vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-05 07:20:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix: use safe inject_env_vars helpers instead of raw shell interpolation (#932)

Browse source 
Replace unsafe heredoc/echo patterns with inject_env_vars_ssh (Atlantic.Net)
and inject_env_vars_local (CodeSandbox) for API key injection. The previous
patterns embedded OPENROUTER_API_KEY values directly into shell command strings
without escaping, allowing potential command injection if the API key contained
shell metacharacters (quotes, backticks, dollar signs).

Affected scripts (11 total):
- atlanticnet: codex, continue, gemini, gptme, kilocode, opencode
- codesandbox: amazonq, gemini, goose, opencode, plandex

The safe helpers (generate_env_config) properly single-quote all values and
escape embedded single quotes, preventing shell interpretation of special chars.

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
A 2026-02-13 05:57:06 -08:00 committed by GitHub
parent bcb2d63f35
commit d785571026
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 43 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

3
codesandbox/opencode.sh
View file

@ -29,7 +29,8 @@ else
fi
log_step "Setting up environment variables..."
run_server 'echo "export OPENROUTER_API_KEY=\"'"${OPENROUTER_API_KEY}"'\"" >> ~/.bashrc'
inject_env_vars_local upload_file run_server \
"OPENROUTER_API_KEY=${OPENROUTER_API_KEY}"
echo ""
log_info "CodeSandbox setup completed successfully!"