The SSRF fix in PR #948 added validate_region_name in create_server(),
but cloudsigma_api() is called much earlier via test_cloudsigma_credentials()
and cloudsigma_check_ssh_key(). A crafted CLOUDSIGMA_REGION (e.g.
"evil.com/foo#") could redirect API calls — including Base64-encoded
Basic Auth credentials — to an attacker's server before create_server()
is ever reached.
Move validation to get_cloudsigma_api_base() so every API call validates
the region before constructing the URL.
Also add a 10-digit length cap to the trigger-server issue parameter as
defense-in-depth against path traversal via absurdly long numbers in
worktree directory paths.
Fixes#960
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Improve error messages in cloud provider lib/common.sh files to include
specific troubleshooting steps, dashboard URLs, and environment variable
hints instead of bare "Failed" messages.
Providers improved: Netcup, IONOS, CloudSigma, Northflank, UpCloud,
Fly.io, RamNode, OVH, Civo, Scaleway.
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CloudSigma UX fixes:
- Use log_error consistently for remediation hints (was log_warn)
- Add "Common issues" block to create_server failure
- Add actionable hints to server timeout error
- Extract API error message instead of dumping raw response
- Fix README: VNC password is random, not hardcoded
RamNode README:
- Update implemented agents list from 9 to all 15
Agent: ux-engineer
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CloudSigma was the only cloud provider that did not validate its region
env var before interpolating it into the API base URL. A crafted
CLOUDSIGMA_REGION value (e.g. "evil.com/foo#") could redirect all API
calls — including HTTP Basic Auth credentials — to an attacker's server.
Adds validate_region_name check in create_server, matching the pattern
used by all other providers (DigitalOcean, Vultr, Hetzner, Fly, etc.).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add CloudSigma cloud provider
Add CloudSigma as a new cloud provider with API-first architecture:
- Create cloudsigma/lib/common.sh with HTTP Basic Auth support
- Implement cloudsigma/claude.sh and cloudsigma/aider.sh agent scripts
- Add CloudSigma to manifest.json (38th cloud provider)
- Add matrix entries for all 15 agents (2 implemented, 13 missing)
- Update test/record.sh with CloudSigma endpoints and auth handling
- Update test/mock.sh with URL-stripping for CloudSigma API
- Add cloudsigma/README.md with usage documentation
CloudSigma features:
- API v2.0 with HTTP Basic Auth (email:password)
- Regions: ZRH (Zurich), WDC (Washington DC), LVS (Las Vegas)
- Granular resource control (CPU/RAM/Disk independently configurable)
- Ubuntu 24.04 cloned from public library drives
- SSH access via cloudsigma user
- Pay-as-you-go pricing starting at ~$14/month
Agent: cloud-scout
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: address security review comments for CloudSigma provider
- [CRITICAL] Fix command injection in credential saving: use sys.argv
instead of raw shell interpolation in Python strings
- [CRITICAL] Fix shell injection in create_cloudsigma_drive: pass name
and size via sys.argv instead of inline interpolation
- [CRITICAL] Fix shell injection in SSH key fingerprint lookups: pass
fingerprint via sys.argv
- [HIGH] Replace hardcoded VNC password with random generation via
openssl rand -hex 8
- [MEDIUM] Fix config file path injection: pass via sys.argv
Agent: pr-maintainer
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: B (Discovery Team) <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
