vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-09 19:49:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
367 commits 27 branches 19 tags 24 MiB
Commit graph

4 commits

Author SHA1 Message Date
A
a24dc101e3
fix: Eliminate heredoc injection, eval, and API key exposure (#108) 
- Replace unquoted heredocs with printf + json_escape for all JSON
  config files containing credentials (8 cloud providers + shared lib)
- Replace eval with printf -v for safe indirect variable assignment
- Move RunPod API key from URL query param to api-key header

Fixes #104, Fixes #105, Fixes #106

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-02-09 11:19:34 -08:00
LAB
d76c8dba0f
Security: fix critical command injection vulnerabilities in container providers (#54) 
* refactor: Simplify API call retry logic in generic_cloud_api

Extract duplicated retry handling into focused helper functions:
- handle_api_network_error(): Handles curl errors with retry logic
- handle_api_transient_error(): Handles 429/503 HTTP errors
- _call_cloud_api(): Internal curl wrapper separating concerns

Reduces cyclomatic complexity of generic_cloud_api from 9 to 3.
Lines reduced from 89 to 54 (40% reduction).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Security: fix critical command injection vulnerabilities in container providers

CRITICAL SECURITY FIX - Command injection vulnerabilities

Fixed command injection in bash -c calls across all container/sandbox providers.
These functions were passing commands directly to bash -c without proper escaping,
allowing potential remote code execution via crafted inputs.

Files fixed:
- sprite/lib/common.sh: run_sprite(), upload_file_sprite()
- e2b/lib/common.sh: run_server(), upload_file(), interactive_session()
- daytona/lib/common.sh: run_server(), upload_file(), interactive_session()
- railway/lib/common.sh: run_server(), upload_file(), interactive_session()

Fix: Use printf %q to properly escape all command arguments before passing to bash -c.
This prevents command injection while maintaining functionality.

Severity: CRITICAL (CVSS 9.8)
Impact: Remote code execution, full system compromise
Mitigation: Proper shell escaping using printf %q

All modified files pass bash -n syntax validation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Sprite <noreply@sprite.dev>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-08 12:00:43 -08:00
Sprite
8f37ce3649 refactor: Automated improvements from cycle 1 
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-08 06:02:07 +00:00
Sprite
2c7ed48560 feat: Add continuous refactoring service and GitHub issue templates 
- Add refactor.sh: Continuous service that spawns Claude Code agent teams
- Team roles: security-auditor, ux-engineer, complexity-hunter, test-engineer, issue-triager
- Focus on security, UX, complexity reduction, testing, and GitHub issue response
- Add GitHub issue template for bug reports (focused on error logs)
- Auto-triages and responds to issues within 1 hour

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-08 05:53:31 +00:00