mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-06 16:31:08 +00:00
SECURITY FIXES:
- Add validate_oauth_port() to prevent command injection via port parameter
- Ensures port is numeric and in range 1024-65535
- Prevents JavaScript injection in OAuth server code
- Add CSRF state parameter to OAuth flow
- Generate random 128-bit state token per session
- Validate state parameter in callback to prevent OAuth code interception
- Display error page if state validation fails

IMPACT:
- Prevents CRITICAL command injection vulnerability (CVE-worthy)
- Prevents HIGH OAuth code stealing attacks via CSRF

TESTING:
- All 101 tests pass (bun test)
- Syntax validated (bash -n)
- No regressions introduced

Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Files:
- ..
- common.sh