spawn/cloudsigma/lib
A f9c491a546
fix: move CloudSigma region validation to API entry point and harden trigger-server issue param (#967)
The SSRF fix in PR #948 added validate_region_name in create_server(),
but cloudsigma_api() is called much earlier via test_cloudsigma_credentials()
and cloudsigma_check_ssh_key(). A crafted CLOUDSIGMA_REGION (e.g.
"evil.com/foo#") could redirect API calls — including Base64-encoded
Basic Auth credentials — to an attacker's server before create_server()
is ever reached.

Move validation to get_cloudsigma_api_base() so every API call validates
the region before constructing the URL.

Also add a 10-digit length cap to the trigger-server issue parameter as
defense-in-depth against path traversal via absurdly long numbers in
worktree directory paths.

Fixes #960

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-13 10:32:49 -08:00
common.sh