vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-04 23:00:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
spawn/shared
History
A 8a5d03995b
fix: validate provider name in invalidate_cloud_key and improve key validation (#1017) 
- Add regex validation (^[a-z0-9][a-z0-9._-]{0,63}$) to invalidate_cloud_key()
  in shared/key-request.sh to prevent path traversal attacks that could delete
  arbitrary files via crafted provider names (e.g., ../../etc/important)

- Improve validKeyVal() in key-server.ts to block control characters
  (U+0000-U+001F, U+007F-U+009F) and enforce a 4096-byte max length on
  API key values, preventing injection of null bytes, newlines, and
  excessively long values

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-13 14:43:44 -08:00
..
common.sh refactor: decompose ensure_jq and ensure_gh_cli into focused helpers (#994) 2026-02-13 12:14:56 -08:00
github-auth.sh refactor: decompose ensure_jq and ensure_gh_cli into focused helpers (#994) 2026-02-13 12:14:56 -08:00
key-request.sh fix: validate provider name in invalidate_cloud_key and improve key validation (#1017) 2026-02-13 14:43:44 -08:00