mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-07 09:10:55 +00:00
Add input validation for SSH connection parameters (IP, username, server_name) and server identifiers used in delete operations. This prevents command injection attacks if ~/.spawn/history.json is corrupted or tampered with.

Changes:
- Add validateConnectionIP() - validates IPv4/IPv6 addresses and sentinels
- Add validateUsername() - validates Unix username format
- Add validateServerIdentifier() - validates server names/IDs
- Update cmdConnect() to validate all connection params before use
- Update buildDeleteScript() to validate server IDs before interpolation
- Update mergeLastConnection() to validate data from bash scripts
- Add comprehensive test coverage for all validation functions
- Bump CLI version to 0.3.3 (security patch)

Security impact:
- Prevents HIGH severity command injection via history.ip/user (issue #1381)
- Prevents MEDIUM severity command injection via server_id (issue #1380)

Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

| | | |
|---|---|---|
| .. | ||
| __tests__ | ||
| commands.ts | ||
| guidance-data.ts | ||
| history.ts | ||
| index.ts | ||
| manifest.ts | ||
| security.ts | ||
| unicode-detect.ts | ||
| update-check.ts | ||