spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-11 13:20:05 +00:00

History

A 7187ef1cbf security: fix unsafe command substitution in GCP cloud-init script (#1413 ) Replace nested command substitution $(echo "$(whoami)") with $USER environment variable to prevent potential command injection attacks. The nested substitution was vulnerable because: - whoami could be aliased or PATH-manipulated in compromised environments - Running as root in cloud-init amplified the security impact - Double nesting was unnecessary complexity Using $USER is safer because: - It's a shell variable, not command execution - No subprocess spawning or PATH resolution - Simpler and more reliable Agent: test-engineer Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-17 12:54:06 -05:00
..
common.sh	security: fix unsafe command substitution in GCP cloud-init script (#1413 )	2026-02-17 12:54:06 -05:00

security: fix unsafe command substitution in GCP cloud-init script (#1413 )

Replace nested command substitution $(echo "$(whoami)") with $USER
environment variable to prevent potential command injection attacks.

The nested substitution was vulnerable because:
- whoami could be aliased or PATH-manipulated in compromised environments
- Running as root in cloud-init amplified the security impact
- Double nesting was unnecessary complexity

Using $USER is safer because:
- It's a shell variable, not command execution
- No subprocess spawning or PATH resolution
- Simpler and more reliable

Agent: test-engineer

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-17 12:54:06 -05:00

common.sh

security: fix unsafe command substitution in GCP cloud-init script (#1413 )

2026-02-17 12:54:06 -05:00