spawn/sh/e2e/lib/clouds
A 1bddd713ea
fix: base64-encode commands in SSH exec to prevent injection (#2448)
All four SSH-based cloud drivers (aws, digitalocean, gcp, hetzner)
passed the command string directly as an SSH argument, which gets
interpreted by the remote shell. While current callers pass trusted
E2E test code, this creates a security footgun for future changes.

Fix: base64-encode the command locally and decode it on the remote
side before piping to bash. The encoded string contains only safe
characters [A-Za-z0-9+/=], eliminating any injection vector. Stdin
is preserved for callers that pipe data into cloud_exec.

Closes #2432, closes #2433, closes #2434, closes #2435

Agent: complexity-hunter

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
2026-03-10 13:22:33 -04:00
aws.sh fix: base64-encode commands in SSH exec to prevent injection (#2448) 2026-03-10 13:22:33 -04:00
digitalocean.sh fix: base64-encode commands in SSH exec to prevent injection (#2448) 2026-03-10 13:22:33 -04:00
gcp.sh fix: base64-encode commands in SSH exec to prevent injection (#2448) 2026-03-10 13:22:33 -04:00
hetzner.sh fix: base64-encode commands in SSH exec to prevent injection (#2448) 2026-03-10 13:22:33 -04:00
sprite.sh fix: harden Sprite exec against injection via org flags and grep patterns (#2446) 2026-03-10 10:08:17 -07:00
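
The technique described in the commit message above, as an added shell sketch that runs without a remote host; it is not the project's code, and the drivers' sources are not shown on this page. `fake_ssh`, `exec_raw`, `exec_b64` and the sample command are constructed for illustration; the quoted `bash -c '...'` wrapper is an assumed "before", and `bash -c "$(...)"` is used here in place of a pipe so stdin stays available to the command.

```shell
#!/bin/sh
# Added example (not project code). fake_ssh is a hypothetical stand-in for
# `ssh host ...`: ssh joins its command arguments with spaces and the remote
# login shell parses the resulting string, which is what `sh -c "$*"` does.
fake_ssh() {
  sh -c "$*"
}

# Constructed "before": the command is spliced into a quoted wrapper, so a
# quote inside it changes how the remote shell splits the line.
exec_raw() {
  fake_ssh "bash -c '$1'"
}

# Base64 form: only [A-Za-z0-9+/=] crosses the remote shell's parser.
# bash -c "$(...)" is used instead of a pipe so stdin stays free for data.
exec_b64() {
  encoded=$(printf '%s' "$1" | base64 | tr -d '\n')
  case "$encoded" in
    *[!A-Za-z0-9+/=]*) echo "unexpected byte in encoding" >&2; return 1 ;;
  esac
  fake_ssh "bash -c \"\$(printf %s '$encoded' | base64 -d)\""
}

# Constructed input: the semicolon is meant to be data inside the quotes.
cmd="echo 'a; echo SPLIT'"
printf 'raw:   %s\n' "$(exec_raw "$cmd" | tr '\n' '|')"
printf 'b64:   %s\n' "$(exec_b64 "$cmd" | tr '\n' '|')"
printf 'stdin: %s\n' "$(printf 'piped data' | exec_b64 'cat')"
```

In the raw form the remote shell ends the quoted string early and runs the text after the semicolon as a second command; in the base64 form bash receives the command byte for byte.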