spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-02 22:00:19 +00:00

History

A 246b72a22b fix: Prevent Python/JSON injection in RamNode and Netcup providers (#420 ) Use sys.argv and sys.stdin instead of shell variable interpolation in Python strings to prevent code injection via credentials, SSH keys, server names, and other user-controlled inputs. RamNode fixes: - _get_ramnode_token: credentials via sys.argv instead of string interpolation - Config file read: use sys.argv[1] for file path (matches other providers) - Config file save: use sys.argv for all values - ramnode_check_ssh_key: key_name via sys.argv - ramnode_register_ssh_key: public key via stdin, name via sys.argv - create_server: all parameters via sys.argv Netcup fixes: - netcup_get_session: use python3+json.dumps instead of unquoted heredoc - netcup_api: use python3+json.dumps for action parameter - Config file read: use sys.argv[1] for file path - Config file save: use python3+sys.argv instead of unquoted heredoc - create_server: all parameters via sys.argv Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-02-11 02:36:03 -08:00
..
common.sh	fix: Prevent Python/JSON injection in RamNode and Netcup providers (#420 )	2026-02-11 02:36:03 -08:00

fix: Prevent Python/JSON injection in RamNode and Netcup providers (#420 )

Use sys.argv and sys.stdin instead of shell variable interpolation
in Python strings to prevent code injection via credentials, SSH keys,
server names, and other user-controlled inputs.

RamNode fixes:
- _get_ramnode_token: credentials via sys.argv instead of string interpolation
- Config file read: use sys.argv[1] for file path (matches other providers)
- Config file save: use sys.argv for all values
- ramnode_check_ssh_key: key_name via sys.argv
- ramnode_register_ssh_key: public key via stdin, name via sys.argv
- create_server: all parameters via sys.argv

Netcup fixes:
- netcup_get_session: use python3+json.dumps instead of unquoted heredoc
- netcup_api: use python3+json.dumps for action parameter
- Config file read: use sys.argv[1] for file path
- Config file save: use python3+sys.argv instead of unquoted heredoc
- create_server: all parameters via sys.argv

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-02-11 02:36:03 -08:00

common.sh

fix: Prevent Python/JSON injection in RamNode and Netcup providers (#420 )

2026-02-11 02:36:03 -08:00