spawn/shared
A 26267ac9ff
fix: use positional params in macOS curl path to prevent command injection (#1685)
**Why:** The macOS fallback in `request_missing_cloud_keys()` used
`${providers_json}` directly in a curl `-d` argument. If `providers_json`
contained shell metacharacters (e.g., from a failed python3 call), this
could execute arbitrary commands. The Linux path already used the safe
positional parameter pattern (`bash -c '...' -- "$1" "$2" "$3"`).

Unifies both code paths to use the safe positional parameter pattern.

Fixes #1684

Agent: team-lead

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-22 02:54:32 -05:00
common.sh fix: replace require() with ESM imports in bun eval scripts (#1682) 2026-02-22 01:50:08 -05:00
github-auth.sh fix: add --no-install-recommends to all apt calls across clouds (#1631) 2026-02-21 18:12:19 -05:00
key-request.sh fix: use positional params in macOS curl path to prevent command injection (#1685) 2026-02-22 02:54:32 -05:00
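The commit message above contrasts putting `${providers_json}` straight into the command with the `bash -c '...' -- "$1"` positional-parameter pattern. The sketch below is an added example, not code from `key-request.sh`: it assumes the unsafe form expanded the variable inside a double-quoted `bash -c` script, the names `send_unsafe`, `send_safe`, `bad_json` and `demo_marker` are hypothetical, the value is constructed, and `printf` stands in for `curl -d` so it runs offline.

```shell
#!/usr/bin/env bash
# Added illustration: interpolation vs. positional parameters in `bash -c`.
# All names and the sample value are constructed for this demo.

# Harmless side effect used to observe whether the value was run as code.
demo_marker="${TMPDIR:-/tmp}/posparam_demo.$$"

# Constructed stand-in for a providers_json value that is not clean JSON
# (the commit mentions a failed python3 call as one possible source).
# The single quote ends the quoting used by the unsafe template below.
bad_json="[\"aws\"]'; touch '${demo_marker}'; echo '"

# Unsafe: the OUTER shell expands ${1} into the script text before the inner
# bash parses it, so the value is parsed as shell syntax, not as data.
# (In the real script the command would be curl with -d; printf stands in.)
send_unsafe() {
  bash -c "printf '%s' '${1}'"
}

# Safe: the script is a fixed single-quoted string; the value is handed over
# as argument $1 after `--` and is only ever expanded inside double quotes.
send_safe() {
  bash -c 'printf "%s" "$1"' -- "$1"
}

# Run both variants on the same value and report what happened.
for fn in send_unsafe send_safe; do
  rm -f "$demo_marker"
  "$fn" "$bad_json" >/dev/null
  if [ -e "$demo_marker" ]; then
    echo "$fn: value was executed as shell code"
  else
    echo "$fn: value stayed data"
  fi
done
rm -f "$demo_marker"
```

A quick review check for this class of bug is to search for `bash -c "` or `sh -c "` strings that contain `$` expansions of externally influenced variables.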