spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-05 23:50:48 +00:00

History

A 4b0d25ca39 fix: prevent Python code injection via unescaped variables in inline Python (#771 ) Use sys.argv to pass shell values to inline Python instead of direct string interpolation, preventing single-quote injection attacks across cloud lib common.sh files and test/record.sh. Also fix eval injection in test/record.sh try_load_config() by replacing eval of Python-generated export statements with safe tab-separated parsing and direct variable assignment. Fixes #759 Fixes #760 Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-02-12 16:47:13 -08:00
..
lib	fix: prevent Python code injection via unescaped variables in inline Python (#771 )	2026-02-12 16:47:13 -08:00
claude.sh	fix: use log_step (cyan) for progress messages instead of log_warn (yellow) (#534 )	2026-02-11 14:37:43 -08:00

fix: prevent Python code injection via unescaped variables in inline Python (#771 )

Use sys.argv to pass shell values to inline Python instead of direct
string interpolation, preventing single-quote injection attacks across
cloud lib common.sh files and test/record.sh.

Also fix eval injection in test/record.sh try_load_config() by replacing
eval of Python-generated export statements with safe tab-separated
parsing and direct variable assignment.

Fixes #759
Fixes #760

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-02-12 16:47:13 -08:00

lib

fix: prevent Python code injection via unescaped variables in inline Python (#771 )

2026-02-12 16:47:13 -08:00

claude.sh

fix: use log_step (cyan) for progress messages instead of log_warn (yellow) (#534 )

2026-02-11 14:37:43 -08:00