spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 20:09:34 +00:00

History

A 3d274bf3d2 fix: escape shell commands and sanitize JSON to prevent injection (#463 ) - Add printf %q command escaping to run_server/interactive_session in Koyeb, Render, Railway, and GitHub Codespaces (matching pattern used by E2B, Daytona, Northflank, Fly, and other providers) - Use json_escape in exchange_oauth_code to prevent JSON injection via crafted OAuth codes in shared/common.sh - Use json_escape in Fly.io _fly_create_app to prevent JSON injection via FLY_ORG env var, plus add validation for org slug format - Pass Fly.io _fly_create_machine values via env vars instead of Python string interpolation to prevent code injection Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-11 07:20:41 -08:00
..
common.sh	fix: escape shell commands and sanitize JSON to prevent injection (#463 )	2026-02-11 07:20:41 -08:00

fix: escape shell commands and sanitize JSON to prevent injection (#463 )

- Add printf %q command escaping to run_server/interactive_session in
  Koyeb, Render, Railway, and GitHub Codespaces (matching pattern used
  by E2B, Daytona, Northflank, Fly, and other providers)
- Use json_escape in exchange_oauth_code to prevent JSON injection via
  crafted OAuth codes in shared/common.sh
- Use json_escape in Fly.io _fly_create_app to prevent JSON injection
  via FLY_ORG env var, plus add validation for org slug format
- Pass Fly.io _fly_create_machine values via env vars instead of Python
  string interpolation to prevent code injection

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-11 07:20:41 -08:00

common.sh

fix: escape shell commands and sanitize JSON to prevent injection (#463 )

2026-02-11 07:20:41 -08:00