spawn/fly/lib
A 3e13a213f1
security: fix command injection in fly/lib/common.sh bash -c invocations (#1423)

Quote $escaped_cmd inside the -C argument to bash -c in run_server()
and interactive_session() to prevent word splitting. Without quotes,
even though printf '%q' escapes shell metacharacters, the shell still
splits the escaped command on whitespace before passing it to bash -c,
enabling potential argument injection.

Fixes #1422

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-17 19:35:23 -05:00
..
common.sh security: fix command injection in fly/lib/common.sh bash -c invocations (#1423) 2026-02-17 19:35:23 -05:00
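
The word splitting described in the commit message above, modelled locally as an added example (this is not code from the spawn repository). `show_argv`, `escape_cmd`, `pass_unquoted`, `pass_quoted` and the sample command are hypothetical; `show_argv` stands in for the `bash -c` that receives the words.

```shell
#!/usr/bin/env bash
# Added example: local model of unquoted vs quoted expansion of printf '%q'
# output. Not the project's common.sh; all names here are hypothetical.

# show_argv: stand-in for the receiving program (bash -c in the commit).
# Prints the argument count, then each argument in brackets.
show_argv() {
    printf '%s' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# escape_cmd: escape a command string with printf '%q'. bash is invoked
# explicitly because %q is a bash extension.
escape_cmd() {
    bash -c 'printf "%q" "$1"' _ "$1"
}

# 'Before' pattern: the escaped string is expanded without quotes.
# The backslashes from %q are plain data at this point, so the shell still
# splits on the spaces. set -f (in a subshell) disables globbing so only
# word splitting is shown; an unquoted expansion is normally globbed too.
pass_unquoted() (
    set -f
    escaped_cmd=$(escape_cmd "$1")
    # shellcheck disable=SC2086  # deliberate: behaviour under demonstration
    show_argv -c $escaped_cmd
)

# 'After' pattern: the expansion is quoted and arrives as one argument.
pass_quoted() (
    escaped_cmd=$(escape_cmd "$1")
    show_argv -c "$escaped_cmd"
)

cmd='ls -la /tmp'        # constructed sample command
pass_unquoted "$cmd"     # the receiver sees -c plus three separate words
pass_quoted "$cmd"       # the receiver sees -c plus one word
```

In the unquoted case only the first fragment would be taken by `bash -c` as its command string; the remaining fragments become positional parameters, which is the argument-injection risk the commit message names.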