spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-30 21:09:29 +00:00

History

LAB d76c8dba0f Security: fix critical command injection vulnerabilities in container providers (#54 ) * refactor: Simplify API call retry logic in generic_cloud_api Extract duplicated retry handling into focused helper functions: - handle_api_network_error(): Handles curl errors with retry logic - handle_api_transient_error(): Handles 429/503 HTTP errors - _call_cloud_api(): Internal curl wrapper separating concerns Reduces cyclomatic complexity of generic_cloud_api from 9 to 3. Lines reduced from 89 to 54 (40% reduction). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * Security: fix critical command injection vulnerabilities in container providers CRITICAL SECURITY FIX - Command injection vulnerabilities Fixed command injection in bash -c calls across all container/sandbox providers. These functions were passing commands directly to bash -c without proper escaping, allowing potential remote code execution via crafted inputs. Files fixed: - sprite/lib/common.sh: run_sprite(), upload_file_sprite() - e2b/lib/common.sh: run_server(), upload_file(), interactive_session() - daytona/lib/common.sh: run_server(), upload_file(), interactive_session() - railway/lib/common.sh: run_server(), upload_file(), interactive_session() Fix: Use printf %q to properly escape all command arguments before passing to bash -c. This prevents command injection while maintaining functionality. Severity: CRITICAL (CVSS 9.8) Impact: Remote code execution, full system compromise Mitigation: Proper shell escaping using printf %q All modified files pass bash -n syntax validation. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Sprite <noreply@sprite.dev> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-08 12:00:43 -08:00
..
common.sh	Security: fix critical command injection vulnerabilities in container providers (#54 )	2026-02-08 12:00:43 -08:00

Security: fix critical command injection vulnerabilities in container providers (#54 )

* refactor: Simplify API call retry logic in generic_cloud_api

Extract duplicated retry handling into focused helper functions:
- handle_api_network_error(): Handles curl errors with retry logic
- handle_api_transient_error(): Handles 429/503 HTTP errors
- _call_cloud_api(): Internal curl wrapper separating concerns

Reduces cyclomatic complexity of generic_cloud_api from 9 to 3.
Lines reduced from 89 to 54 (40% reduction).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Security: fix critical command injection vulnerabilities in container providers

CRITICAL SECURITY FIX - Command injection vulnerabilities

Fixed command injection in bash -c calls across all container/sandbox providers.
These functions were passing commands directly to bash -c without proper escaping,
allowing potential remote code execution via crafted inputs.

Files fixed:
- sprite/lib/common.sh: run_sprite(), upload_file_sprite()
- e2b/lib/common.sh: run_server(), upload_file(), interactive_session()
- daytona/lib/common.sh: run_server(), upload_file(), interactive_session()
- railway/lib/common.sh: run_server(), upload_file(), interactive_session()

Fix: Use printf %q to properly escape all command arguments before passing to bash -c.
This prevents command injection while maintaining functionality.

Severity: CRITICAL (CVSS 9.8)
Impact: Remote code execution, full system compromise
Mitigation: Proper shell escaping using printf %q

All modified files pass bash -n syntax validation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Sprite <noreply@sprite.dev>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-08 12:00:43 -08:00

common.sh

Security: fix critical command injection vulnerabilities in container providers (#54 )

2026-02-08 12:00:43 -08:00