mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-08 18:39:50 +00:00
* security: fix checksum grep anchoring and tar path traversal in github-auth.sh
- Anchor grep with -F " ${tarball}" to prevent partial filename matches
in checksum validation (e.g. foo.tar.gz matching foo.tar.gz.sig)
- Add pre-extraction validation rejecting tarballs with absolute paths
or ../ traversal components (CWE-22), cross-platform (GNU + BSD tar)
Fixes #2211
Fixes #2212
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: anchor checksum grep with two-space prefix and EOL to prevent partial match
Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
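The two checks the commit message describes, written out as an added stand-alone example (this is not code from OpenRouterTeam/spawn or its `github-auth.sh`): a checksum-line lookup that shows why an unanchored grep over a `sha256sum`-style file is wrong and what an exact match looks like, and a pre-extraction listing check that rejects absolute member paths and any `..` component before `tar -x` runs. The function names, `SAMPLE_CHECKSUMS`, the placeholder digests and the file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from OpenRouterTeam/spawn or its github-auth.sh: the
# two checks the commit message describes, as stand-alone POSIX sh. Function
# names, SAMPLE_CHECKSUMS and the file names below are assumptions.
set -eu

# Constructed sha256sum(1)-style checksum list: "<64 hex>  <name>", two spaces.
# The digests are arbitrary placeholders, not real hashes of anything.
SAMPLE_CHECKSUMS='0000000000000000000000000000000000000000000000000000000000000001  foo.tar.gz.sig
0000000000000000000000000000000000000000000000000000000000000002  foo.tar.gz
0000000000000000000000000000000000000000000000000000000000000003  foo.tar.gz.asc'

# Pre-fix pattern: an unanchored substring grep. "foo.tar.gz" is a substring of
# "foo.tar.gz.sig" and "foo.tar.gz.asc", so all three lines match and whichever
# one is read first decides which digest gets compared. Prints the match count.
unanchored_match_count() {
  printf '%s\n' "$2" | grep -c -- "$1"
}

# Fixed behaviour: select the line whose file name is exactly $1. Parsing each
# line and comparing whole strings avoids building a regex out of a file name
# (dots are metacharacters) and the fact that grep -F cannot anchor to end of line.
checksum_line_for() {
  tarball=$1
  match=$(printf '%s\n' "$2" | while IFS= read -r line; do
    hash=${line%% *}          # text before the first space
    name=${line#* }           # text after the first space
    name=${name# }            # drop the second space of sha256sum's "  "
    name=${name#\*}           # sha256sum -b prefixes the name with '*'
    if [ ${#hash} -eq 64 ] && [ "$name" = "$tarball" ]; then
      printf '%s\n' "$line"
    fi
  done)
  [ -n "$match" ] || return 1
  printf '%s\n' "$match"
}

# Digest of a file via sha256sum (coreutils) or shasum (macOS), whichever exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# 0 if the file's digest equals the digest listed for its exact name, else 1.
verify_checksum() {
  line=$(checksum_line_for "$(basename "$1")" "$2") || return 1
  [ "${line%% *}" = "$(sha256_of "$1")" ]
}

# CWE-22 pre-extraction check. Reads member names one per line (what `tar -tf`
# prints on both GNU and BSD tar) and rejects absolute paths and any ".."
# path component, whether leading, trailing or in the middle.
validate_member_names() {
  while IFS= read -r member; do
    case "$member" in
      /*) printf 'rejected absolute path: %s\n' "$member" >&2; return 1 ;;
      ..|../*|*/..|*/../*)
          printf 'rejected traversal component: %s\n' "$member" >&2; return 1 ;;
    esac
  done
  return 0
}

# List first, extract only if every member name passed. A failing `tar -tf`
# (missing or corrupt archive) is a rejection, not an empty, accepted listing.
validate_tarball() {
  listing=$(tar -tf "$1") || return 1
  printf '%s\n' "$listing" | validate_member_names
}

safe_extract() {
  validate_tarball "$1" || return 1
  tar -xf "$1" -C "$2"
}

# Demonstration on the constructed inputs above (no tar or sha256sum needed).
printf 'lines matched by unanchored grep: %s\n' "$(unanchored_match_count foo.tar.gz "$SAMPLE_CHECKSUMS")"
printf 'exact match: %s\n' "$(checksum_line_for foo.tar.gz "$SAMPLE_CHECKSUMS")"
printf 'pkg/bin/tool\npkg/lib/x.so\n' | validate_member_names && echo 'benign listing accepted'
printf 'pkg/../../etc/cron.d/job\n' | validate_member_names 2>/dev/null || echo 'traversal rejected'
```

The listing check only looks at member names: a symlink member that points outside the destination, followed by a member written through it, is a separate class of problem that this does not catch, and both GNU and BSD tar apply their own default protections (which vary by version and are disabled by `-P`), so the explicit check is what makes the policy independent of the installed tar. Member names containing a newline would also confuse a line-oriented listing and should be rejected outright in stricter code.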
| File |
|---|
| github-auth.sh |
| key-request.sh |