mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-12 06:00:25 +00:00
Fixes #1376 - HIGH severity path traversal in CLI installer
Fixes #1377 - MEDIUM severity unquoted variable in hetzner token extraction

Changes:
- cli/install.sh: Replace string prefix matching with canonicalized path comparison to prevent path traversal in rm -rf cleanup. The previous check could be bypassed with sequences like "/tmp/../../home/user".
- hetzner/lib/common.sh: Quote xargs placeholder variable to prevent unexpected behavior if hcloud context name contains shell metacharacters.

Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Files in this directory:
- ..
- common.sh