vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-06 08:10:48 +00:00

History

LAB d76c8dba0f Security: fix critical command injection vulnerabilities in container providers (#54 ) * refactor: Simplify API call retry logic in generic_cloud_api Extract duplicated retry handling into focused helper functions: - handle_api_network_error(): Handles curl errors with retry logic - handle_api_transient_error(): Handles 429/503 HTTP errors - _call_cloud_api(): Internal curl wrapper separating concerns Reduces cyclomatic complexity of generic_cloud_api from 9 to 3. Lines reduced from 89 to 54 (40% reduction). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * Security: fix critical command injection vulnerabilities in container providers CRITICAL SECURITY FIX - Command injection vulnerabilities Fixed command injection in bash -c calls across all container/sandbox providers. These functions were passing commands directly to bash -c without proper escaping, allowing potential remote code execution via crafted inputs. Files fixed: - sprite/lib/common.sh: run_sprite(), upload_file_sprite() - e2b/lib/common.sh: run_server(), upload_file(), interactive_session() - daytona/lib/common.sh: run_server(), upload_file(), interactive_session() - railway/lib/common.sh: run_server(), upload_file(), interactive_session() Fix: Use printf %q to properly escape all command arguments before passing to bash -c. This prevents command injection while maintaining functionality. Severity: CRITICAL (CVSS 9.8) Impact: Remote code execution, full system compromise Mitigation: Proper shell escaping using printf %q All modified files pass bash -n syntax validation. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Sprite <noreply@sprite.dev> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>		2026-02-08 12:00:43 -08:00
..
lib	Security: fix critical command injection vulnerabilities in container providers (#54 )	2026-02-08 12:00:43 -08:00
aider.sh	feat: Add continuous refactoring service and GitHub issue templates	2026-02-08 05:53:31 +00:00
claude.sh	feat: Add continuous refactoring service and GitHub issue templates	2026-02-08 05:53:31 +00:00
gptme.sh	feat: Add continuous refactoring service and GitHub issue templates	2026-02-08 05:53:31 +00:00
README.md	feat: Add continuous refactoring service and GitHub issue templates	2026-02-08 05:53:31 +00:00

README.md

Railway

Railway container platform via CLI. Railway

Pay-per-minute billing. Fast deployment. Uses websocket-based SSH protocol (not standard SSH). Requires Railway CLI.

Agents

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/claude.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/aider.sh)

gptme

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/gptme.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/nanoclaw.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/interpreter.sh)

Gemini CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/gemini.sh)

Amazon Q CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/amazonq.sh)

Cline

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/cline.sh)

OpenCode

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/opencode.sh)

Plandex

bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/plandex.sh)

Non-Interactive Mode

RAILWAY_PROJECT_NAME=dev-mk1 \
RAILWAY_TOKEN=your-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/railway/claude.sh)

Authentication

Railway CLI requires authentication. You can authenticate in three ways:

Interactive login (default): railway login opens a browser for OAuth
Project token: Set RAILWAY_TOKEN environment variable from https://railway.app/account/tokens
Stored credentials: After running railway login, credentials are stored and reused

For CI/CD pipelines, use project tokens via the RAILWAY_TOKEN environment variable.

Pricing

Railway uses pay-per-minute billing for compute resources. You only pay for what you use:

Free tier: $5 of free credits per month
Hobby plan: $5/month subscription + usage-based pricing
Pro plan: $20/month subscription + usage-based pricing with higher limits

Pricing is prorated to the minute, so you're not paying for idle resources when your service is stopped.

Limits

Project name: 1-50 characters, lowercase letters, numbers, and hyphens
Must start and end with alphanumeric character
No standard SSH access (uses Railway's websocket-based protocol)
Requires Railway CLI for all operations

Troubleshooting

Railway CLI not found

Install via npm:

npm install -g @railway/cli

Or use the official installer:

bash <(curl -fsSL cli.new)

Authentication failed

Generate a new token at https://railway.app/account/tokens and set:

export RAILWAY_TOKEN=your-token-here

Project already exists

If you get "project already exists", Railway will attempt to reuse the existing project. If this causes issues, you can either:

Use a different project name
Delete the old project from https://railway.app/dashboard
Use railway link to link to an existing project

Resources

Railway Documentation: https://docs.railway.com/
Railway CLI Reference: https://docs.railway.com/reference/cli-api
Railway Dashboard: https://railway.app/dashboard
Generate API Tokens: https://railway.app/account/tokens