spawn/cli/src/fly
63bce1bd04
security: sanitize TERM env var in interactiveSession to prevent shell injection (#1763)
All 6 cloud providers interpolated process.env.TERM directly into shell
commands without validation. A malicious TERM value (e.g., containing
$(cmd)) would execute on the remote server, potentially exfiltrating
OPENROUTER_API_KEY and other credentials.

Add sanitizeTermValue() allowlist (alphanumeric, dots, hyphens, underscores)
to cli/src/shared/ui.ts and apply it in all interactiveSession functions.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-22 18:11:09 -05:00
agents.ts chore: harden biome lint rules and auto-fix codebase (#1759) 2026-02-22 14:37:47 -08:00
fly.ts security: sanitize TERM env var in interactiveSession to prevent shell injection (#1763) 2026-02-22 18:11:09 -05:00
main.ts chore: harden biome lint rules and auto-fix codebase (#1759) 2026-02-22 14:37:47 -08:00