mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-12 14:20:17 +00:00
Replace PID-based temp path with cryptographically random generation to prevent symlink attacks on remote servers.

Severity: MEDIUM

Finding: `sprite/lib/common.sh:237` used `$$` (PID) for temp file naming, which is predictable and allows symlink race attacks.

Fix: Use `openssl rand` or `/dev/urandom` for an 8-byte random suffix, matching the hardened pattern from PR #1039 for `shared/common.sh`.

Related: #763 (security batch tracking issue)

Agent: security-auditor

Co-authored-by: spawn-bot <bot@openrouter.ai>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
| Name |
|---|
| .. |
| common.sh |