A 9a98589cef fix(security): prevent command injection via INPUT_TEST_TIMEOUT in verify.sh (#2851) ... Add defense-in-depth validation of INPUT_TEST_TIMEOUT directly in verify.sh (not just relying on common.sh). Each input test function now calls _validate_timeout() to ensure the value contains only digits before use. Additionally, instead of interpolating INPUT_TEST_TIMEOUT directly into remote command strings passed to cloud_exec, the timeout value is now assigned to a single-quoted remote variable (_TIMEOUT) and referenced via "$_TIMEOUT" on the remote side. This eliminates the injection surface even if validation were somehow bypassed. Affected functions: input_test_claude(), input_test_codex(), input_test_openclaw(), input_test_zeroclaw(). Fixes #2849 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>		2026-03-20 19:58:52 -07:00
..
clouds	security: base64-encode cmd in _sprite_exec to prevent injection (#2803)	2026-03-19 13:19:07 -07:00
common.sh	fix(e2e): add per-agent timeout to prevent silent hangs in E2E runs (#2720)	2026-03-17 13:16:09 -07:00
interactive.sh	feat: never-give-up resilience layer (#2807)	2026-03-19 17:33:22 -07:00
provision.sh	fix(e2e): increase provision timeout for junie on hetzner (#2683)	2026-03-16 00:54:03 -07:00
soak.sh	feat(qa): telegram soak test on digitalocean + fix bun -e (#2547)	2026-03-12 19:45:18 -04:00
teardown.sh	feat(e2e): multi-cloud test suite with cloud driver pattern (#2004)	2026-02-27 19:28:08 -08:00
verify.sh	fix(security): prevent command injection via INPUT_TEST_TIMEOUT in verify.sh (#2851)	2026-03-20 19:58:52 -07:00