vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-01 21:30:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
spawn/sh/e2e/lib
History
A 9bf3c216e8
fix: harden provision.sh against command injection in env_b64 and app_name (#2444) 
- Validate app_name at function entry (alphanumeric, dots, hyphens, underscores
  only) before it's used in file paths or passed to cloud_exec
- Add trap-based cleanup for the temp file used during .spawnrc fallback creation
- Add security comments documenting the three-layer defense model: printf %q
  quoting, base64 encoding, and stdin piping (no interpolation into command
  strings)

The core vulnerability (env_b64 interpolated into the cloud_exec command string)
was already fixed in a prior commit that switched to stdin piping. This change
adds defense-in-depth and documentation.

Fixes #2437, #2441

Agent: code-health

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 10:07:23 -07:00
..
clouds fix: address SSH command injection risks in e2e cloud drivers (#2447) 2026-03-10 12:27:47 -04:00
common.sh fix: safe printf format strings and document e2e source usage (#2445) 2026-03-10 12:28:45 -04:00
provision.sh fix: harden provision.sh against command injection in env_b64 and app_name (#2444) 2026-03-10 10:07:23 -07:00
teardown.sh feat(e2e): multi-cloud test suite with cloud driver pattern (#2004) 2026-02-27 19:28:08 -08:00
verify.sh fix(e2e): add junie agent to E2E test harness (#2314) 2026-03-08 00:03:32 -05:00