spawn/sh/e2e/lib/clouds
A 3724bb8ba4
fix: address SSH command injection risks in e2e cloud drivers (#2447)

Add defense-in-depth validation across all e2e cloud driver scripts:

- Validate IP addresses match IPv4 format before use in SSH commands
  (aws, digitalocean, gcp, hetzner)
- Validate SSH username contains only safe characters (gcp)
- Validate resource IDs are numeric before interpolating into API URLs
  (digitalocean droplet IDs, hetzner server IDs)
- URL-encode app name in Hetzner API query parameter to prevent
  query parameter injection
- Validate numeric env vars (INPUT_TEST_TIMEOUT, PROVISION_TIMEOUT,
  INSTALL_WAIT) that get interpolated into remote command strings

Fixes #2432, #2433, #2434, #2435, #2442

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 12:27:47 -04:00
aws.sh fix: address SSH command injection risks in e2e cloud drivers (#2447) 2026-03-10 12:27:47 -04:00
digitalocean.sh fix: address SSH command injection risks in e2e cloud drivers (#2447) 2026-03-10 12:27:47 -04:00
gcp.sh fix: address SSH command injection risks in e2e cloud drivers (#2447) 2026-03-10 12:27:47 -04:00
hetzner.sh fix: address SSH command injection risks in e2e cloud drivers (#2447) 2026-03-10 12:27:47 -04:00
sprite.sh refactor: remove dead cloud_exec_long and _*_exec_long functions (#2407) 2026-03-09 19:39:53 -07:00