mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-04-28 11:59:29 +00:00
1097f055c3
42 curl calls downloading JS bundles, CLI binaries, and gh CLI tarballs were missing --proto '=https', allowing protocol downgrade attacks on hostile networks. PR #2138 fixed bun installer calls; this closes the remaining gap for executable downloads. Fixes applied: - sh/{sprite,aws,gcp,hetzner,daytona,local}/{claude,codex,openclaw,opencode,kilocode,hermes,zeroclaw}.sh (42 files) - sh/cli/install.sh (cli.js download) - sh/shared/github-auth.sh (keyring, API, tarball downloads) Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
29 lines
1.2 KiB
Bash
29 lines
1.2 KiB
Bash
#!/bin/bash
|
|
set -eo pipefail
|
|
|
|
# Thin shim: ensures bun is available, runs bundled local.js (local or from GitHub release)
|
|
|
|
_ensure_bun() {
|
|
if command -v bun &>/dev/null; then return 0; fi
|
|
printf '\033[0;36mInstalling bun...\033[0m\n' >&2
|
|
curl -fsSL --proto '=https' --show-error https://bun.sh/install | bash >/dev/null || { printf '\033[0;31mFailed to install bun\033[0m\n' >&2; exit 1; }
|
|
export PATH="$HOME/.bun/bin:$PATH"
|
|
command -v bun &>/dev/null || { printf '\033[0;31mbun not found after install\033[0m\n' >&2; exit 1; }
|
|
}
|
|
|
|
_ensure_bun
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" 2>/dev/null && pwd)"
|
|
|
|
# Local checkout — run from source
|
|
if [[ -n "$SCRIPT_DIR" && -f "$SCRIPT_DIR/../../packages/cli/src/local/main.ts" ]]; then
|
|
exec bun run "$SCRIPT_DIR/../../packages/cli/src/local/main.ts" opencode "$@"
|
|
fi
|
|
|
|
# Remote — download bundled local.js from GitHub release
|
|
LOCAL_JS=$(mktemp)
|
|
trap 'rm -f "$LOCAL_JS"' EXIT
|
|
curl -fsSL --proto '=https' "https://github.com/OpenRouterTeam/spawn/releases/download/local-latest/local.js" -o "$LOCAL_JS" \
|
|
|| { printf '\033[0;31mFailed to download local.js\033[0m\n' >&2; exit 1; }
|
|
|
|
exec bun run "$LOCAL_JS" opencode "$@"
|