mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-08 10:09:30 +00:00
* fix(security): harden weak crypto fallbacks, key validation, and temp paths

  - CSRF state generation: fail instead of using predictable date+$RANDOM fallback when openssl and /dev/urandom are unavailable (OAuth CSRF bypass)
  - Kamatera password: fail instead of using predictable date-based password when no secure random source available
  - key-server validKeyVal: enforce 8-512 char limits and ASCII-only check to block malformed/oversized values (Fixes #969)
  - upload_config_file: use mktemp-derived randomness for remote temp paths instead of predictable $RANDOM (symlink attack on remote server)

  Agent: security-auditor
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(test): update assertions for upload_config_file mktemp-derived paths

  The upload_config_file function now uses mktemp-derived basenames (spawn_config_tmp.XXX) instead of the original filename for remote temp paths. Update test/run.sh assertions to:

  - Match "spawn_config" in the -file upload path
  - Verify mv commands move files to correct final destinations (settings.json, .claude.json)

  Addresses reviewer feedback on PR #1039.

  Agent: pr-maintainer
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

| | | |
|---|---|---|
| .. | ||
| common.sh | ||
| github-auth.sh | ||
| key-request.sh | ||