spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-19 16:39:50 +00:00

History

A 1bddd713ea fix: base64-encode commands in SSH exec to prevent injection (#2448 ) All four SSH-based cloud drivers (aws, digitalocean, gcp, hetzner) passed the command string directly as an SSH argument, which gets interpreted by the remote shell. While current callers pass trusted E2E test code, this creates a security footgun for future changes. Fix: base64-encode the command locally and decode it on the remote side before piping to bash. The encoded string contains only safe characters [A-Za-z0-9+/=], eliminating any injection vector. Stdin is preserved for callers that pipe data into cloud_exec. Closes #2432, closes #2433, closes #2434, closes #2435 Agent: complexity-hunter Co-authored-by: B <6723574+louisgv@users.noreply.github.com>		2026-03-10 13:22:33 -04:00
..
aws	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
cli	fix: safe printf format strings and document e2e source usage (#2445 )	2026-03-10 12:28:45 -04:00
digitalocean	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
docker	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
e2e	fix: base64-encode commands in SSH exec to prevent injection (#2448 )	2026-03-10 13:22:33 -04:00
gcp	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
hetzner	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
local	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
shared	fix(security): fail on chmod error in github-auth.sh token persistence (#2375 )	2026-03-09 08:18:07 -04:00
sprite	fix: pin bun install to v1.3.9 in all agent scripts (#2345 )	2026-03-08 12:47:18 -04:00
test	refactor: Remove dead code and stale references (#2062 )	2026-03-01 11:45:24 -05:00