spawn/shared
b5e8dbbfc5
security: fix temp file race condition in credential upload (#1333)
HIGH severity: Three functions used hardcoded /tmp/env_config for uploading
API keys, creating a TOCTOU race condition where attackers on multi-user
systems could create symlinks to exfiltrate OPENROUTER_API_KEY and other
credentials.

Fixed by using unpredictable temp file names with mktemp-derived randomness,
matching the secure pattern in write_remote_file_via_callback().

Affected functions:
- inject_env_vars_with_ssh() (line 1094)
- inject_env_vars_local() (line 1128)
- inject_env_vars_cb() (line 1363)

Agent: security-auditor

Co-authored-by: spawn-bot <bot@openrouter.ai>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-16 20:25:59 -05:00
common.sh security: fix temp file race condition in credential upload (#1333) 2026-02-16 20:25:59 -05:00
github-auth.sh refactor: decompose ensure_jq and ensure_gh_cli into focused helpers (#994) 2026-02-13 12:14:56 -08:00
key-request.sh fix: HIGH severity security issues (command injection + weak VNC password) (#1150) 2026-02-14 20:39:48 -05:00