spawn/shared
A dd2730ee5d
fix: Quote values in generate_env_config to prevent shell injection (#413)
The generate_env_config function wrote `export KEY=VALUE` without quoting
the value. When these config files are sourced by the user's shell, any
shell metacharacters in values ($, `, \, spaces) would be interpreted,
potentially leading to arbitrary command execution.

Values are now single-quoted, which prevents all shell interpretation.
Single quotes within values are properly escaped using the standard
'\'' technique.

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-11 02:06:49 -08:00
common.sh fix: Quote values in generate_env_config to prevent shell injection (#413) 2026-02-11 02:06:49 -08:00
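
The unquoted and single-quoted forms described in the commit message above, side by side, as an added example that is not the project's code from common.sh. The function names, `DEMO_VAR`, and the sample value are hypothetical and constructed for illustration, and the key is assumed to be a trusted variable name.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not taken from common.sh.

# Pre-fix behaviour per the commit message: the value is written unquoted.
emit_export_unquoted() {
    printf 'export %s=%s\n' "$1" "$2"
}

# Wrap a value in single quotes; every embedded ' becomes '\''
# (close the quote, emit an escaped quote, reopen the quote).
shell_single_quote() {
    sq_rest=$1
    sq_out=
    while :; do
        case $sq_rest in
            *\'*)
                sq_head=${sq_rest%%\'*}
                sq_rest=${sq_rest#*\'}
                sq_out="$sq_out$sq_head'\\''"
                ;;
            *)
                sq_out="$sq_out$sq_rest"
                break
                ;;
        esac
    done
    printf "'%s'" "$sq_out"
}

# Post-fix behaviour: the value is single-quoted before it is written.
# The key is assumed to be a trusted, valid variable name.
emit_export_quoted() {
    printf 'export %s=%s\n' "$1" "$(shell_single_quote "$2")"
}

# Write one line with the given emitter, source it in a subshell, and
# print what DEMO_VAR holds afterwards.
value_after_source() {
    vs_file=$(mktemp) || return 1
    "$1" DEMO_VAR "$2" > "$vs_file"
    ( . "$vs_file"; printf '%s' "$DEMO_VAR" ) 2>/dev/null || true
    rm -f "$vs_file"
}

# Constructed sample value; the embedded command is a harmless echo.
sample='tok$(echo INJECTED)'
printf 'unquoted: %s\n' "$(value_after_source emit_export_unquoted "$sample")"
printf 'quoted:   %s\n' "$(value_after_source emit_export_quoted "$sample")"
```

A value that survives the source step byte for byte is the property to test for; a regression test can loop `value_after_source` over values containing each metacharacter the commit message lists.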