mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-05 07:20:28 +00:00
dcf41c63ea
MODAL_SANDBOX_ID and sandbox name were interpolated directly into Python code strings, allowing potential code injection. Now all user-controlled values are passed via environment variables and read with os.environ in Python. Changes: - create_server: pass name/image via _MODAL_NAME/_MODAL_IMAGE env vars, use getattr() for image lookup, add sandbox name validation - run_server: pass sandbox ID and command via env vars - interactive_session: pass sandbox ID and command via env vars - destroy_server: pass sandbox ID via env var - Add validate_sandbox_id() to enforce sb-<alphanumeric> format - upload_file: remove printf '%q' escaping (base64 is safe) Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| common.sh | ||