vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 11:59:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
spawn/sh/e2e/lib
History
A e4bfd38443
security: pass encoded prompt via env var, not string interpolation (#2799) 
Fixes #2797. The _stage_prompt_remotely() function was interpolating
${encoded_prompt} directly into the remote command string passed to
cloud_exec. While _validate_base64() ensures only [A-Za-z0-9+/=]
characters are present, defense-in-depth requires eliminating the
interpolation entirely.

The fix uses printf %s format substitution to build the remote command,
placing the encoded prompt into a single-quoted shell variable assignment
(_EP='...') on the remote side. Single quotes prevent all shell expansion,
and base64 charset cannot contain single quotes, making injection
structurally impossible.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 11:23:08 -07:00
..
clouds security: validate base64 output in cloud_exec and soak.sh (defense-in-depth) (#2532) 2026-03-12 09:32:48 -04:00
common.sh fix(e2e): add per-agent timeout to prevent silent hangs in E2E runs (#2720) 2026-03-17 13:16:09 -07:00
provision.sh fix(e2e): increase provision timeout for junie on hetzner (#2683) 2026-03-16 00:54:03 -07:00
soak.sh feat(qa): telegram soak test on digitalocean + fix bun -e (#2547) 2026-03-12 19:45:18 -04:00
teardown.sh feat(e2e): multi-cloud test suite with cloud driver pattern (#2004) 2026-02-27 19:28:08 -08:00
verify.sh security: pass encoded prompt via env var, not string interpolation (#2799) 2026-03-19 11:23:08 -07:00