A f1e8d946df fix: secure upload_file functions against command injection in 5 clouds (#453) ... Replace unsafe printf '%q'-escaped unquoted variables with validated single-quoted embedding in upload_file() for fly, northflank, daytona, e2b, and koyeb. The previous pattern used unquoted $escaped_content and $escaped_path in command strings passed to bash -c or run_server, which could allow command injection via crafted filenames. The fix: - Validates remote_path rejects unsafe chars (', $, `, newlines) - Uses base64 content directly (alphanumeric + /+= is shell-safe) - Single-quotes both content and path in the command string - Uses printf '%s' instead of echo for safer output Matches the pattern already used by render, modal, and railway. Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>		2026-02-11 06:28:45 -08:00
..
common.sh	fix: secure upload_file functions against command injection in 5 clouds (#453)	2026-02-11 06:28:45 -08:00