mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-06 16:31:08 +00:00
Railway's inject_env_vars passed user-controlled values (e.g. OPENROUTER_API_KEY) through bash -c without proper escaping, allowing shell injection. Replace with the safe file-based pattern used by other providers (write to temp file, upload, append to .bashrc).

Also add remote_path validation to Railway and Modal upload_file functions to prevent single-quote breakout injection, matching the pattern already used by Koyeb.

Fix gptme.sh reference to non-existent inject_env_vars_railway function.

Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

| Name |
|---|
| common.sh |
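
The two defenses the commit message names (path validation against single-quote breakout, and passing values through a file instead of a `bash -c` string), as an added example that is not the project's own code. All function names here are hypothetical, and the actual checks in spawn's Koyeb, Railway and Modal scripts may differ.

```shell
#!/bin/sh
# Added example: all function names are hypothetical, not taken from spawn.

# Accept only a conservative character set so the path cannot close a
# single-quoted argument in a remote command; also refuse any "..".
validate_remote_path() {
    case "$1" in
        ''|*[!A-Za-z0-9_./~-]*|*..*) return 1 ;;
    esac
}

# Environment variable names: letters, digits, underscore, no leading digit.
valid_env_name() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Wrap a value in single quotes, rewriting each embedded ' as '\'' so the
# shell that later sources the file reads it as literal data.
# Trailing newlines in the value are dropped by the command substitution.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write NAME=value pairs as export lines to a private file. The values go
# through a file (upload it, then append to .bashrc), never through a
# command string such as: bash -c "export KEY=$value"
write_env_file() {
    _out="$1"; shift
    ( umask 077; : > "$_out" ) || return 1
    for _pair in "$@"; do
        case "$_pair" in *=*) ;; *) return 1 ;; esac
        _name="${_pair%%=*}"
        valid_env_name "$_name" || return 1
        printf 'export %s=%s\n' "$_name" "$(shell_quote "${_pair#*=}")" >> "$_out"
    done
}
```

Sourcing the generated file assigns the value byte for byte, so quotes, backticks and `$(...)` inside a key stay data.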