spawn/packages
fbf7aaa067
fix(security): use temp file for GitHub token to avoid process listing exposure (#3301)
* fix(security): use temp file for GitHub token to avoid process listing exposure

Fixes #3300

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(security): pass GitHub token via heredoc instead of local temp file

The previous fix wrote the token to a temp file on the LOCAL host, but
the command string was executed on the REMOTE server via runner.runServer(),
so `cat` would fail with 'No such file or directory'. Switch to a heredoc
which is parsed by the remote shell and never appears in /proc/*/cmdline.

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(security): upload token to remote via SCP instead of heredoc

The previous heredoc approach (`cat <<'EOF'`) doesn't work because all
cloud runners wrap commands in `bash -c ${shellQuote(cmd)}`, and heredocs
are not valid inside single-quoted bash -c strings.

Use runner.uploadFile() (SCP) to place the token on the remote server as
a temp file (mode 0600), then cat+rm it in the remote command. This is
the same proven pattern used by uploadConfigFile(). The local temp file
is always cleaned up after upload, and the remote temp file is cleaned up
both on success (inline rm) and on failure (best-effort rm).

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-14 21:56:13 +07:00
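The pattern the final commit message describes (secret placed in a mode-0600 temp file, only the file path travels in the command string, the file is removed inline and again best-effort on failure) as an added shell example. This is not the spawn project's code: `write_secret_file`, `build_remote_cmd` and `run_token_flow` are constructed here, `sh -c` stands in for the cloud runner's `bash -c` wrapper, `runner.uploadFile()` is simulated by writing the file locally, and the token value is a constructed placeholder.

```shell
#!/bin/sh
# Added example: keep a GitHub token out of argv by passing it through a 0600 temp file.
set -eu

# Local side. umask 077 makes mktemp's file owner-only; the secret is written with
# printf (a builtin), so it never appears as an argument of an external process.
write_secret_file() {
  local secret="$1" path
  path="$(umask 077 && mktemp)"
  printf '%s' "$secret" > "$path"
  printf '%s' "$path"
}

# Remote command string: read the token from the uploaded file, delete the file at once,
# then run the real command. Only the PATH is embedded, so the string is safe to pass
# through `sh -c`, to log, and to show in `ps`.
build_remote_cmd() {
  local token_path="$1" remote_cmd="$2"
  printf 'GH_TOKEN="$(cat '"'"'%s'"'"')" && rm -f '"'"'%s'"'"' && %s' \
    "$token_path" "$token_path" "$remote_cmd"
}

# Whole flow: write, build, execute in a fresh shell (the simulated remote), then clean
# up. The second rm -f is the best-effort cleanup for the case where the remote command
# failed before reaching its own inline rm.
run_token_flow() {
  local secret="$1" path cmd rc=0
  path="$(write_secret_file "$secret")"
  cmd="$(build_remote_cmd "$path" 'test "${#GH_TOKEN}" -gt 0')"
  sh -c "$cmd" || rc=$?
  rm -f "$path"
  [ ! -e "$path" ] || return 1
  return "$rc"
}

# Check 1: the command string must never contain the secret itself.
cmd_leaks_secret() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Check 2: the temp file is owner read/write only (portable via ls, no stat -c).
is_mode_0600() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demonstration of why the file is needed: a secret passed as an argument is visible to
# any local user through ps (or /proc/<pid>/cmdline on Linux). Linux/macOS ps only.
argv_shows_secret() {
  local secret="$1" pid
  sh -c 'sleep 1' sh "$secret" &
  pid=$!
  ps -o args= -p "$pid" | grep -q -- "$secret"
  local seen=$?
  wait "$pid"
  return "$seen"
}

if [ "${1:-}" = "demo" ]; then
  token="ghp_CONSTRUCTED_PLACEHOLDER_TOKEN"        # constructed sample value
  if argv_shows_secret "$token"; then echo "argv exposes the token"; fi
  run_token_flow "$token" && echo "file-based flow ok, token never in argv"
fi
```

Running `sh example.sh demo` prints the exposure check first and then the file-based flow. The two checks are what to assert in CI: `cmd_leaks_secret` over every command string that is handed to the runner, and `is_mode_0600` on the file before it is uploaded.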
cli fix(security): use temp file for GitHub token to avoid process listing exposure (#3301) 2026-04-14 21:56:13 +07:00
shared fix: rethrow normalized Error in tryCatchIf/asyncTryCatchIf (#2930) 2026-03-23 19:33:05 -07:00