spawn/test
A 4b0d25ca39
fix: prevent Python code injection via unescaped variables in inline Python (#771)
Use sys.argv to pass shell values to inline Python instead of direct
string interpolation, preventing single-quote injection attacks across
cloud lib common.sh files and test/record.sh.

Also fix eval injection in test/record.sh try_load_config() by replacing
eval of Python-generated export statements with safe tab-separated
parsing and direct variable assignment.

Fixes #759
Fixes #760

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-12 16:47:13 -08:00
fixtures QA-Bot setup (#335) 2026-02-10 19:51:07 -08:00
mock.sh refactor: extract helpers from run_test() in test/mock.sh (#713) 2026-02-12 15:01:49 -08:00
qa-dry-run.sh feat: qa bot and emails (#565) 2026-02-11 20:19:45 -08:00
record.sh fix: prevent Python code injection via unescaped variables in inline Python (#771) 2026-02-12 16:47:13 -08:00
run.sh fix: replace ((var++)) with var=$((var + 1)) for macOS bash 3.x compat (#769) 2026-02-12 16:45:51 -08:00
update-readme.py QA-Bot setup (#335) 2026-02-10 19:51:07 -08:00