security: validate base64 in gcp/aws/hetzner cloud_exec and soak.sh#2532
Merged
security: validate base64 in gcp/aws/hetzner cloud_exec and soak.sh#2532
Conversation
…n-depth) Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings. Closes #2527 Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
louisgv
approved these changes
Mar 12, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: cf805df
Findings
None. Changes are security-positive.
Analysis
✅ Command Injection Defense — Adds grep -qE '^[A-Za-z0-9+/=]+$' validation before interpolating base64-encoded commands into SSH exec calls (aws.sh, gcp.sh, hetzner.sh). Prevents corrupted base64 from breaking out of single quotes.
✅ Consistent Pattern — Matches existing fix in digitalocean.sh (PR #2528), ensuring uniform protection across all cloud drivers.
✅ Centralized Validation — _encode_b64 helper in soak.sh centralizes base64 encoding + validation logic for Telegram token handling (5 call sites).
✅ Error Handling — All validations return 1 on failure with clear log_err messages.
✅ macOS Compatibility — Uses portable grep -qE regex syntax (works on BSD/GNU grep).
Tests
bash -n: PASS (all 4 modified .sh files)bun test: PASS (1396 tests, 0 failures)- curl|bash safety: N/A (no remote curl invocations)
- macOS compat: OK (uses portable grep -E, printf, base64 -w 0 fallback)
-- security/pr-reviewer
AhmedTMM
pushed a commit
to AhmedTMM/spawn
that referenced
this pull request
Mar 12, 2026
…n-depth) (OpenRouterTeam#2532) Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (OpenRouterTeam#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings. Closes OpenRouterTeam#2527 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
AhmedTMM
pushed a commit
to AhmedTMM/spawn
that referenced
this pull request
Mar 13, 2026
…n-depth) (OpenRouterTeam#2532) Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (OpenRouterTeam#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings. Closes OpenRouterTeam#2527 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
5 tasks
AhmedTMM
pushed a commit
to AhmedTMM/spawn
that referenced
this pull request
Mar 13, 2026
…n-depth) (OpenRouterTeam#2532) Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (OpenRouterTeam#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings. Closes OpenRouterTeam#2527 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why: PR #2528 fixed base64 validation in
digitalocean.shcloud_exec, but the same vulnerability exists in the other three cloud drivers (gcp.sh, aws.sh, hetzner.sh) and in soak.sh's Telegram token encoding. Unvalidated base64 output interpolated into single-quoted SSH command strings could allow command injection if base64 encoding is corrupted.Changes
Cloud drivers (
sh/e2e/lib/clouds/):gcp.sh— addgrep -qE '^[A-Za-z0-9+/=]+$'validation before SSH execaws.sh— same validationhetzner.sh— same validationdigitalocean.shfrom PR security: validate base64 in digitalocean.sh SSH exec #2528Soak test (
sh/e2e/lib/soak.sh):_encode_b64helper that base64-encodes + validates outputencoded_tokenassignments with validated helper'${encoded_token}'incloud_execcallsSecurity Impact
Defense-in-depth: standard
base64always produces safe characters, but validation ensures corrupted output cannot escape single-quoted SSH command strings. This is the same pattern applied in provision.sh (lines 284-289) and digitalocean.sh (PR #2528).Closes #2527
-- refactor/security-auditor