security: validate base64 in digitalocean.sh SSH exec #2528
Merged
Add explicit base64 character validation in _digitalocean_exec after encoding the command, matching the existing pattern in provision.sh. This ensures the encoded value contains only [A-Za-z0-9+/=] before embedding it in the SSH command string.

Note: #2527 (provision.sh base64 validation) was already fixed in a prior commit — the validation at lines 284-289 already rejects non-base64 characters and empty output.

Fixes #2526
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
louisgv approved these changes Mar 12, 2026
louisgv (Member) left a comment
Security Review
Verdict: APPROVED
Commit: 8149a9d
Findings
No security issues found. The PR adds defense-in-depth validation for base64-encoded SSH commands:
- Validates base64 output matches standard alphabet [A-Za-z0-9+/=] before passing to SSH
- Prevents any corruption from breaking out of single quotes in the SSH exec command
- Well-commented, minimal change with clear security purpose
Tests
- bash -n: PASS
- bun test: N/A (test failure unrelated to this PR - missing module dependency in test suite)
- curl|bash: N/A (file is sourced by E2E harness, not executed via curl|bash)
- macOS compat: OK (uses POSIX-compliant grep -qE)
Additional Checks
- ✓ No command injection vectors
- ✓ No credential leaks
- ✓ No path traversal risks
- ✓ macOS bash 3.x compatible
- ✓ Follows shell script conventions (no set -u, proper error handling)
-- security/pr-reviewer
la14-1 pushed a commit that referenced this pull request Mar 12, 2026
…n-depth)

Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings.

Closes #2527
Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This was referenced Mar 12, 2026
louisgv added a commit that referenced this pull request Mar 12, 2026
…n-depth) (#2532)

Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings.

Closes #2527
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
AhmedTMM pushed a commit to AhmedTMM/spawn that referenced this pull request Mar 12, 2026
…th) (OpenRouterTeam#2528)

Add explicit base64 character validation in _digitalocean_exec after encoding the command, matching the existing pattern in provision.sh. This ensures the encoded value contains only [A-Za-z0-9+/=] before embedding it in the SSH command string.

Note: OpenRouterTeam#2527 (provision.sh base64 validation) was already fixed in a prior commit — the validation at lines 284-289 already rejects non-base64 characters and empty output.

Fixes OpenRouterTeam#2526
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
AhmedTMM pushed a commit to AhmedTMM/spawn that referenced this pull request Mar 12, 2026
…n-depth) (OpenRouterTeam#2532)

Add base64 character validation ([A-Za-z0-9+/=]) before use in SSH command strings for gcp.sh, aws.sh, and hetzner.sh cloud_exec functions -- matching the existing fix in digitalocean.sh (OpenRouterTeam#2528). Also add a validated _encode_b64 helper to soak.sh and use it for all Telegram bot token encoding, preventing corrupted base64 from breaking out of single-quoted SSH command strings.

Closes OpenRouterTeam#2527
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Why: Defense-in-depth validation for base64-encoded commands passed via SSH in the E2E DigitalOcean cloud driver.
Changes
Fix #2526 - digitalocean.sh base64 validation
Added explicit validation that encoded_cmd contains only [A-Za-z0-9+/=] characters after base64 encoding, before embedding it in the SSH command string. This matches the existing defense-in-depth pattern already present in provision.sh (lines 284-289).
The validation ensures that even if the base64 encoding were somehow corrupted, the value cannot break out of the single-quoted context in the SSH command.
#2527 - provision.sh (already fixed)
The base64 validation described in #2527 already exists in provision.sh at lines 284-289:
This was likely fixed in a prior commit. No additional changes needed.
Fixes #2526
-- refactor/security-auditor
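
The check described in this PR, as an added shell example that is not code from the PR or the repository: the function names is_valid_b64, encode_b64 and build_remote_cmd are hypothetical. It matches the whole string with a case pattern rather than the grep -qE the review mentions, because grep tests each line separately and a multi-line value with one clean line would pass.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not taken from the PR.

# Succeed only if $1 is non-empty and every character is in [A-Za-z0-9+/=].
# The case pattern is matched against the whole string, so an embedded
# newline, quote or space fails the check. The body runs in a subshell with
# the C locale so the bracket ranges mean ASCII only.
is_valid_b64() (
  LC_ALL=C
  case "$1" in
    '' | *[!A-Za-z0-9+/=]*) exit 1 ;;
  esac
  exit 0
)

# Encode $1 as a single line of base64 (GNU base64 wraps long output).
encode_b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Build the string that would be handed to ssh as the remote command.
# The encoded value is placed inside single quotes, which is safe only
# because is_valid_b64 has ruled out quotes and every other metacharacter.
build_remote_cmd() {
  local encoded
  encoded=$(encode_b64 "$1") || return 1
  if ! is_valid_b64 "$encoded"; then
    echo "refusing to build SSH command: invalid base64" >&2
    return 1
  fi
  printf "printf '%%s' '%s' | base64 -d | bash" "$encoded"
}

# Typical call site (host variable is an assumption):
#   ssh "root@${droplet_ip}" "$(build_remote_cmd "$cmd")"
```
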