fix(infra): expand host env security policy denylist [AI] (#63277)

* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: close host env inherited sanitization gap

* fix: enforce host env reported baseline coverage

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
Pavan Kumar Gondhi
2026-04-10 11:36:39 +05:30
committed by GitHub
parent 71617ef2f0
commit 2d126fc623
13 changed files with 1165 additions and 21 deletions


@@ -9,7 +9,7 @@ import {
type ExecTarget,
} from "../infra/exec-approvals.js";
import { requestHeartbeatNow } from "../infra/heartbeat-wake.js";
import { isDangerousHostEnvVarName } from "../infra/host-env-security.js";
import { isDangerousHostInheritedEnvVarName } from "../infra/host-env-security.js";
import { findPathKey, mergePathPrepend } from "../infra/path-prepend.js";
import { enqueueSystemEvent } from "../infra/system-events.js";
import { scopedHeartbeatWakeOptions } from "../routing/session-key.js";
@@ -72,7 +72,7 @@ export function sanitizeHostBaseEnv(env: Record<string, string>): Record<string,
sanitized[key] = value;
continue;
}
if (isDangerousHostEnvVarName(upperKey)) {
if (isDangerousHostInheritedEnvVarName(upperKey)) {
continue;
}
sanitized[key] = value;
@@ -86,7 +86,7 @@ export function validateHostEnv(env: Record<string, string>): void {
const upperKey = key.toUpperCase();
// 1. Block known dangerous variables (Fail Closed)
if (isDangerousHostEnvVarName(upperKey)) {
if (isDangerousHostInheritedEnvVarName(upperKey)) {
throw new Error(
`Security Violation: Environment variable '${key}' is forbidden during host execution.`,
);