fix(infra): block workspace state-directory env override [AI] (#75940)

* fix: block workspace state directory env override * docs: add changelog entry for PR merge
2026-05-06 07:00:43 +00:00 · 2026-05-02 14:17:42 +05:30
parent 089a3063ee
commit 42dfc36da5
3 changed files with 11 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ Docs: https://docs.openclaw.ai

 ### Fixes

+- fix(infra): block workspace state-directory env override [AI]. (#75940) Thanks @pgondhi987.
 - TTS: honor explicit short `[[tts:text]]...[[/tts:text]]` blocks while keeping untagged short auto-TTS suppressed, so tagged voice replies are synthesized instead of being dropped as empty voice-only payloads. Fixes #73758. Thanks @yfge.
 - Proxy/audio: convert standard `FormData` bodies before proxy-backed undici fetches, so audio transcription and multipart uploads no longer send `[object FormData]` when `HTTP_PROXY` or `HTTPS_PROXY` is configured. Fixes #48554. Thanks @dco5.
 - Gateway/diagnostics: include a bounded redacted startup error message in stability bundles, so crash-loop reports identify the failing plugin or contract without exposing secrets. Refs #75797. Thanks @ymebosma.
--- a/src/infra/dotenv.test.ts
+++ b/src/infra/dotenv.test.ts
@@ -299,20 +299,26 @@ describe("loadDotEnv", () => {
    });
  });

-  it("blocks OPENCLAW_STATE_DIR from workspace .env even when unset in process env", async () => {
+  it("blocks state-directory controls from workspace .env even when unset in process env", async () => {
    await withIsolatedEnvAndCwd(async () => {
      await withDotEnvFixture(async ({ cwdDir }) => {
        await writeEnvFile(
          path.join(cwdDir, ".env"),
-          "OPENCLAW_STATE_DIR=./evil-state\nOPENCLAW_CONFIG_PATH=./evil-config.json\n",
+          [
+            "OPENCLAW_STATE_DIR=./evil-state",
+            "STATE_DIRECTORY=./evil-systemd-state",
+            "OPENCLAW_CONFIG_PATH=./evil-config.json",
+          ].join("\n"),
        );

        delete process.env.OPENCLAW_STATE_DIR;
+        delete process.env.STATE_DIRECTORY;
        delete process.env.OPENCLAW_CONFIG_PATH;

        loadWorkspaceDotEnvFile(path.join(cwdDir, ".env"), { quiet: true });

        expect(process.env.OPENCLAW_STATE_DIR).toBeUndefined();
+        expect(process.env.STATE_DIRECTORY).toBeUndefined();
        expect(process.env.OPENCLAW_CONFIG_PATH).toBeUndefined();
      });
    });
@@ -732,6 +738,7 @@ describe("workspace .env blocklist completeness", () => {
          "ProgramFiles",
          "ProgramFiles(x86)",
          "ProgramW6432",
+          "STATE_DIRECTORY",
          "SYNOLOGY_CHAT_INCOMING_URL",
          "SYNOLOGY_NAS_HOST",
        ];
--- a/src/infra/dotenv.ts
+++ b/src/infra/dotenv.ts
@@ -81,6 +81,7 @@ const BLOCKED_WORKSPACE_DOTENV_KEYS = new Set([
  "PROGRAMFILES",
  "PROGRAMFILES(X86)",
  "PROGRAMW6432",
+  "STATE_DIRECTORY",
  "SYNOLOGY_CHAT_INCOMING_URL",
  "SYNOLOGY_NAS_HOST",
  "SYSTEMROOT",