diff --git a/src/agents/sandbox/docker.ts b/src/agents/sandbox/docker.ts index be3175b79f8..6964a968b4e 100644 --- a/src/agents/sandbox/docker.ts +++ b/src/agents/sandbox/docker.ts @@ -1,4 +1,5 @@ import { spawn } from "node:child_process"; +import { sanitizeEnvVars } from "./sanitize-env-vars.js"; type ExecDockerRawOptions = { allowFailure?: boolean; @@ -104,13 +105,13 @@ export function execDockerRaw( }); } +import type { SandboxConfig, SandboxDockerConfig, SandboxWorkspaceAccess } from "./types.js"; import { formatCliCommand } from "../../cli/command-format.js"; import { defaultRuntime } from "../../runtime.js"; import { computeSandboxConfigHash } from "./config-hash.js"; import { DEFAULT_SANDBOX_IMAGE, SANDBOX_AGENT_WORKSPACE_MOUNT } from "./constants.js"; import { readRegistry, updateRegistry } from "./registry.js"; import { resolveSandboxAgentId, resolveSandboxScopeKey, slugifySessionKey } from "./shared.js"; -import type { SandboxConfig, SandboxDockerConfig, SandboxWorkspaceAccess } from "./types.js"; import { validateSandboxSecurity } from "./validate-sandbox-security.js"; const HOT_CONTAINER_WINDOW_MS = 5 * 60 * 1000; @@ -269,11 +270,18 @@ export function buildSandboxCreateArgs(params: { if (params.cfg.user) { args.push("--user", params.cfg.user); } - for (const [key, value] of Object.entries(params.cfg.env ?? {})) { - if (!key.trim()) { - continue; - } - args.push("--env", key + "=" + value); + const envSanitization = sanitizeEnvVars(params.cfg.env ?? {}); + if (envSanitization.blocked.length > 0) { + console.warn( + "[Security] Blocked sensitive environment variables:", + envSanitization.blocked.join(", "), + ); + } + if (envSanitization.warnings.length > 0) { + console.warn("[Security] Suspicious environment variables:", envSanitization.warnings); + } + for (const [key, value] of Object.entries(envSanitization.allowed)) { + args.push("--env", `${key}=${value}`); } for (const cap of params.cfg.capDrop) { args.push("--cap-drop", cap);