vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 12:20:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block HOME and ZDOTDIR env override injection

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 09:41:55 +01:00
parent ccc00d874c
commit c2c7114ed3
6 changed files with 55 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/node-host/invoke.sanitize-env.test.ts
View File

@@ -26,6 +26,17 @@ describe("node-host sanitizeEnv", () => {
});
});
it("blocks dangerous override-only env keys", () => {
withEnv({ HOME: "/Users/trusted", ZDOTDIR: "/Users/trusted/.zdot" }, () => {
const env = sanitizeEnv({
HOME: "/tmp/evil-home",
ZDOTDIR: "/tmp/evil-zdotdir",
});
expect(env.HOME).toBe("/Users/trusted");
expect(env.ZDOTDIR).toBe("/Users/trusted/.zdot");
});
});
it("drops dangerous inherited env keys even without overrides", () => {
withEnv({ PATH: "/usr/bin:/bin", BASH_ENV: "/tmp/pwn.sh" }, () => {
const env = sanitizeEnv(undefined);