Sandbox: sanitize SSH subprocess env (#57848)

* Sandbox: sanitize SSH subprocess env * Sandbox: add sanitize env undefined test
2026-04-20 05:31:30 +00:00 · 2026-03-30 12:05:57 -07:00
parent f0af186726
commit cfe1445953
12 changed files with 1005 additions and 320 deletions
--- a/extensions/openshell/src/backend.test.ts
+++ b/extensions/openshell/src/backend.test.ts
@@ -0,0 +1,29 @@
+import { afterEach, describe, expect, it } from "vitest";
+import { buildOpenShellSshExecEnv } from "./backend.js";
+
+describe("openshell backend env", () => {
+  const originalEnv = { ...process.env };
+
+  afterEach(() => {
+    for (const key of Object.keys(process.env)) {
+      if (!(key in originalEnv)) {
+        delete process.env[key];
+      }
+    }
+    Object.assign(process.env, originalEnv);
+  });
+
+  it("filters blocked secrets from ssh exec env", () => {
+    process.env.OPENAI_API_KEY = "sk-test-secret";
+    process.env.ANTHROPIC_API_KEY = "sk-ant-test-secret";
+    process.env.LANG = "en_US.UTF-8";
+    process.env.NODE_ENV = "test";
+
+    const env = buildOpenShellSshExecEnv();
+
+    expect(env.OPENAI_API_KEY).toBeUndefined();
+    expect(env.ANTHROPIC_API_KEY).toBeUndefined();
+    expect(env.LANG).toBe("en_US.UTF-8");
+    expect(env.NODE_ENV).toBe("test");
+  });
+});
--- a/extensions/openshell/src/backend.ts
+++ b/extensions/openshell/src/backend.ts
@@ -17,6 +17,7 @@ import {
  disposeSshSandboxSession,
  resolvePreferredOpenClawTmpDir,
  runSshSandboxCommand,
+  sanitizeEnvVars,
 } from "openclaw/plugin-sdk/sandbox";
 import {
  buildExecRemoteCommand,
@@ -41,6 +42,10 @@ type PendingExec = {
  sshSession: SshSandboxSession;
 };

+export function buildOpenShellSshExecEnv(): NodeJS.ProcessEnv {
+  return sanitizeEnvVars(process.env).allowed;
+}
+
 export type OpenShellSandboxBackend = SandboxBackendHandle &
  RemoteShellSandboxHandle & {
    mode: "mirror" | "remote";
@@ -123,7 +128,7 @@ async function createOpenShellSandboxBackend(params: {
      const pending = await impl.prepareExec({ command, workdir, env, usePty });
      return {
        argv: pending.argv,
-        env: process.env,
+        env: buildOpenShellSshExecEnv(),
        stdinMode: "pipe-open",
        finalizeToken: pending.token,
      };
@@ -180,7 +185,7 @@ class OpenShellSandboxBackendImpl {
        const pending = await self.prepareExec({ command, workdir, env, usePty });
        return {
          argv: pending.argv,
-          env: process.env,
+          env: buildOpenShellSshExecEnv(),
          stdinMode: "pipe-open",
          finalizeToken: pending.token,
        };