fix(exec): block dangerous override-only env pivots

2026-03-12 07:20:45 +00:00 · 2026-03-07 19:17:59 +00:00
parent 6aa80844b8
commit e27bbe4982
8 changed files with 155 additions and 5 deletions
--- a/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
@@ -6,6 +6,7 @@ enum HostEnvSanitizer {
    private static let blockedKeys = HostEnvSecurityPolicy.blockedKeys
    private static let blockedPrefixes = HostEnvSecurityPolicy.blockedPrefixes
    private static let blockedOverrideKeys = HostEnvSecurityPolicy.blockedOverrideKeys
+    private static let blockedOverridePrefixes = HostEnvSecurityPolicy.blockedOverridePrefixes
    private static let shellWrapperAllowedOverrideKeys: Set<String> = [
        "TERM",
        "LANG",
@@ -22,6 +23,11 @@ enum HostEnvSanitizer {
        return self.blockedPrefixes.contains(where: { upperKey.hasPrefix($0) })
    }

+    private static func isBlockedOverride(_ upperKey: String) -> Bool {
+        if self.blockedOverrideKeys.contains(upperKey) { return true }
+        return self.blockedOverridePrefixes.contains(where: { upperKey.hasPrefix($0) })
+    }
+
    private static func filterOverridesForShellWrapper(_ overrides: [String: String]?) -> [String: String]? {
        guard let overrides else { return nil }
        var filtered: [String: String] = [:]
@@ -57,7 +63,7 @@ enum HostEnvSanitizer {
            // PATH is part of the security boundary (command resolution + safe-bin checks). Never
            // allow request-scoped PATH overrides from agents/gateways.
            if upper == "PATH" { continue }
-            if self.blockedOverrideKeys.contains(upper) { continue }
+            if self.isBlockedOverride(upper) { continue }
            if self.isBlocked(upper) { continue }
            merged[key] = value
        }
--- a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -27,7 +27,35 @@ enum HostEnvSecurityPolicy {

    static let blockedOverrideKeys: Set<String> = [
        "HOME",
-        "ZDOTDIR"
+        "ZDOTDIR",
+        "GIT_SSH_COMMAND",
+        "GIT_SSH",
+        "GIT_PROXY_COMMAND",
+        "GIT_ASKPASS",
+        "SSH_ASKPASS",
+        "LESSOPEN",
+        "LESSCLOSE",
+        "PAGER",
+        "MANPAGER",
+        "GIT_PAGER",
+        "EDITOR",
+        "VISUAL",
+        "FCEDIT",
+        "SUDO_EDITOR",
+        "PROMPT_COMMAND",
+        "HISTFILE",
+        "PERL5DB",
+        "PERL5DBCMD",
+        "OPENSSL_CONF",
+        "OPENSSL_ENGINES",
+        "PYTHONSTARTUP",
+        "WGETRC",
+        "CURL_HOME"
+    ]
+
+    static let blockedOverridePrefixes: [String] = [
+        "GIT_CONFIG_",
+        "NPM_CONFIG_"
    ]

    static let blockedPrefixes: [String] = [