github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 21:39:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): enforce strict environment variable validation in exec tool (#4896)

Browse Source
This commit is contained in:
Hasan FLeyah
2026-02-02 02:36:24 +03:00
committed by GitHub
parent b796f6ec01
commit 0a5821a811
2 changed files with 62 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/agents/bash-tools.exec.path.test.ts
View File

@@ -86,7 +86,7 @@ describe("exec PATH login shell merge", () => {
expect(shellPathMock).toHaveBeenCalledTimes(1);
});
it("skips login-shell PATH when env.PATH is provided", async () => {
it("throws security violation when env.PATH is provided", async () => {
if (isWin) {
return;
}
@@ -98,13 +98,14 @@ describe("exec PATH login shell merge", () => {
shellPathMock.mockClear();
const tool = createExecTool({ host: "gateway", security: "full", ask: "off" });
const result = await tool.execute("call1", {
command: "echo $PATH",
env: { PATH: "/explicit/bin" },
});
const entries = normalizePathEntries(result.content.find((c) => c.type === "text")?.text);
expect(entries).toEqual(["/explicit/bin"]);
await expect(
tool.execute("call1", {
command: "echo $PATH",
env: { PATH: "/explicit/bin" },
}),
).rejects.toThrow(/Security Violation: Custom 'PATH' variable is forbidden/);
expect(shellPathMock).not.toHaveBeenCalled();
});
});