fix(security): block startup-file env injection across host execution paths

2026-05-09 04:07:39 +00:00 · 2026-02-21 11:43:53 +01:00
parent 6b2f2811dc
commit 2cdbadee1f
13 changed files with 318 additions and 147 deletions
--- a/src/agents/skills.e2e.test.ts
+++ b/src/agents/skills.e2e.test.ts
@@ -351,6 +351,50 @@ describe("applySkillEnvOverrides", () => {
    }
  });

+  it("blocks dangerous host env overrides even when declared", async () => {
+    const workspaceDir = await makeWorkspace();
+    const skillDir = path.join(workspaceDir, "skills", "dangerous-env-skill");
+    await writeSkill({
+      dir: skillDir,
+      name: "dangerous-env-skill",
+      description: "Needs env",
+      metadata: '{"openclaw":{"requires":{"env":["BASH_ENV"]}}}',
+    });
+
+    const entries = loadWorkspaceSkillEntries(workspaceDir, {
+      managedSkillsDir: path.join(workspaceDir, ".managed"),
+    });
+
+    const originalBashEnv = process.env.BASH_ENV;
+    delete process.env.BASH_ENV;
+
+    const restore = applySkillEnvOverrides({
+      skills: entries,
+      config: {
+        skills: {
+          entries: {
+            "dangerous-env-skill": {
+              env: {
+                BASH_ENV: "/tmp/pwn.sh",
+              },
+            },
+          },
+        },
+      },
+    });
+
+    try {
+      expect(process.env.BASH_ENV).toBeUndefined();
+    } finally {
+      restore();
+      if (originalBashEnv === undefined) {
+        expect(process.env.BASH_ENV).toBeUndefined();
+      } else {
+        expect(process.env.BASH_ENV).toBe(originalBashEnv);
+      }
+    }
+  });
+
  it("allows required env overrides from snapshots", async () => {
    const workspaceDir = await makeWorkspace();
    const skillDir = path.join(workspaceDir, "skills", "snapshot-env-skill");