github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 10:01:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block startup-file env injection across host execution paths

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 11:43:53 +01:00
parent 6b2f2811dc
commit 2cdbadee1f
13 changed files with 318 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/config/config.env-vars.test.ts
View File

@@ -3,7 +3,7 @@ import path from "node:path";
import { describe, expect, it } from "vitest";
import { loadDotEnv } from "../infra/dotenv.js";
import { resolveConfigEnvVars } from "./env-substitution.js";
import { applyConfigEnvVars } from "./env-vars.js";
import { applyConfigEnvVars, collectConfigEnvVars } from "./env-vars.js";
import { withEnvOverride, withTempHome } from "./test-helpers.js";
import type { OpenClawConfig } from "./types.js";
@@ -29,6 +29,21 @@ describe("config env vars", () => {
});
});
it("blocks dangerous startup env vars from config env", async () => {
await withEnvOverride({ BASH_ENV: undefined, OPENROUTER_API_KEY: undefined }, async () => {
const config = {
env: { vars: { BASH_ENV: "/tmp/pwn.sh", OPENROUTER_API_KEY: "config-key" } },
};
const entries = collectConfigEnvVars(config as OpenClawConfig);
expect(entries.BASH_ENV).toBeUndefined();
expect(entries.OPENROUTER_API_KEY).toBe("config-key");
applyConfigEnvVars(config as OpenClawConfig);
expect(process.env.BASH_ENV).toBeUndefined();
expect(process.env.OPENROUTER_API_KEY).toBe("config-key");
});
});
it("loads ${VAR} substitutions from ~/.openclaw/.env on repeated runtime loads", async () => {
await withTempHome(async (_home) => {
await withEnvOverride({ BRAVE_API_KEY: undefined }, async () => {