github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 17:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block startup-file env injection across host execution paths

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 11:43:53 +01:00
parent 6b2f2811dc
commit 2cdbadee1f
13 changed files with 318 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/config/env-vars.ts
View File

@@ -1,3 +1,4 @@
import { isDangerousHostEnvVarName } from "../infra/host-env-security.js";
import type { OpenClawConfig } from "./types.js";
export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, string> {
@@ -13,6 +14,9 @@ export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, strin
if (!value) {
continue;
}
if (isDangerousHostEnvVarName(key)) {
continue;
}
entries[key] = value;
}
}
@@ -24,6 +28,9 @@ export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, strin
if (typeof value !== "string" || !value.trim()) {
continue;
}
if (isDangerousHostEnvVarName(key)) {
continue;
}
entries[key] = value;
}