fix(security): block startup-file env injection across host execution paths

src/infra/host-env-security.test.ts

@@ -0,0 +1,51 @@
+import { describe, expect, it } from "vitest";
+import { isDangerousHostEnvVarName, sanitizeHostExecEnv } from "./host-env-security.js";
+
+describe("isDangerousHostEnvVarName", () => {
+  it("matches dangerous keys and prefixes case-insensitively", () => {
+    expect(isDangerousHostEnvVarName("BASH_ENV")).toBe(true);
+    expect(isDangerousHostEnvVarName("bash_env")).toBe(true);
+    expect(isDangerousHostEnvVarName("DYLD_INSERT_LIBRARIES")).toBe(true);
+    expect(isDangerousHostEnvVarName("ld_preload")).toBe(true);
+    expect(isDangerousHostEnvVarName("BASH_FUNC_echo%%")).toBe(true);
+    expect(isDangerousHostEnvVarName("PATH")).toBe(false);
+    expect(isDangerousHostEnvVarName("FOO")).toBe(false);
+  });
+});
+
+describe("sanitizeHostExecEnv", () => {
+  it("removes dangerous inherited keys while preserving PATH", () => {
+    const env = sanitizeHostExecEnv({
+      baseEnv: {
+        PATH: "/usr/bin:/bin",
+        BASH_ENV: "/tmp/pwn.sh",
+        LD_PRELOAD: "/tmp/pwn.so",
+        OK: "1",
+      },
+    });
+
+    expect(env).toEqual({
+      PATH: "/usr/bin:/bin",
+      OK: "1",
+    });
+  });
+
+  it("blocks PATH and dangerous override values", () => {
+    const env = sanitizeHostExecEnv({
+      baseEnv: {
+        PATH: "/usr/bin:/bin",
+        HOME: "/tmp/home",
+      },
+      overrides: {
+        PATH: "/tmp/evil",
+        BASH_ENV: "/tmp/pwn.sh",
+        SAFE: "ok",
+      },
+    });
+
+    expect(env.PATH).toBe("/usr/bin:/bin");
+    expect(env.BASH_ENV).toBeUndefined();
+    expect(env.SAFE).toBe("ok");
+    expect(env.HOME).toBe("/tmp/home");
+  });
+});

src/infra/host-env-security.ts

@@ -0,0 +1,74 @@
+const HOST_DANGEROUS_ENV_KEY_VALUES = [
+  "NODE_OPTIONS",
+  "NODE_PATH",
+  "PYTHONHOME",
+  "PYTHONPATH",
+  "PERL5LIB",
+  "PERL5OPT",
+  "RUBYLIB",
+  "RUBYOPT",
+  "BASH_ENV",
+  "ENV",
+  "GCONV_PATH",
+  "IFS",
+  "SSLKEYLOGFILE",
+] as const;
+
+export const HOST_DANGEROUS_ENV_KEYS = new Set<string>(HOST_DANGEROUS_ENV_KEY_VALUES);
+export const HOST_DANGEROUS_ENV_PREFIXES = ["DYLD_", "LD_", "BASH_FUNC_"] as const;
+
+export function isDangerousHostEnvVarName(key: string): boolean {
+  const upper = key.toUpperCase();
+  if (HOST_DANGEROUS_ENV_KEYS.has(upper)) {
+    return true;
+  }
+  return HOST_DANGEROUS_ENV_PREFIXES.some((prefix) => upper.startsWith(prefix));
+}
+
+export function sanitizeHostExecEnv(params?: {
+  baseEnv?: Record<string, string | undefined>;
+  overrides?: Record<string, string> | null;
+  blockPathOverrides?: boolean;
+}): Record<string, string> {
+  const baseEnv = params?.baseEnv ?? process.env;
+  const overrides = params?.overrides ?? undefined;
+  const blockPathOverrides = params?.blockPathOverrides ?? true;
+
+  const merged: Record<string, string> = {};
+  for (const [rawKey, value] of Object.entries(baseEnv)) {
+    if (typeof value !== "string") {
+      continue;
+    }
+    const key = rawKey.trim();
+    if (!key || isDangerousHostEnvVarName(key)) {
+      continue;
+    }
+    merged[key] = value;
+  }
+
+  if (!overrides) {
+    return merged;
+  }
+
+  for (const [rawKey, value] of Object.entries(overrides)) {
+    if (typeof value !== "string") {
+      continue;
+    }
+    const key = rawKey.trim();
+    if (!key) {
+      continue;
+    }
+    const upper = key.toUpperCase();
+    // PATH is part of the security boundary (command resolution + safe-bin checks). Never allow
+    // request-scoped PATH overrides from agents/gateways.
+    if (blockPathOverrides && upper === "PATH") {
+      continue;
+    }
+    if (isDangerousHostEnvVarName(upper)) {
+      continue;
+    }
+    merged[key] = value;
+  }
+
+  return merged;
+}