fix(security): harden shell env fallback startup env handling

2026-05-09 16:14:31 +00:00 · 2026-02-22 16:06:11 +01:00
parent ab1840b881
commit 9363c320d8
5 changed files with 110 additions and 7 deletions
--- a/src/config/env-vars.ts
+++ b/src/config/env-vars.ts
@@ -1,6 +1,14 @@
-import { isDangerousHostEnvVarName, normalizeEnvVarKey } from "../infra/host-env-security.js";
+import {
+  isDangerousHostEnvOverrideVarName,
+  isDangerousHostEnvVarName,
+  normalizeEnvVarKey,
+} from "../infra/host-env-security.js";
 import type { OpenClawConfig } from "./types.js";

+function isBlockedConfigEnvVar(key: string): boolean {
+  return isDangerousHostEnvVarName(key) || isDangerousHostEnvOverrideVarName(key);
+}
+
 function collectConfigEnvVarsByTarget(cfg?: OpenClawConfig): Record<string, string> {
  const envConfig = cfg?.env;
  if (!envConfig) {
@@ -18,7 +26,7 @@ function collectConfigEnvVarsByTarget(cfg?: OpenClawConfig): Record<string, stri
      if (!key) {
        continue;
      }
-      if (isDangerousHostEnvVarName(key)) {
+      if (isBlockedConfigEnvVar(key)) {
        continue;
      }
      entries[key] = value;
@@ -36,7 +44,7 @@ function collectConfigEnvVarsByTarget(cfg?: OpenClawConfig): Record<string, stri
    if (!key) {
      continue;
    }
-    if (isDangerousHostEnvVarName(key)) {
+    if (isBlockedConfigEnvVar(key)) {
      continue;
    }
    entries[key] = value;