github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-19 08:58:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block HOME and ZDOTDIR env override injection

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 09:41:55 +01:00
parent ccc00d874c
commit c2c7114ed3
6 changed files with 55 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
View File

@@ -25,6 +25,10 @@ enum HostEnvSanitizer {
"LD_",
"BASH_FUNC_",
]
private static let blockedOverrideKeys: Set<String> = [
"HOME",
"ZDOTDIR",
]
private static func isBlocked(_ upperKey: String) -> Bool {
if self.blockedKeys.contains(upperKey) { return true }
@@ -49,6 +53,7 @@ enum HostEnvSanitizer {
// PATH is part of the security boundary (command resolution + safe-bin checks). Never
// allow request-scoped PATH overrides from agents/gateways.
if upper == "PATH" { continue }
if self.blockedOverrideKeys.contains(upper) { continue }
if self.isBlocked(upper) { continue }
merged[key] = value
}