fix(security): block HOME and ZDOTDIR env override injection

src/infra/host-env-security.ts

@@ -4,6 +4,7 @@ const PORTABLE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
 
 type HostEnvSecurityPolicy = {
   blockedKeys: string[];
+  blockedOverrideKeys?: string[];
   blockedPrefixes: string[];
 };
 
@@ -15,7 +16,13 @@ export const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze(
 export const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze(
   HOST_ENV_SECURITY_POLICY.blockedPrefixes.map((prefix) => prefix.toUpperCase()),
 );
+export const HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze(
+  (HOST_ENV_SECURITY_POLICY.blockedOverrideKeys ?? []).map((key) => key.toUpperCase()),
+);
 export const HOST_DANGEROUS_ENV_KEYS = new Set<string>(HOST_DANGEROUS_ENV_KEY_VALUES);
+export const HOST_DANGEROUS_OVERRIDE_ENV_KEYS = new Set<string>(
+  HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES,
+);
 
 export function normalizeEnvVarKey(
   rawKey: string,
@@ -43,6 +50,14 @@ export function isDangerousHostEnvVarName(rawKey: string): boolean {
   return HOST_DANGEROUS_ENV_PREFIXES.some((prefix) => upper.startsWith(prefix));
 }
 
+export function isDangerousHostEnvOverrideVarName(rawKey: string): boolean {
+  const key = normalizeEnvVarKey(rawKey);
+  if (!key) {
+    return false;
+  }
+  return HOST_DANGEROUS_OVERRIDE_ENV_KEYS.has(key.toUpperCase());
+}
+
 export function sanitizeHostExecEnv(params?: {
   baseEnv?: Record<string, string | undefined>;
   overrides?: Record<string, string> | null;
@@ -82,7 +97,7 @@ export function sanitizeHostExecEnv(params?: {
     if (blockPathOverrides && upper === "PATH") {
       continue;
     }
-    if (isDangerousHostEnvVarName(upper)) {
+    if (isDangerousHostEnvVarName(upper) || isDangerousHostEnvOverrideVarName(upper)) {
       continue;
     }
     merged[key] = value;