refactor(security): centralize host env policy and harden env ingestion

Peter Steinberger
2026-02-21 13:04:34 +01:00
parent 08e020881d
commit f202e73077
10 changed files with 201 additions and 31 deletions


@@ -1,7 +1,7 @@
import { isDangerousHostEnvVarName } from "../infra/host-env-security.js";
import { isDangerousHostEnvVarName, normalizeEnvVarKey } from "../infra/host-env-security.js";
import type { OpenClawConfig } from "./types.js";
export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, string> {
function collectConfigEnvVarsByTarget(cfg?: OpenClawConfig): Record<string, string> {
const envConfig = cfg?.env;
if (!envConfig) {
return {};
@@ -10,10 +10,14 @@ export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, strin
const entries: Record<string, string> = {};
if (envConfig.vars) {
for (const [key, value] of Object.entries(envConfig.vars)) {
for (const [rawKey, value] of Object.entries(envConfig.vars)) {
if (!value) {
continue;
}
const key = normalizeEnvVarKey(rawKey, { portable: true });
if (!key) {
continue;
}
if (isDangerousHostEnvVarName(key)) {
continue;
}
@@ -21,13 +25,17 @@ export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, strin
}
}
for (const [key, value] of Object.entries(envConfig)) {
if (key === "shellEnv" || key === "vars") {
for (const [rawKey, value] of Object.entries(envConfig)) {
if (rawKey === "shellEnv" || rawKey === "vars") {
continue;
}
if (typeof value !== "string" || !value.trim()) {
continue;
}
const key = normalizeEnvVarKey(rawKey, { portable: true });
if (!key) {
continue;
}
if (isDangerousHostEnvVarName(key)) {
continue;
}
@@ -37,11 +45,24 @@ export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, strin
return entries;
}
export function collectConfigRuntimeEnvVars(cfg?: OpenClawConfig): Record<string, string> {
return collectConfigEnvVarsByTarget(cfg);
}
export function collectConfigServiceEnvVars(cfg?: OpenClawConfig): Record<string, string> {
return collectConfigEnvVarsByTarget(cfg);
}
/** @deprecated Use `collectConfigRuntimeEnvVars` or `collectConfigServiceEnvVars`. */
export function collectConfigEnvVars(cfg?: OpenClawConfig): Record<string, string> {
return collectConfigRuntimeEnvVars(cfg);
}
export function applyConfigEnvVars(
cfg: OpenClawConfig,
env: NodeJS.ProcessEnv = process.env,
): void {
const entries = collectConfigEnvVars(cfg);
const entries = collectConfigRuntimeEnvVars(cfg);
for (const [key, value] of Object.entries(entries)) {
if (env[key]?.trim()) {
continue;
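Review bot: `collectConfigEnvVarsByTarget` takes no target argument, so `collectConfigRuntimeEnvVars` and `collectConfigServiceEnvVars` in the last hunk return exactly the same filtered map, and the name promises a distinction the code does not make. If the split is a seam for a later per-target policy, say so on the helper, e.g. `/** Shared filter for runtime and service env; both targets currently apply the same key normalization and dangerous-name check. */`, so a caller does not assume the service path is stricter. Separately, keys rejected by `normalizeEnvVarKey` or `isDangerousHostEnvVarName` are dropped with a bare `continue`; whether that is reported elsewhere is not visible here, but a warning that names the skipped key (never its value) would let an operator notice a blocked override. The body of `applyConfigEnvVars` continues past the end of the hunk.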