refactor(security): centralize host env policy and harden env ingestion

src/infra/host-env-security-policy.json

@@ -0,0 +1,18 @@
+{
+  "blockedKeys": [
+    "NODE_OPTIONS",
+    "NODE_PATH",
+    "PYTHONHOME",
+    "PYTHONPATH",
+    "PERL5LIB",
+    "PERL5OPT",
+    "RUBYLIB",
+    "RUBYOPT",
+    "BASH_ENV",
+    "ENV",
+    "GCONV_PATH",
+    "IFS",
+    "SSLKEYLOGFILE"
+  ],
+  "blockedPrefixes": ["DYLD_", "LD_", "BASH_FUNC_"]
+}

src/infra/host-env-security.policy-parity.test.ts

@@ -0,0 +1,38 @@
+import fs from "node:fs";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+
+type HostEnvSecurityPolicy = {
+  blockedKeys: string[];
+  blockedPrefixes: string[];
+};
+
+function parseSwiftStringArray(source: string, marker: string): string[] {
+  const escapedMarker = marker.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const re = new RegExp(`${escapedMarker}[\\s\\S]*?=\\s*\\[([\\s\\S]*?)\\]`, "m");
+  const match = source.match(re);
+  if (!match) {
+    throw new Error(`Failed to parse Swift array for marker: ${marker}`);
+  }
+  return Array.from(match[1].matchAll(/"([^"]+)"/g), (m) => m[1]);
+}
+
+describe("host env security policy parity", () => {
+  it("keeps macOS HostEnvSanitizer lists in sync with shared JSON policy", () => {
+    const repoRoot = process.cwd();
+    const policyPath = path.join(repoRoot, "src/infra/host-env-security-policy.json");
+    const swiftPath = path.join(repoRoot, "apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift");
+
+    const policy = JSON.parse(fs.readFileSync(policyPath, "utf8")) as HostEnvSecurityPolicy;
+    const swiftSource = fs.readFileSync(swiftPath, "utf8");
+
+    const swiftBlockedKeys = parseSwiftStringArray(swiftSource, "private static let blockedKeys");
+    const swiftBlockedPrefixes = parseSwiftStringArray(
+      swiftSource,
+      "private static let blockedPrefixes",
+    );
+
+    expect(swiftBlockedKeys).toEqual(policy.blockedKeys);
+    expect(swiftBlockedPrefixes).toEqual(policy.blockedPrefixes);
+  });
+});

src/infra/host-env-security.test.ts

@@ -1,5 +1,9 @@
 import { describe, expect, it } from "vitest";
-import { isDangerousHostEnvVarName, sanitizeHostExecEnv } from "./host-env-security.js";
+import {
+  isDangerousHostEnvVarName,
+  normalizeEnvVarKey,
+  sanitizeHostExecEnv,
+} from "./host-env-security.js";
 
 describe("isDangerousHostEnvVarName", () => {
   it("matches dangerous keys and prefixes case-insensitively", () => {
@@ -48,4 +52,30 @@ describe("sanitizeHostExecEnv", () => {
     expect(env.SAFE).toBe("ok");
     expect(env.HOME).toBe("/tmp/home");
   });
+
+  it("drops non-portable env key names", () => {
+    const env = sanitizeHostExecEnv({
+      baseEnv: {
+        PATH: "/usr/bin:/bin",
+      },
+      overrides: {
+        " BAD KEY": "x",
+        "NOT-PORTABLE": "x",
+        GOOD_KEY: "ok",
+      },
+    });
+
+    expect(env.GOOD_KEY).toBe("ok");
+    expect(env[" BAD KEY"]).toBeUndefined();
+    expect(env["NOT-PORTABLE"]).toBeUndefined();
+  });
+});
+
+describe("normalizeEnvVarKey", () => {
+  it("normalizes and validates keys", () => {
+    expect(normalizeEnvVarKey(" OPENROUTER_API_KEY ")).toBe("OPENROUTER_API_KEY");
+    expect(normalizeEnvVarKey("NOT-PORTABLE", { portable: true })).toBeNull();
+    expect(normalizeEnvVarKey(" BASH_FUNC_echo%% ")).toBe("BASH_FUNC_echo%%");
+    expect(normalizeEnvVarKey("   ")).toBeNull();
+  });
 });

src/infra/host-env-security.ts

@@ -1,23 +1,41 @@
-const HOST_DANGEROUS_ENV_KEY_VALUES = [
-  "NODE_OPTIONS",
-  "NODE_PATH",
-  "PYTHONHOME",
-  "PYTHONPATH",
-  "PERL5LIB",
-  "PERL5OPT",
-  "RUBYLIB",
-  "RUBYOPT",
-  "BASH_ENV",
-  "ENV",
-  "GCONV_PATH",
-  "IFS",
-  "SSLKEYLOGFILE",
-] as const;
+import HOST_ENV_SECURITY_POLICY_JSON from "./host-env-security-policy.json" with { type: "json" };
 
+const PORTABLE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+type HostEnvSecurityPolicy = {
+  blockedKeys: string[];
+  blockedPrefixes: string[];
+};
+
+const HOST_ENV_SECURITY_POLICY = HOST_ENV_SECURITY_POLICY_JSON as HostEnvSecurityPolicy;
+
+export const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze(
+  HOST_ENV_SECURITY_POLICY.blockedKeys.map((key) => key.toUpperCase()),
+);
+export const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze(
+  HOST_ENV_SECURITY_POLICY.blockedPrefixes.map((prefix) => prefix.toUpperCase()),
+);
 export const HOST_DANGEROUS_ENV_KEYS = new Set<string>(HOST_DANGEROUS_ENV_KEY_VALUES);
-export const HOST_DANGEROUS_ENV_PREFIXES = ["DYLD_", "LD_", "BASH_FUNC_"] as const;
 
-export function isDangerousHostEnvVarName(key: string): boolean {
+export function normalizeEnvVarKey(
+  rawKey: string,
+  options?: { portable?: boolean },
+): string | null {
+  const key = rawKey.trim();
+  if (!key) {
+    return null;
+  }
+  if (options?.portable && !PORTABLE_ENV_VAR_KEY.test(key)) {
+    return null;
+  }
+  return key;
+}
+
+export function isDangerousHostEnvVarName(rawKey: string): boolean {
+  const key = normalizeEnvVarKey(rawKey);
+  if (!key) {
+    return false;
+  }
   const upper = key.toUpperCase();
   if (HOST_DANGEROUS_ENV_KEYS.has(upper)) {
     return true;
@@ -39,7 +57,7 @@ export function sanitizeHostExecEnv(params?: {
     if (typeof value !== "string") {
       continue;
     }
-    const key = rawKey.trim();
+    const key = normalizeEnvVarKey(rawKey, { portable: true });
     if (!key || isDangerousHostEnvVarName(key)) {
       continue;
     }
@@ -54,7 +72,7 @@ export function sanitizeHostExecEnv(params?: {
     if (typeof value !== "string") {
       continue;
     }
-    const key = rawKey.trim();
+    const key = normalizeEnvVarKey(rawKey, { portable: true });
     if (!key) {
       continue;
     }