refactor(security): centralize host env policy and harden env ingestion

2026-05-09 05:37:41 +00:00 · 2026-02-21 13:04:34 +01:00
parent 08e020881d
commit f202e73077
10 changed files with 201 additions and 31 deletions
--- a/src/infra/host-env-security-policy.json
+++ b/src/infra/host-env-security-policy.json
@@ -0,0 +1,18 @@
+{
+  "blockedKeys": [
+    "NODE_OPTIONS",
+    "NODE_PATH",
+    "PYTHONHOME",
+    "PYTHONPATH",
+    "PERL5LIB",
+    "PERL5OPT",
+    "RUBYLIB",
+    "RUBYOPT",
+    "BASH_ENV",
+    "ENV",
+    "GCONV_PATH",
+    "IFS",
+    "SSLKEYLOGFILE"
+  ],
+  "blockedPrefixes": ["DYLD_", "LD_", "BASH_FUNC_"]
+}