refactor(security): centralize host env policy and harden env ingestion

2026-05-08 22:58:26 +00:00 · 2026-02-21 13:04:34 +01:00
parent 08e020881d
commit f202e73077
10 changed files with 201 additions and 31 deletions
--- a/src/infra/host-env-security.test.ts
+++ b/src/infra/host-env-security.test.ts
@@ -1,5 +1,9 @@
 import { describe, expect, it } from "vitest";
-import { isDangerousHostEnvVarName, sanitizeHostExecEnv } from "./host-env-security.js";
+import {
+  isDangerousHostEnvVarName,
+  normalizeEnvVarKey,
+  sanitizeHostExecEnv,
+} from "./host-env-security.js";

 describe("isDangerousHostEnvVarName", () => {
  it("matches dangerous keys and prefixes case-insensitively", () => {
@@ -48,4 +52,30 @@ describe("sanitizeHostExecEnv", () => {
    expect(env.SAFE).toBe("ok");
    expect(env.HOME).toBe("/tmp/home");
  });
+
+  it("drops non-portable env key names", () => {
+    const env = sanitizeHostExecEnv({
+      baseEnv: {
+        PATH: "/usr/bin:/bin",
+      },
+      overrides: {
+        " BAD KEY": "x",
+        "NOT-PORTABLE": "x",
+        GOOD_KEY: "ok",
+      },
+    });
+
+    expect(env.GOOD_KEY).toBe("ok");
+    expect(env[" BAD KEY"]).toBeUndefined();
+    expect(env["NOT-PORTABLE"]).toBeUndefined();
+  });
+});
+
+describe("normalizeEnvVarKey", () => {
+  it("normalizes and validates keys", () => {
+    expect(normalizeEnvVarKey(" OPENROUTER_API_KEY ")).toBe("OPENROUTER_API_KEY");
+    expect(normalizeEnvVarKey("NOT-PORTABLE", { portable: true })).toBeNull();
+    expect(normalizeEnvVarKey(" BASH_FUNC_echo%% ")).toBe("BASH_FUNC_echo%%");
+    expect(normalizeEnvVarKey("   ")).toBeNull();
+  });
 });