github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 22:08:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): centralize host env policy and harden env ingestion

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 13:04:34 +01:00
parent 08e020881d
commit f202e73077
10 changed files with 201 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
src/infra/host-env-security.ts
View File

@@ -1,23 +1,41 @@
const HOST_DANGEROUS_ENV_KEY_VALUES = [
"NODE_OPTIONS",
"NODE_PATH",
"PYTHONHOME",
"PYTHONPATH",
"PERL5LIB",
"PERL5OPT",
"RUBYLIB",
"RUBYOPT",
"BASH_ENV",
"ENV",
"GCONV_PATH",
"IFS",
"SSLKEYLOGFILE",
] as const;
import HOST_ENV_SECURITY_POLICY_JSON from "./host-env-security-policy.json" with { type: "json" };
const PORTABLE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
type HostEnvSecurityPolicy = {
blockedKeys: string[];
blockedPrefixes: string[];
};
const HOST_ENV_SECURITY_POLICY = HOST_ENV_SECURITY_POLICY_JSON as HostEnvSecurityPolicy;
export const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze(
HOST_ENV_SECURITY_POLICY.blockedKeys.map((key) => key.toUpperCase()),
);
export const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze(
HOST_ENV_SECURITY_POLICY.blockedPrefixes.map((prefix) => prefix.toUpperCase()),
);
export const HOST_DANGEROUS_ENV_KEYS = new Set<string>(HOST_DANGEROUS_ENV_KEY_VALUES);
export const HOST_DANGEROUS_ENV_PREFIXES = ["DYLD_", "LD_", "BASH_FUNC_"] as const;
export function isDangerousHostEnvVarName(key: string): boolean {
export function normalizeEnvVarKey(
rawKey: string,
options?: { portable?: boolean },
): string | null {
const key = rawKey.trim();
if (!key) {
return null;
}
if (options?.portable && !PORTABLE_ENV_VAR_KEY.test(key)) {
return null;
}
return key;
}
export function isDangerousHostEnvVarName(rawKey: string): boolean {
const key = normalizeEnvVarKey(rawKey);
if (!key) {
return false;
}
const upper = key.toUpperCase();
if (HOST_DANGEROUS_ENV_KEYS.has(upper)) {
return true;
@@ -39,7 +57,7 @@ export function sanitizeHostExecEnv(params?: {
if (typeof value !== "string") {
continue;
}
const key = rawKey.trim();
const key = normalizeEnvVarKey(rawKey, { portable: true });
if (!key || isDangerousHostEnvVarName(key)) {
continue;
}
@@ -54,7 +72,7 @@ export function sanitizeHostExecEnv(params?: {
if (typeof value !== "string") {
continue;
}
const key = rawKey.trim();
const key = normalizeEnvVarKey(rawKey, { portable: true });
if (!key) {
continue;
}