import { spawn } from "node:child_process"; import fs from "node:fs"; import os from "node:os"; import path from "node:path"; import { describe, expect, it } from "vitest"; import { isDangerousHostEnvOverrideVarName, isDangerousHostInheritedEnvVarName, isDangerousHostEnvVarName, normalizeEnvVarKey, sanitizeHostExecEnv, sanitizeHostExecEnvWithDiagnostics, sanitizeSystemRunEnvOverrides, } from "./host-env-security.js"; import { OPENCLAW_CLI_ENV_VALUE } from "./openclaw-exec-env.js"; function findSystemCommandPath(command: string) { if (process.platform === "win32") { return null; } for (const dir of (process.env.PATH ?? "/usr/bin:/bin").split(path.delimiter)) { if (!dir) { continue; } const candidate = path.join(dir, command); if (fs.existsSync(candidate)) { return candidate; } } return null; } function getSystemGitPath() { return findSystemCommandPath("git"); } function getSystemMakePath() { return findSystemCommandPath("make"); } function clearMarker(marker: string) { try { fs.unlinkSync(marker); } catch { // no-op } } async function runGitLsRemote(gitPath: string, target: string, env: NodeJS.ProcessEnv) { await new Promise((resolve) => { const child = spawn(gitPath, ["ls-remote", target], { env, stdio: "ignore" }); child.once("error", () => resolve()); child.once("close", () => resolve()); }); } async function runGitCommand( gitPath: string, args: string[], options?: { cwd?: string; env?: NodeJS.ProcessEnv; }, ) { await new Promise((resolve) => { const child = spawn(gitPath, args, { cwd: options?.cwd, env: options?.env, stdio: "ignore", }); child.once("error", () => resolve()); child.once("close", () => resolve()); }); } async function runGitClone( gitPath: string, source: string, destination: string, env: NodeJS.ProcessEnv, ) { await runGitCommand(gitPath, ["clone", source, destination], { env }); } async function initGitRepoWithCommits(gitPath: string, repoDir: string, commitCount: number) { await runGitCommand(gitPath, ["init", repoDir]); for (let index = 1; index <= commitCount; index += 1) { fs.writeFileSync(path.join(repoDir, `commit-${index}.txt`), `commit ${index}\n`, "utf8"); await runGitCommand(gitPath, ["-C", repoDir, "add", "."], { env: { PATH: process.env.PATH ?? "/usr/bin:/bin", }, }); await runGitCommand( gitPath, [ "-C", repoDir, "-c", "user.name=OpenClaw Test", "-c", "user.email=test@example.com", "commit", "-m", `commit ${index}`, ], { env: { PATH: process.env.PATH ?? "/usr/bin:/bin", }, }, ); } } async function runMakeCommand(makePath: string, cwd: string, env: NodeJS.ProcessEnv) { await new Promise((resolve) => { const child = spawn(makePath, ["all"], { cwd, env, stdio: "ignore", }); child.once("error", () => resolve()); child.once("close", () => resolve()); }); } describe("isDangerousHostEnvVarName", () => { it("matches dangerous keys and prefixes case-insensitively", () => { expect(isDangerousHostEnvVarName("BASH_ENV")).toBe(true); expect(isDangerousHostEnvVarName("bash_env")).toBe(true); expect(isDangerousHostEnvVarName("BROWSER")).toBe(true); expect(isDangerousHostEnvVarName("browser")).toBe(true); expect(isDangerousHostEnvVarName("SHELL")).toBe(true); expect(isDangerousHostEnvVarName("GIT_EDITOR")).toBe(true); expect(isDangerousHostEnvVarName("git_editor")).toBe(true); expect(isDangerousHostEnvVarName("GIT_EXTERNAL_DIFF")).toBe(true); expect(isDangerousHostEnvVarName("GIT_DIR")).toBe(true); expect(isDangerousHostEnvVarName("git_work_tree")).toBe(true); expect(isDangerousHostEnvVarName("GIT_COMMON_DIR")).toBe(true); expect(isDangerousHostEnvVarName("git_exec_path")).toBe(true); expect(isDangerousHostEnvVarName("GIT_INDEX_FILE")).toBe(true); expect(isDangerousHostEnvVarName("git_object_directory")).toBe(true); expect(isDangerousHostEnvVarName("git_alternate_object_directories")).toBe(true); expect(isDangerousHostEnvVarName("GIT_NAMESPACE")).toBe(true); expect(isDangerousHostEnvVarName("GIT_SEQUENCE_EDITOR")).toBe(true); expect(isDangerousHostEnvVarName("git_sequence_editor")).toBe(true); expect(isDangerousHostEnvVarName("GIT_TEMPLATE_DIR")).toBe(true); expect(isDangerousHostEnvVarName("git_template_dir")).toBe(true); expect(isDangerousHostEnvVarName("KUBECONFIG")).toBe(false); expect(isDangerousHostEnvVarName("google_application_credentials")).toBe(false); expect(isDangerousHostEnvVarName("AWS_SHARED_CREDENTIALS_FILE")).toBe(false); expect(isDangerousHostEnvVarName("aws_web_identity_token_file")).toBe(false); expect(isDangerousHostEnvVarName("AZURE_AUTH_LOCATION")).toBe(false); expect(isDangerousHostEnvVarName("CC")).toBe(true); expect(isDangerousHostEnvVarName("cxx")).toBe(true); expect(isDangerousHostEnvVarName("CARGO_BUILD_RUSTC")).toBe(true); expect(isDangerousHostEnvVarName("cargo_build_rustc")).toBe(true); expect(isDangerousHostEnvVarName("CARGO_BUILD_RUSTC_WRAPPER")).toBe(true); expect(isDangerousHostEnvVarName("cargo_build_rustc_wrapper")).toBe(true); expect(isDangerousHostEnvVarName("cargo_home")).toBe(false); expect(isDangerousHostEnvVarName("CMAKE_C_COMPILER")).toBe(true); expect(isDangerousHostEnvVarName("cmake_c_compiler")).toBe(true); expect(isDangerousHostEnvVarName("CMAKE_CXX_COMPILER")).toBe(true); expect(isDangerousHostEnvVarName("cmake_cxx_compiler")).toBe(true); expect(isDangerousHostEnvVarName("RUSTC_WRAPPER")).toBe(true); expect(isDangerousHostEnvVarName("rustc_wrapper")).toBe(true); expect(isDangerousHostEnvVarName("HELM_HOME")).toBe(false); expect(isDangerousHostEnvVarName("SHELLOPTS")).toBe(true); expect(isDangerousHostEnvVarName("ps4")).toBe(true); expect(isDangerousHostEnvVarName("DYLD_INSERT_LIBRARIES")).toBe(true); expect(isDangerousHostEnvVarName("ld_preload")).toBe(true); expect(isDangerousHostEnvVarName("BASH_FUNC_echo%%")).toBe(true); expect(isDangerousHostEnvVarName("JAVA_OPTS")).toBe(true); expect(isDangerousHostEnvVarName("java_opts")).toBe(true); expect(isDangerousHostEnvVarName("JAVA_TOOL_OPTIONS")).toBe(true); expect(isDangerousHostEnvVarName("java_tool_options")).toBe(true); expect(isDangerousHostEnvVarName("_JAVA_OPTIONS")).toBe(true); expect(isDangerousHostEnvVarName("_java_options")).toBe(true); expect(isDangerousHostEnvVarName("JDK_JAVA_OPTIONS")).toBe(true); expect(isDangerousHostEnvVarName("jdk_java_options")).toBe(true); expect(isDangerousHostEnvVarName("PYTHONBREAKPOINT")).toBe(true); expect(isDangerousHostEnvVarName("pythonbreakpoint")).toBe(true); expect(isDangerousHostEnvVarName("DOTNET_STARTUP_HOOKS")).toBe(true); expect(isDangerousHostEnvVarName("dotnet_startup_hooks")).toBe(true); expect(isDangerousHostEnvVarName("DOTNET_ADDITIONAL_DEPS")).toBe(true); expect(isDangerousHostEnvVarName("dotnet_additional_deps")).toBe(true); expect(isDangerousHostEnvVarName("GLIBC_TUNABLES")).toBe(true); expect(isDangerousHostEnvVarName("glibc_tunables")).toBe(true); expect(isDangerousHostEnvVarName("MAVEN_OPTS")).toBe(true); expect(isDangerousHostEnvVarName("maven_opts")).toBe(true); expect(isDangerousHostEnvVarName("MAKEFLAGS")).toBe(true); expect(isDangerousHostEnvVarName("makeflags")).toBe(true); expect(isDangerousHostEnvVarName("MFLAGS")).toBe(true); expect(isDangerousHostEnvVarName("mflags")).toBe(true); expect(isDangerousHostEnvVarName("SBT_OPTS")).toBe(true); expect(isDangerousHostEnvVarName("sbt_opts")).toBe(true); expect(isDangerousHostEnvVarName("GRADLE_OPTS")).toBe(true); expect(isDangerousHostEnvVarName("gradle_opts")).toBe(true); expect(isDangerousHostEnvVarName("ANT_OPTS")).toBe(true); expect(isDangerousHostEnvVarName("ant_opts")).toBe(true); expect(isDangerousHostEnvVarName("HGRCPATH")).toBe(true); expect(isDangerousHostEnvVarName("hgrcpath")).toBe(true); expect(isDangerousHostEnvVarName("HTTPS_PROXY")).toBe(false); expect(isDangerousHostEnvVarName("https_proxy")).toBe(false); expect(isDangerousHostEnvVarName("HTTP_PROXY")).toBe(false); expect(isDangerousHostEnvVarName("http_proxy")).toBe(false); expect(isDangerousHostEnvVarName("ALL_PROXY")).toBe(false); expect(isDangerousHostEnvVarName("no_proxy")).toBe(false); expect(isDangerousHostEnvVarName("NODE_TLS_REJECT_UNAUTHORIZED")).toBe(false); expect(isDangerousHostEnvVarName("node_extra_ca_certs")).toBe(false); expect(isDangerousHostEnvVarName("SSL_CERT_FILE")).toBe(false); expect(isDangerousHostEnvVarName("SSL_CERT_DIR")).toBe(false); expect(isDangerousHostEnvVarName("requests_ca_bundle")).toBe(false); expect(isDangerousHostEnvVarName("CURL_CA_BUNDLE")).toBe(false); expect(isDangerousHostEnvVarName("DOCKER_HOST")).toBe(false); expect(isDangerousHostEnvVarName("docker_cert_path")).toBe(false); expect(isDangerousHostEnvVarName("DOCKER_TLS_VERIFY")).toBe(false); expect(isDangerousHostEnvVarName("CARGO_REGISTRIES_CRATES_IO_INDEX")).toBe(false); expect(isDangerousHostEnvVarName("AWS_CONFIG_FILE")).toBe(false); expect(isDangerousHostEnvVarName("aws_config_file")).toBe(false); expect(isDangerousHostEnvVarName("yarn_rc_filename")).toBe(false); expect(isDangerousHostEnvVarName("PATH")).toBe(false); expect(isDangerousHostEnvVarName("FOO")).toBe(false); expect(isDangerousHostEnvVarName("GRADLE_USER_HOME")).toBe(false); }); it("blocks newly added startup, orchestration, and resolver env keys", () => { const keys = [ "VIMINIT", "EXINIT", "MYVIMRC", "GVIMINIT", "LUA_INIT", "LUA_INIT_5_4", "HOSTALIASES", "CONFIG_SITE", "CONFIG_SHELL", "CMAKE_TOOLCHAIN_FILE", "ERL_AFLAGS", "ERL_FLAGS", "ERL_ZFLAGS", "R_ENVIRON", "R_PROFILE_USER", ] as const; for (const key of keys) { expect(isDangerousHostEnvVarName(key)).toBe(true); expect(isDangerousHostEnvVarName(key.toLowerCase())).toBe(true); } expect(isDangerousHostEnvVarName("ANSIBLE_CONFIG")).toBe(false); expect(isDangerousHostEnvVarName("ANSIBLE_LIBRARY")).toBe(false); expect(isDangerousHostEnvVarName("TF_CLI_CONFIG_FILE")).toBe(false); expect(isDangerousHostEnvVarName("AWS_CONTAINER_CREDENTIALS_FULL_URI")).toBe(false); expect(isDangerousHostEnvVarName("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")).toBe(false); }); }); describe("isDangerousHostInheritedEnvVarName", () => { it("blocks inherited keys from both policy buckets while preserving explicit inherited allowlist keys", () => { expect(isDangerousHostInheritedEnvVarName("BASH_ENV")).toBe(true); expect(isDangerousHostInheritedEnvVarName("bash_env")).toBe(true); expect(isDangerousHostInheritedEnvVarName("ANSIBLE_CONFIG")).toBe(true); expect(isDangerousHostInheritedEnvVarName("ansible_library")).toBe(true); expect(isDangerousHostInheritedEnvVarName("TF_CLI_CONFIG_FILE")).toBe(true); expect(isDangerousHostInheritedEnvVarName("TF_VAR_admin_cidr")).toBe(false); expect(isDangerousHostInheritedEnvVarName("AWS_CONTAINER_CREDENTIALS_FULL_URI")).toBe(true); expect(isDangerousHostInheritedEnvVarName("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")).toBe(true); expect(isDangerousHostInheritedEnvVarName("KUBECONFIG")).toBe(false); expect(isDangerousHostInheritedEnvVarName("GOOGLE_APPLICATION_CREDENTIALS")).toBe(false); expect(isDangerousHostInheritedEnvVarName("AWS_SHARED_CREDENTIALS_FILE")).toBe(false); expect(isDangerousHostInheritedEnvVarName("AWS_WEB_IDENTITY_TOKEN_FILE")).toBe(false); expect(isDangerousHostInheritedEnvVarName("AWS_CONFIG_FILE")).toBe(false); expect(isDangerousHostInheritedEnvVarName("AZURE_AUTH_LOCATION")).toBe(false); expect(isDangerousHostInheritedEnvVarName("SSH_AUTH_SOCK")).toBe(false); expect(isDangerousHostInheritedEnvVarName("DOCKER_CONTEXT")).toBe(false); expect(isDangerousHostInheritedEnvVarName("GIT_CONFIG_GLOBAL")).toBe(false); expect(isDangerousHostInheritedEnvVarName("NPM_CONFIG_USERCONFIG")).toBe(false); expect(isDangerousHostInheritedEnvVarName("CARGO_REGISTRIES_CRATES_IO_INDEX")).toBe(false); expect(isDangerousHostInheritedEnvVarName("HTTP_PROXY")).toBe(false); expect(isDangerousHostInheritedEnvVarName("https_proxy")).toBe(false); expect(isDangerousHostInheritedEnvVarName("SSL_CERT_FILE")).toBe(false); expect(isDangerousHostInheritedEnvVarName("node_extra_ca_certs")).toBe(false); expect(isDangerousHostInheritedEnvVarName("HOME")).toBe(false); expect(isDangerousHostInheritedEnvVarName("FOO")).toBe(false); }); }); describe("sanitizeHostExecEnv", () => { it("removes dangerous inherited keys while preserving PATH", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", BASH_ENV: "/tmp/pwn.sh", BROWSER: "/tmp/pwn-browser", GIT_EDITOR: "/tmp/pwn-editor", GIT_EXTERNAL_DIFF: "/tmp/pwn.sh", GIT_DIR: "/tmp/evil-git-dir", GIT_WORK_TREE: "/tmp/evil-work-tree", GIT_COMMON_DIR: "/tmp/evil-common-dir", GIT_TEMPLATE_DIR: "/tmp/git-template", GIT_INDEX_FILE: "/tmp/evil-git-index", GIT_OBJECT_DIRECTORY: "/tmp/evil-git-objects", GIT_ALTERNATE_OBJECT_DIRECTORIES: "/tmp/evil-git-alt-objects", GIT_NAMESPACE: "evil-namespace", GIT_SEQUENCE_EDITOR: "/tmp/pwn-sequence-editor", HGRCPATH: "/tmp/evil-hgrc", CARGO_BUILD_RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper", RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper", JAVA_OPTS: "-javaagent:/tmp/evil.jar", MAKEFLAGS: "--eval=$(shell touch /tmp/pwned)", MFLAGS: "--eval=$(shell touch /tmp/pwned-too)", KUBECONFIG: "/tmp/kubeconfig", GOOGLE_APPLICATION_CREDENTIALS: "/tmp/gcp.json", AWS_SHARED_CREDENTIALS_FILE: "/tmp/aws-credentials", AWS_WEB_IDENTITY_TOKEN_FILE: "/tmp/aws-web-token", AZURE_AUTH_LOCATION: "/tmp/azure-auth.json", AWS_CONFIG_FILE: "/tmp/aws-config", SSH_AUTH_SOCK: "/tmp/trusted-ssh-agent.sock", CARGO_HOME: "/tmp/cargo", HELM_HOME: "/tmp/helm", HTTP_PROXY: "http://proxy.example.test:8080", HTTPS_PROXY: "http://proxy.example.test:8443", SSL_CERT_FILE: "/tmp/evil-cert.pem", SSL_CERT_DIR: "/tmp/evil-cert-dir", DOCKER_CONTEXT: "trusted-remote", DOCKER_HOST: "tcp://docker.example.test:2376", LD_PRELOAD: "/tmp/pwn.so", OK: "1", }, }); expect(env).toEqual({ OPENCLAW_CLI: OPENCLAW_CLI_ENV_VALUE, PATH: "/usr/bin:/bin", AWS_CONFIG_FILE: "/tmp/aws-config", KUBECONFIG: "/tmp/kubeconfig", GOOGLE_APPLICATION_CREDENTIALS: "/tmp/gcp.json", AWS_SHARED_CREDENTIALS_FILE: "/tmp/aws-credentials", AWS_WEB_IDENTITY_TOKEN_FILE: "/tmp/aws-web-token", AZURE_AUTH_LOCATION: "/tmp/azure-auth.json", SSH_AUTH_SOCK: "/tmp/trusted-ssh-agent.sock", HTTP_PROXY: "http://proxy.example.test:8080", HTTPS_PROXY: "http://proxy.example.test:8443", SSL_CERT_FILE: "/tmp/evil-cert.pem", SSL_CERT_DIR: "/tmp/evil-cert-dir", DOCKER_CONTEXT: "trusted-remote", DOCKER_HOST: "tcp://docker.example.test:2376", OK: "1", }); }); it("blocks PATH and dangerous override values", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", HOME: "/tmp/trusted-home", ZDOTDIR: "/tmp/trusted-zdotdir", CARGO_REGISTRIES_CRATES_IO_INDEX: "https://trusted.example/crates.io-index", YARN_RC_FILENAME: ".trusted-yarnrc.yml", }, overrides: { PATH: "/tmp/evil", HOME: "/tmp/evil-home", ZDOTDIR: "/tmp/evil-zdotdir", BASH_ENV: "/tmp/pwn.sh", BROWSER: "/tmp/browser", CC: "/tmp/evil-cc", CXX: "/tmp/evil-cxx", CARGO_BUILD_RUSTC: "/tmp/evil-rustc", CARGO_BUILD_RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper", CMAKE_C_COMPILER: "/tmp/evil-c-compiler", CMAKE_CXX_COMPILER: "/tmp/evil-cxx-compiler", RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper", HGRCPATH: "/tmp/evil-hgrc", GIT_SSH_COMMAND: "touch /tmp/pwned", GIT_EDITOR: "/tmp/git-editor", GIT_DIR: "/tmp/evil-git-dir", GIT_WORK_TREE: "/tmp/evil-work-tree", GIT_COMMON_DIR: "/tmp/evil-common-dir", GIT_EXEC_PATH: "/tmp/git-exec-path", GIT_INDEX_FILE: "/tmp/evil-git-index", GIT_OBJECT_DIRECTORY: "/tmp/evil-git-objects", GIT_ALTERNATE_OBJECT_DIRECTORIES: "/tmp/evil-git-alt-objects", GIT_NAMESPACE: "evil-namespace", GIT_SEQUENCE_EDITOR: "/tmp/git-sequence-editor", EDITOR: "/tmp/editor", NPM_CONFIG_USERCONFIG: "/tmp/npmrc", GIT_CONFIG_GLOBAL: "/tmp/gitconfig", CARGO_REGISTRIES_CRATES_IO_INDEX: "https://example.invalid/crates.io-index", AWS_CONFIG_FILE: "/tmp/override-aws-config", YARN_RC_FILENAME: ".evil-yarnrc.yml", KUBECONFIG: "/tmp/override-kubeconfig", GOOGLE_APPLICATION_CREDENTIALS: "/tmp/override-gcp.json", AWS_SHARED_CREDENTIALS_FILE: "/tmp/override-aws-credentials", AWS_WEB_IDENTITY_TOKEN_FILE: "/tmp/override-aws-web-token", AZURE_AUTH_LOCATION: "/tmp/override-azure-auth.json", PIP_INDEX_URL: "https://example.invalid/simple", PIP_PYPI_URL: "https://example.invalid/simple", PIP_EXTRA_INDEX_URL: "https://example.invalid/simple", PIP_CONFIG_FILE: "/tmp/evil-pip.conf", PIP_FIND_LINKS: "https://example.invalid/wheels", PIP_TRUSTED_HOST: "example.invalid", UV_INDEX: "https://example.invalid/simple", UV_INDEX_URL: "https://example.invalid/simple", UV_PYTHON: "/tmp/evil-uv-python", UV_DEFAULT_INDEX: "https://example.invalid/simple", UV_EXTRA_INDEX_URL: "https://example.invalid/simple", DOCKER_HOST: "tcp://example.invalid:2376", DOCKER_TLS_VERIFY: "1", DOCKER_CERT_PATH: "/tmp/evil-docker-certs", DOCKER_CONTEXT: "evil-remote", LIBRARY_PATH: "/tmp/evil-lib", CPATH: "/tmp/evil-headers", C_INCLUDE_PATH: "/tmp/evil-c-headers", CPLUS_INCLUDE_PATH: "/tmp/evil-cpp-headers", OBJC_INCLUDE_PATH: "/tmp/evil-objc-headers", HELM_HOME: "/tmp/override-helm", NODE_EXTRA_CA_CERTS: "/tmp/evil-ca.pem", SSL_CERT_FILE: "/tmp/evil-cert.pem", SSL_CERT_DIR: "/tmp/evil-cert-dir", REQUESTS_CA_BUNDLE: "/tmp/evil-requests-ca.pem", CURL_CA_BUNDLE: "/tmp/evil-curl-ca.pem", GIT_SSL_NO_VERIFY: "1", GIT_SSL_CAINFO: "/tmp/evil-git-ca.pem", GIT_SSL_CAPATH: "/tmp/evil-git-ca-dir", GOPROXY: "https://example.invalid/proxy", GONOSUMCHECK: "example.invalid/*", GONOSUMDB: "example.invalid/*", GONOPROXY: "example.invalid/*", GOPRIVATE: "example.invalid/*", GOENV: "/tmp/evil-goenv", GOPATH: "/tmp/evil-go", PYTHONUSERBASE: "/tmp/evil-python-userbase", VIRTUAL_ENV: "/tmp/evil-venv", SHELLOPTS: "xtrace", PS4: "$(touch /tmp/pwned)", CLASSPATH: "/tmp/evil-classpath", JAVA_OPTS: "-javaagent:/tmp/evil.jar", GOFLAGS: "-mod=mod", RUSTFLAGS: "-C link-args=-l/tmp/evil.so", MAKEFLAGS: "--eval=$(shell touch /tmp/pwned)", MFLAGS: "--eval=$(shell touch /tmp/pwned-too)", PHPRC: "/tmp/evil-php.ini", XDG_CONFIG_HOME: "/tmp/evil-config", SAFE: "ok", }, }); expect(env.PATH).toBe("/usr/bin:/bin"); expect(env.OPENCLAW_CLI).toBe(OPENCLAW_CLI_ENV_VALUE); expect(env.BASH_ENV).toBeUndefined(); expect(env.BROWSER).toBeUndefined(); expect(env.GIT_EDITOR).toBeUndefined(); expect(env.GIT_DIR).toBeUndefined(); expect(env.GIT_WORK_TREE).toBeUndefined(); expect(env.GIT_COMMON_DIR).toBeUndefined(); expect(env.CC).toBeUndefined(); expect(env.CXX).toBeUndefined(); expect(env.CARGO_BUILD_RUSTC).toBeUndefined(); expect(env.CARGO_BUILD_RUSTC_WRAPPER).toBeUndefined(); expect(env.CMAKE_C_COMPILER).toBeUndefined(); expect(env.CMAKE_CXX_COMPILER).toBeUndefined(); expect(env.RUSTC_WRAPPER).toBeUndefined(); expect(env.HGRCPATH).toBeUndefined(); expect(env.GIT_TEMPLATE_DIR).toBeUndefined(); expect(env.GIT_INDEX_FILE).toBeUndefined(); expect(env.GIT_OBJECT_DIRECTORY).toBeUndefined(); expect(env.GIT_ALTERNATE_OBJECT_DIRECTORIES).toBeUndefined(); expect(env.GIT_NAMESPACE).toBeUndefined(); expect(env.GIT_SEQUENCE_EDITOR).toBeUndefined(); expect(env.AWS_CONFIG_FILE).toBeUndefined(); expect(env.KUBECONFIG).toBeUndefined(); expect(env.GOOGLE_APPLICATION_CREDENTIALS).toBeUndefined(); expect(env.AWS_SHARED_CREDENTIALS_FILE).toBeUndefined(); expect(env.AWS_WEB_IDENTITY_TOKEN_FILE).toBeUndefined(); expect(env.AZURE_AUTH_LOCATION).toBeUndefined(); expect(env.GIT_SSH_COMMAND).toBeUndefined(); expect(env.GIT_EXEC_PATH).toBeUndefined(); expect(env.EDITOR).toBeUndefined(); expect(env.NPM_CONFIG_USERCONFIG).toBeUndefined(); expect(env.GIT_CONFIG_GLOBAL).toBeUndefined(); expect(env.CARGO_REGISTRIES_CRATES_IO_INDEX).toBe("https://trusted.example/crates.io-index"); expect(env.SHELLOPTS).toBeUndefined(); expect(env.PS4).toBeUndefined(); expect(env.CLASSPATH).toBeUndefined(); expect(env.JAVA_OPTS).toBeUndefined(); expect(env.GOFLAGS).toBeUndefined(); expect(env.RUSTFLAGS).toBeUndefined(); expect(env.MAKEFLAGS).toBeUndefined(); expect(env.MFLAGS).toBeUndefined(); expect(env.PHPRC).toBeUndefined(); expect(env.XDG_CONFIG_HOME).toBeUndefined(); expect(env.YARN_RC_FILENAME).toBeUndefined(); expect(env.PIP_INDEX_URL).toBeUndefined(); expect(env.PIP_PYPI_URL).toBeUndefined(); expect(env.PIP_EXTRA_INDEX_URL).toBeUndefined(); expect(env.PIP_CONFIG_FILE).toBeUndefined(); expect(env.PIP_FIND_LINKS).toBeUndefined(); expect(env.PIP_TRUSTED_HOST).toBeUndefined(); expect(env.UV_INDEX).toBeUndefined(); expect(env.UV_INDEX_URL).toBeUndefined(); expect(env.UV_PYTHON).toBeUndefined(); expect(env.UV_DEFAULT_INDEX).toBeUndefined(); expect(env.UV_EXTRA_INDEX_URL).toBeUndefined(); expect(env.DOCKER_HOST).toBeUndefined(); expect(env.DOCKER_TLS_VERIFY).toBeUndefined(); expect(env.DOCKER_CERT_PATH).toBeUndefined(); expect(env.DOCKER_CONTEXT).toBeUndefined(); expect(env.LIBRARY_PATH).toBeUndefined(); expect(env.CPATH).toBeUndefined(); expect(env.C_INCLUDE_PATH).toBeUndefined(); expect(env.CPLUS_INCLUDE_PATH).toBeUndefined(); expect(env.OBJC_INCLUDE_PATH).toBeUndefined(); expect(env.NODE_EXTRA_CA_CERTS).toBeUndefined(); expect(env.SSL_CERT_FILE).toBeUndefined(); expect(env.SSL_CERT_DIR).toBeUndefined(); expect(env.REQUESTS_CA_BUNDLE).toBeUndefined(); expect(env.CURL_CA_BUNDLE).toBeUndefined(); expect(env.GOPROXY).toBeUndefined(); expect(env.GONOSUMCHECK).toBeUndefined(); expect(env.GONOSUMDB).toBeUndefined(); expect(env.GONOPROXY).toBeUndefined(); expect(env.GOPRIVATE).toBeUndefined(); expect(env.GOENV).toBeUndefined(); expect(env.GOPATH).toBeUndefined(); expect(env.CARGO_HOME).toBeUndefined(); expect(env.HELM_HOME).toBeUndefined(); expect(env.PYTHONUSERBASE).toBeUndefined(); expect(env.VIRTUAL_ENV).toBeUndefined(); expect(env.SAFE).toBe("ok"); expect(env.HOME).toBe("/tmp/trusted-home"); expect(env.ZDOTDIR).toBe("/tmp/trusted-zdotdir"); }); it("drops inherited vars blocked by either policy bucket and keeps explicit inherited allowlist keys", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", HTTPS_PROXY: "http://trusted-proxy.example.test:8443", KUBECONFIG: "/tmp/trusted-kubeconfig", GOOGLE_APPLICATION_CREDENTIALS: "/tmp/trusted-gcp.json", AWS_SHARED_CREDENTIALS_FILE: "/tmp/trusted-aws-credentials", AWS_WEB_IDENTITY_TOKEN_FILE: "/tmp/trusted-aws-web-token", AWS_CONFIG_FILE: "/tmp/trusted-aws-config", AZURE_AUTH_LOCATION: "/tmp/trusted-azure-auth.json", SSH_AUTH_SOCK: "/tmp/trusted-ssh-agent.sock", DOCKER_CONTEXT: "trusted-remote", VIMINIT: ":!touch /tmp/pwned", EXINIT: "silent !touch /tmp/pwned", LUA_INIT_5_4: "os.execute('touch /tmp/pwned')", HOSTALIASES: "/tmp/evil-hostaliases", AWS_CONTAINER_CREDENTIALS_FULL_URI: "http://169.254.170.2/credentials", AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/v2/credentials/abcd", CONFIG_SITE: "/tmp/evil-config-site", ANSIBLE_CONFIG: "/tmp/evil-ansible.cfg", R_PROFILE_USER: "/tmp/evil-Rprofile", ERL_AFLAGS: "-eval 'os:cmd(\"id\")'", TF_CLI_CONFIG_FILE: "/tmp/evil-terraformrc", TF_VAR_admin_cidr: "10.0.0.0/24", SAFE: "1", }, }); expect(env.PATH).toBe("/usr/bin:/bin"); expect(env.OPENCLAW_CLI).toBe(OPENCLAW_CLI_ENV_VALUE); expect(env.VIMINIT).toBeUndefined(); expect(env.EXINIT).toBeUndefined(); expect(env.LUA_INIT_5_4).toBeUndefined(); expect(env.HOSTALIASES).toBeUndefined(); expect(env.HTTPS_PROXY).toBe("http://trusted-proxy.example.test:8443"); expect(env.KUBECONFIG).toBe("/tmp/trusted-kubeconfig"); expect(env.GOOGLE_APPLICATION_CREDENTIALS).toBe("/tmp/trusted-gcp.json"); expect(env.AWS_SHARED_CREDENTIALS_FILE).toBe("/tmp/trusted-aws-credentials"); expect(env.AWS_WEB_IDENTITY_TOKEN_FILE).toBe("/tmp/trusted-aws-web-token"); expect(env.AWS_CONFIG_FILE).toBe("/tmp/trusted-aws-config"); expect(env.AZURE_AUTH_LOCATION).toBe("/tmp/trusted-azure-auth.json"); expect(env.SSH_AUTH_SOCK).toBe("/tmp/trusted-ssh-agent.sock"); expect(env.DOCKER_CONTEXT).toBe("trusted-remote"); expect(env.AWS_CONTAINER_CREDENTIALS_FULL_URI).toBeUndefined(); expect(env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).toBeUndefined(); expect(env.CONFIG_SITE).toBeUndefined(); expect(env.ANSIBLE_CONFIG).toBeUndefined(); expect(env.R_PROFILE_USER).toBeUndefined(); expect(env.ERL_AFLAGS).toBeUndefined(); expect(env.TF_CLI_CONFIG_FILE).toBeUndefined(); expect(env.TF_VAR_admin_cidr).toBe("10.0.0.0/24"); expect(env.SAFE).toBe("1"); }); it("drops newly blocked override credential and startup vars", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", }, overrides: { VIMINIT: ":!touch /tmp/pwned", HOSTALIASES: "/tmp/evil-hostaliases", AWS_CONTAINER_CREDENTIALS_FULL_URI: "http://attacker/credentials", AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/attacker-credentials", ANSIBLE_CONFIG: "/tmp/override-ansible.cfg", ANSIBLE_REMOTE_TEMP: "/tmp/evil-ansible-remote", R_LIBS_USER: "/tmp/evil-r-libs-user", TF_CLI_CONFIG_FILE: "/tmp/override-terraformrc", TF_PLUGIN_CACHE_DIR: "/tmp/evil-tf-plugin-cache", CFLAGS: "-I/attacker/include", LDFLAGS: "-L/attacker/lib", XDG_CONFIG_DIRS: "/tmp/evil-config-dirs", TF_VAR_admin_cidr: "10.0.0.0/24", GITHUB_TOKEN: "ghp-test", DATABASE_URL: "postgres://attacker", NPM_TOKEN: "npm-test", SSH_AUTH_SOCK: "/tmp/evil-agent.sock", SAFE: "ok", }, }); expect(env.PATH).toBe("/usr/bin:/bin"); expect(env.OPENCLAW_CLI).toBe(OPENCLAW_CLI_ENV_VALUE); expect(env.VIMINIT).toBeUndefined(); expect(env.HOSTALIASES).toBeUndefined(); expect(env.AWS_CONTAINER_CREDENTIALS_FULL_URI).toBeUndefined(); expect(env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).toBeUndefined(); expect(env.ANSIBLE_CONFIG).toBeUndefined(); expect(env.ANSIBLE_REMOTE_TEMP).toBeUndefined(); expect(env.R_LIBS_USER).toBeUndefined(); expect(env.TF_CLI_CONFIG_FILE).toBeUndefined(); expect(env.TF_PLUGIN_CACHE_DIR).toBeUndefined(); expect(env.CFLAGS).toBeUndefined(); expect(env.LDFLAGS).toBeUndefined(); expect(env.XDG_CONFIG_DIRS).toBeUndefined(); expect(env.TF_VAR_admin_cidr).toBeUndefined(); expect(env.GITHUB_TOKEN).toBeUndefined(); expect(env.DATABASE_URL).toBeUndefined(); expect(env.NPM_TOKEN).toBeUndefined(); expect(env.SSH_AUTH_SOCK).toBeUndefined(); expect(env.SAFE).toBe("ok"); }); it("keeps trusted inherited proxy and TLS env while blocking overrides", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", HTTP_PROXY: "http://trusted-proxy.example.test:8080", HTTPS_PROXY: "http://trusted-proxy.example.test:8443", NODE_TLS_REJECT_UNAUTHORIZED: "0", SSL_CERT_DIR: "/etc/ssl/certs", CURL_CA_BUNDLE: "/etc/ssl/cert.pem", DOCKER_TLS_VERIFY: "1", }, overrides: { HTTP_PROXY: "http://evil-proxy.example.test:8080", NODE_TLS_REJECT_UNAUTHORIZED: "1", DOCKER_TLS_VERIFY: "0", }, }); expect(env).toEqual({ OPENCLAW_CLI: OPENCLAW_CLI_ENV_VALUE, PATH: "/usr/bin:/bin", HTTP_PROXY: "http://trusted-proxy.example.test:8080", HTTPS_PROXY: "http://trusted-proxy.example.test:8443", NODE_TLS_REJECT_UNAUTHORIZED: "0", SSL_CERT_DIR: "/etc/ssl/certs", CURL_CA_BUNDLE: "/etc/ssl/cert.pem", DOCKER_TLS_VERIFY: "1", }); }); it("blocks proxy, TLS, and Docker override values explicitly", () => { expect(isDangerousHostEnvOverrideVarName("HTTPS_PROXY")).toBe(true); expect(isDangerousHostEnvOverrideVarName("https_proxy")).toBe(true); expect(isDangerousHostEnvOverrideVarName("HTTP_PROXY")).toBe(true); expect(isDangerousHostEnvOverrideVarName("http_proxy")).toBe(true); expect(isDangerousHostEnvOverrideVarName("ALL_PROXY")).toBe(true); expect(isDangerousHostEnvOverrideVarName("no_proxy")).toBe(true); expect(isDangerousHostEnvOverrideVarName("NODE_TLS_REJECT_UNAUTHORIZED")).toBe(true); expect(isDangerousHostEnvOverrideVarName("node_extra_ca_certs")).toBe(true); expect(isDangerousHostEnvOverrideVarName("SSL_CERT_FILE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("SSL_CERT_DIR")).toBe(true); expect(isDangerousHostEnvOverrideVarName("requests_ca_bundle")).toBe(true); expect(isDangerousHostEnvOverrideVarName("CURL_CA_BUNDLE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("DOCKER_HOST")).toBe(true); expect(isDangerousHostEnvOverrideVarName("docker_cert_path")).toBe(true); expect(isDangerousHostEnvOverrideVarName("DOCKER_TLS_VERIFY")).toBe(true); }); it("drops dangerous inherited shell trace keys", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", SHELLOPTS: "xtrace", PS4: "$(touch /tmp/pwned)", OK: "1", }, }); expect(env.PATH).toBe("/usr/bin:/bin"); expect(env.OPENCLAW_CLI).toBe(OPENCLAW_CLI_ENV_VALUE); expect(env.OK).toBe("1"); expect(env.SHELLOPTS).toBeUndefined(); expect(env.PS4).toBeUndefined(); }); it("drops non-portable env key names", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", }, overrides: { " BAD KEY": "x", "NOT-PORTABLE": "x", GOOD_KEY: "ok", }, }); expect(env.GOOD_KEY).toBe("ok"); expect(env.OPENCLAW_CLI).toBe(OPENCLAW_CLI_ENV_VALUE); expect(env[" BAD KEY"]).toBeUndefined(); expect(env["NOT-PORTABLE"]).toBeUndefined(); }); it("can allow PATH overrides when explicitly opted out of blocking", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", }, overrides: { PATH: "/custom/bin", }, blockPathOverrides: false, }); expect(env.PATH).toBe("/custom/bin"); expect(env.OPENCLAW_CLI).toBe(OPENCLAW_CLI_ENV_VALUE); }); it("drops non-string inherited values while preserving non-portable inherited keys", () => { const env = sanitizeHostExecEnv({ baseEnv: { PATH: "/usr/bin:/bin", GOOD: "1", BAD_NUMBER: 1 as any, "NOT-PORTABLE": "x", "ProgramFiles(x86)": "C:\\Program Files (x86)", }, }); expect(env).toEqual({ OPENCLAW_CLI: OPENCLAW_CLI_ENV_VALUE, PATH: "/usr/bin:/bin", GOOD: "1", "NOT-PORTABLE": "x", "ProgramFiles(x86)": "C:\\Program Files (x86)", }); }); }); describe("isDangerousHostEnvOverrideVarName", () => { it("matches override-only blocked keys case-insensitively", () => { expect(isDangerousHostEnvOverrideVarName("HOME")).toBe(true); expect(isDangerousHostEnvOverrideVarName("zdotdir")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GIT_DIR")).toBe(true); expect(isDangerousHostEnvOverrideVarName("git_work_tree")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GIT_COMMON_DIR")).toBe(true); expect(isDangerousHostEnvOverrideVarName("git_index_file")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GIT_OBJECT_DIRECTORY")).toBe(true); expect(isDangerousHostEnvOverrideVarName("git_alternate_object_directories")).toBe(true); expect(isDangerousHostEnvOverrideVarName("git_namespace")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GIT_SSH_COMMAND")).toBe(true); expect(isDangerousHostEnvOverrideVarName("editor")).toBe(true); expect(isDangerousHostEnvOverrideVarName("NPM_CONFIG_USERCONFIG")).toBe(true); expect(isDangerousHostEnvOverrideVarName("git_config_global")).toBe(true); expect(isDangerousHostEnvOverrideVarName("CARGO_REGISTRIES_CRATES_IO_INDEX")).toBe(true); expect(isDangerousHostEnvOverrideVarName("cargo_registries_internal_index")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GRADLE_USER_HOME")).toBe(true); expect(isDangerousHostEnvOverrideVarName("gradle_user_home")).toBe(true); expect(isDangerousHostEnvOverrideVarName("PIP_INDEX_URL")).toBe(true); expect(isDangerousHostEnvOverrideVarName("pip_config_file")).toBe(true); expect(isDangerousHostEnvOverrideVarName("PIP_FIND_LINKS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("pip_trusted_host")).toBe(true); expect(isDangerousHostEnvOverrideVarName("pip_pypi_url")).toBe(true); expect(isDangerousHostEnvOverrideVarName("PIP_EXTRA_INDEX_URL")).toBe(true); expect(isDangerousHostEnvOverrideVarName("UV_INDEX")).toBe(true); expect(isDangerousHostEnvOverrideVarName("UV_INDEX_URL")).toBe(true); expect(isDangerousHostEnvOverrideVarName("uv_python")).toBe(true); expect(isDangerousHostEnvOverrideVarName("uv_default_index")).toBe(true); expect(isDangerousHostEnvOverrideVarName("UV_EXTRA_INDEX_URL")).toBe(true); expect(isDangerousHostEnvOverrideVarName("DOCKER_HOST")).toBe(true); expect(isDangerousHostEnvOverrideVarName("docker_context")).toBe(true); expect(isDangerousHostEnvOverrideVarName("NODE_EXTRA_CA_CERTS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("ssl_cert_file")).toBe(true); expect(isDangerousHostEnvOverrideVarName("REQUESTS_CA_BUNDLE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("curl_ca_bundle")).toBe(true); expect(isDangerousHostEnvOverrideVarName("LIBRARY_PATH")).toBe(true); expect(isDangerousHostEnvOverrideVarName("c_include_path")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GOPROXY")).toBe(true); expect(isDangerousHostEnvOverrideVarName("gonosumdb")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GOPRIVATE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("goenv")).toBe(true); expect(isDangerousHostEnvOverrideVarName("PYTHONUSERBASE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("virtual_env")).toBe(true); expect(isDangerousHostEnvOverrideVarName("KUBECONFIG")).toBe(true); expect(isDangerousHostEnvOverrideVarName("google_application_credentials")).toBe(true); expect(isDangerousHostEnvOverrideVarName("AWS_SHARED_CREDENTIALS_FILE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("aws_web_identity_token_file")).toBe(true); expect(isDangerousHostEnvOverrideVarName("AZURE_AUTH_LOCATION")).toBe(true); expect(isDangerousHostEnvOverrideVarName("cargo_home")).toBe(true); expect(isDangerousHostEnvOverrideVarName("HELM_HOME")).toBe(true); expect(isDangerousHostEnvOverrideVarName("CLASSPATH")).toBe(true); expect(isDangerousHostEnvOverrideVarName("classpath")).toBe(true); expect(isDangerousHostEnvOverrideVarName("MAKEFLAGS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("makeflags")).toBe(true); expect(isDangerousHostEnvOverrideVarName("MFLAGS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("mflags")).toBe(true); expect(isDangerousHostEnvOverrideVarName("GOFLAGS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("goflags")).toBe(true); expect(isDangerousHostEnvOverrideVarName("HGRCPATH")).toBe(true); expect(isDangerousHostEnvOverrideVarName("hgrcpath")).toBe(true); expect(isDangerousHostEnvOverrideVarName("RUSTC_WRAPPER")).toBe(true); expect(isDangerousHostEnvOverrideVarName("rustc_wrapper")).toBe(true); expect(isDangerousHostEnvOverrideVarName("RUSTFLAGS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("rustflags")).toBe(true); expect(isDangerousHostEnvOverrideVarName("CARGO_BUILD_RUSTC_WRAPPER")).toBe(true); expect(isDangerousHostEnvOverrideVarName("cargo_build_rustc_wrapper")).toBe(true); expect(isDangerousHostEnvOverrideVarName("CARGO_HOME")).toBe(true); expect(isDangerousHostEnvOverrideVarName("cargo_home")).toBe(true); expect(isDangerousHostEnvOverrideVarName("TF_VAR_admin_cidr")).toBe(true); expect(isDangerousHostEnvOverrideVarName("CORECLR_PROFILER_PATH")).toBe(true); expect(isDangerousHostEnvOverrideVarName("coreclr_profiler_path")).toBe(true); expect(isDangerousHostEnvOverrideVarName("XDG_CONFIG_HOME")).toBe(true); expect(isDangerousHostEnvOverrideVarName("xdg_config_home")).toBe(true); expect(isDangerousHostEnvOverrideVarName("XDG_CONFIG_DIRS")).toBe(true); expect(isDangerousHostEnvOverrideVarName("xdg_config_dirs")).toBe(true); expect(isDangerousHostEnvOverrideVarName("AWS_CONFIG_FILE")).toBe(true); expect(isDangerousHostEnvOverrideVarName("aws_config_file")).toBe(true); expect(isDangerousHostEnvOverrideVarName("yarn_rc_filename")).toBe(true); expect(isDangerousHostEnvOverrideVarName("BASH_ENV")).toBe(false); expect(isDangerousHostEnvOverrideVarName("FOO")).toBe(false); }); it("blocks newly added credential and build influence keys", () => { const keys = [ "GITHUB_TOKEN", "GH_TOKEN", "GITLAB_TOKEN", "NPM_TOKEN", "NODE_AUTH_TOKEN", "AWS_ACCESS_KEY_ID", "AWS_CONTAINER_CREDENTIALS_FULL_URI", "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "ANSIBLE_CONFIG", "ANSIBLE_LIBRARY", "ANSIBLE_REMOTE_TEMP", "R_LIBS_USER", "TF_CLI_CONFIG_FILE", "TF_PLUGIN_CACHE_DIR", "CFLAGS", "LDFLAGS", "XDG_CONFIG_DIRS", "AWS_SECRET_ACCESS_KEY", "AZURE_CLIENT_SECRET", "DATABASE_URL", "REDIS_URL", "MONGODB_URI", "AMQP_URL", "SSH_AUTH_SOCK", ] as const; for (const key of keys) { expect(isDangerousHostEnvOverrideVarName(key)).toBe(true); expect(isDangerousHostEnvOverrideVarName(key.toLowerCase())).toBe(true); } }); }); describe("sanitizeHostExecEnvWithDiagnostics", () => { it("reports blocked and invalid requested overrides", () => { const result = sanitizeHostExecEnvWithDiagnostics({ baseEnv: { PATH: "/usr/bin:/bin", }, overrides: { PATH: "/tmp/evil", CXX: "/tmp/evil-cxx", CARGO_BUILD_RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper", CARGO_REGISTRIES_CRATES_IO_INDEX: "https://example.invalid/crates.io-index", CMAKE_C_COMPILER: "/tmp/evil-c-compiler", KUBECONFIG: "/tmp/evil-kubeconfig", GOOGLE_APPLICATION_CREDENTIALS: "/tmp/evil-gcp.json", AWS_SHARED_CREDENTIALS_FILE: "/tmp/evil-aws-credentials", AWS_WEB_IDENTITY_TOKEN_FILE: "/tmp/evil-aws-web-token", AZURE_AUTH_LOCATION: "/tmp/evil-azure-auth.json", CLASSPATH: "/tmp/evil-classpath", PIP_INDEX_URL: "https://example.invalid/simple", PIP_PYPI_URL: "https://example.invalid/simple", PIP_EXTRA_INDEX_URL: "https://example.invalid/simple", PIP_CONFIG_FILE: "/tmp/evil-pip.conf", PIP_FIND_LINKS: "https://example.invalid/wheels", PIP_TRUSTED_HOST: "example.invalid", UV_INDEX: "https://example.invalid/simple", UV_INDEX_URL: "https://example.invalid/simple", UV_PYTHON: "/tmp/evil-uv-python", UV_DEFAULT_INDEX: "https://example.invalid/simple", UV_EXTRA_INDEX_URL: "https://example.invalid/simple", DOCKER_HOST: "tcp://example.invalid:2376", DOCKER_TLS_VERIFY: "1", DOCKER_CERT_PATH: "/tmp/evil-docker-certs", DOCKER_CONTEXT: "evil-remote", LIBRARY_PATH: "/tmp/evil-lib", CPATH: "/tmp/evil-headers", C_INCLUDE_PATH: "/tmp/evil-c-headers", CPLUS_INCLUDE_PATH: "/tmp/evil-cpp-headers", OBJC_INCLUDE_PATH: "/tmp/evil-objc-headers", NODE_EXTRA_CA_CERTS: "/tmp/evil-ca.pem", SSL_CERT_FILE: "/tmp/evil-cert.pem", SSL_CERT_DIR: "/tmp/evil-cert-dir", REQUESTS_CA_BUNDLE: "/tmp/evil-requests-ca.pem", CURL_CA_BUNDLE: "/tmp/evil-curl-ca.pem", GIT_DIR: "/tmp/evil-git-dir", GIT_WORK_TREE: "/tmp/evil-work-tree", GIT_COMMON_DIR: "/tmp/evil-common-dir", GIT_INDEX_FILE: "/tmp/evil-git-index", GIT_OBJECT_DIRECTORY: "/tmp/evil-git-objects", GIT_ALTERNATE_OBJECT_DIRECTORIES: "/tmp/evil-git-alt-objects", GIT_NAMESPACE: "evil-namespace", GOPROXY: "https://example.invalid/proxy", GONOSUMCHECK: "example.invalid/*", GONOSUMDB: "example.invalid/*", GONOPROXY: "example.invalid/*", GOPRIVATE: "example.invalid/*", GOENV: "/tmp/evil-goenv", GOPATH: "/tmp/evil-go", CARGO_HOME: "/tmp/evil-cargo", HGRCPATH: "/tmp/evil-hgrc", MAKEFLAGS: "--eval=$(shell touch /tmp/pwned)", MFLAGS: "--eval=$(shell touch /tmp/pwned-too)", HELM_HOME: "/tmp/evil-helm", PYTHONUSERBASE: "/tmp/evil-python-userbase", RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper", RUSTFLAGS: "-C link-args=-l/tmp/evil.so", VIRTUAL_ENV: "/tmp/evil-venv", JAVA_OPTS: "-javaagent:/tmp/evil.jar", YARN_RC_FILENAME: ".evil-yarnrc.yml", HTTPS_PROXY: "http://proxy.example.test:8080", GIT_SSL_NO_VERIFY: "1", GIT_SSL_CAINFO: "/tmp/evil-git-ca.pem", GIT_SSL_CAPATH: "/tmp/evil-git-capath", NODE_TLS_REJECT_UNAUTHORIZED: "0", SAFE_KEY: "ok", "BAD-KEY": "bad", }, }); expect(result.rejectedOverrideBlockedKeys).toEqual([ "AWS_SHARED_CREDENTIALS_FILE", "AWS_WEB_IDENTITY_TOKEN_FILE", "AZURE_AUTH_LOCATION", "C_INCLUDE_PATH", "CARGO_BUILD_RUSTC_WRAPPER", "CARGO_HOME", "CARGO_REGISTRIES_CRATES_IO_INDEX", "CLASSPATH", "CMAKE_C_COMPILER", "CPATH", "CPLUS_INCLUDE_PATH", "CURL_CA_BUNDLE", "CXX", "DOCKER_CERT_PATH", "DOCKER_CONTEXT", "DOCKER_HOST", "DOCKER_TLS_VERIFY", "GIT_ALTERNATE_OBJECT_DIRECTORIES", "GIT_COMMON_DIR", "GIT_DIR", "GIT_INDEX_FILE", "GIT_NAMESPACE", "GIT_OBJECT_DIRECTORY", "GIT_SSL_CAINFO", "GIT_SSL_CAPATH", "GIT_SSL_NO_VERIFY", "GIT_WORK_TREE", "GOENV", "GONOPROXY", "GONOSUMCHECK", "GONOSUMDB", "GOOGLE_APPLICATION_CREDENTIALS", "GOPATH", "GOPRIVATE", "GOPROXY", "HELM_HOME", "HGRCPATH", "HTTPS_PROXY", "JAVA_OPTS", "KUBECONFIG", "LIBRARY_PATH", "MAKEFLAGS", "MFLAGS", "NODE_EXTRA_CA_CERTS", "NODE_TLS_REJECT_UNAUTHORIZED", "OBJC_INCLUDE_PATH", "PATH", "PIP_CONFIG_FILE", "PIP_EXTRA_INDEX_URL", "PIP_FIND_LINKS", "PIP_INDEX_URL", "PIP_PYPI_URL", "PIP_TRUSTED_HOST", "PYTHONUSERBASE", "REQUESTS_CA_BUNDLE", "RUSTC_WRAPPER", "RUSTFLAGS", "SSL_CERT_DIR", "SSL_CERT_FILE", "UV_DEFAULT_INDEX", "UV_EXTRA_INDEX_URL", "UV_INDEX", "UV_INDEX_URL", "UV_PYTHON", "VIRTUAL_ENV", "YARN_RC_FILENAME", ]); expect(result.rejectedOverrideInvalidKeys).toEqual(["BAD-KEY"]); expect(result.env.SAFE_KEY).toBe("ok"); expect(result.env.PATH).toBe("/usr/bin:/bin"); expect(result.env.CLASSPATH).toBeUndefined(); expect(result.env.CXX).toBeUndefined(); expect(result.env.CMAKE_C_COMPILER).toBeUndefined(); expect(result.env.CARGO_BUILD_RUSTC_WRAPPER).toBeUndefined(); expect(result.env.CARGO_REGISTRIES_CRATES_IO_INDEX).toBeUndefined(); expect(result.env.PIP_INDEX_URL).toBeUndefined(); expect(result.env.PIP_PYPI_URL).toBeUndefined(); expect(result.env.PIP_EXTRA_INDEX_URL).toBeUndefined(); expect(result.env.PIP_CONFIG_FILE).toBeUndefined(); expect(result.env.PIP_FIND_LINKS).toBeUndefined(); expect(result.env.PIP_TRUSTED_HOST).toBeUndefined(); expect(result.env.UV_INDEX).toBeUndefined(); expect(result.env.UV_INDEX_URL).toBeUndefined(); expect(result.env.UV_PYTHON).toBeUndefined(); expect(result.env.UV_DEFAULT_INDEX).toBeUndefined(); expect(result.env.UV_EXTRA_INDEX_URL).toBeUndefined(); expect(result.env.KUBECONFIG).toBeUndefined(); expect(result.env.GOOGLE_APPLICATION_CREDENTIALS).toBeUndefined(); expect(result.env.AWS_SHARED_CREDENTIALS_FILE).toBeUndefined(); expect(result.env.AWS_WEB_IDENTITY_TOKEN_FILE).toBeUndefined(); expect(result.env.AZURE_AUTH_LOCATION).toBeUndefined(); expect(result.env.GIT_SSL_NO_VERIFY).toBeUndefined(); expect(result.env.GIT_SSL_CAINFO).toBeUndefined(); expect(result.env.GIT_SSL_CAPATH).toBeUndefined(); expect(result.env.DOCKER_HOST).toBeUndefined(); expect(result.env.DOCKER_TLS_VERIFY).toBeUndefined(); expect(result.env.DOCKER_CERT_PATH).toBeUndefined(); expect(result.env.DOCKER_CONTEXT).toBeUndefined(); expect(result.env.LIBRARY_PATH).toBeUndefined(); expect(result.env.CPATH).toBeUndefined(); expect(result.env.C_INCLUDE_PATH).toBeUndefined(); expect(result.env.CPLUS_INCLUDE_PATH).toBeUndefined(); expect(result.env.OBJC_INCLUDE_PATH).toBeUndefined(); expect(result.env.NODE_EXTRA_CA_CERTS).toBeUndefined(); expect(result.env.SSL_CERT_FILE).toBeUndefined(); expect(result.env.SSL_CERT_DIR).toBeUndefined(); expect(result.env.REQUESTS_CA_BUNDLE).toBeUndefined(); expect(result.env.CURL_CA_BUNDLE).toBeUndefined(); expect(result.env.GIT_DIR).toBeUndefined(); expect(result.env.GIT_WORK_TREE).toBeUndefined(); expect(result.env.GIT_COMMON_DIR).toBeUndefined(); expect(result.env.GIT_INDEX_FILE).toBeUndefined(); expect(result.env.GIT_ALTERNATE_OBJECT_DIRECTORIES).toBeUndefined(); expect(result.env.GIT_OBJECT_DIRECTORY).toBeUndefined(); expect(result.env.GIT_NAMESPACE).toBeUndefined(); expect(result.env.GOPROXY).toBeUndefined(); expect(result.env.GONOSUMCHECK).toBeUndefined(); expect(result.env.GONOSUMDB).toBeUndefined(); expect(result.env.GONOPROXY).toBeUndefined(); expect(result.env.GOPRIVATE).toBeUndefined(); expect(result.env.GOENV).toBeUndefined(); expect(result.env.GOPATH).toBeUndefined(); expect(result.env.CARGO_HOME).toBeUndefined(); expect(result.env.HGRCPATH).toBeUndefined(); expect(result.env.HELM_HOME).toBeUndefined(); expect(result.env.HTTPS_PROXY).toBeUndefined(); expect(result.env.JAVA_OPTS).toBeUndefined(); expect(result.env.MAKEFLAGS).toBeUndefined(); expect(result.env.MFLAGS).toBeUndefined(); expect(result.env.NODE_TLS_REJECT_UNAUTHORIZED).toBeUndefined(); expect(result.env.PYTHONUSERBASE).toBeUndefined(); expect(result.env.RUSTC_WRAPPER).toBeUndefined(); expect(result.env.RUSTFLAGS).toBeUndefined(); expect(result.env.VIRTUAL_ENV).toBeUndefined(); expect(result.env.YARN_RC_FILENAME).toBeUndefined(); }); it("reports newly blocked keys from everywhere and override buckets", () => { const result = sanitizeHostExecEnvWithDiagnostics({ baseEnv: { PATH: "/usr/bin:/bin", }, overrides: { VIMINIT: ":!touch /tmp/pwned", LUA_INIT_5_4: "os.execute('touch /tmp/pwned')", HOSTALIASES: "/tmp/evil-hostaliases", ANSIBLE_CONFIG: "/tmp/evil-ansible.cfg", ANSIBLE_REMOTE_TEMP: "/tmp/evil-ansible-remote", R_LIBS_USER: "/tmp/evil-r-libs-user", TF_CLI_CONFIG_FILE: "/tmp/evil-terraformrc", TF_PLUGIN_CACHE_DIR: "/tmp/evil-tf-plugin-cache", AWS_CONTAINER_CREDENTIALS_FULL_URI: "http://attacker/credentials", AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/attacker-credentials", GITHUB_TOKEN: "ghp-test", DATABASE_URL: "postgres://attacker", R_PROFILE_USER: "/tmp/evil-Rprofile", XDG_CONFIG_DIRS: "/tmp/evil-config-dirs", TF_VAR_admin_cidr: "10.0.0.0/24", SAFE_KEY: "ok", }, }); expect(result.rejectedOverrideBlockedKeys).toEqual([ "ANSIBLE_CONFIG", "ANSIBLE_REMOTE_TEMP", "AWS_CONTAINER_CREDENTIALS_FULL_URI", "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "DATABASE_URL", "GITHUB_TOKEN", "HOSTALIASES", "LUA_INIT_5_4", "R_LIBS_USER", "R_PROFILE_USER", "TF_CLI_CONFIG_FILE", "TF_PLUGIN_CACHE_DIR", "TF_VAR_ADMIN_CIDR", "VIMINIT", "XDG_CONFIG_DIRS", ]); expect(result.rejectedOverrideInvalidKeys).toEqual([]); expect(result.env.SAFE_KEY).toBe("ok"); expect(result.env.VIMINIT).toBeUndefined(); expect(result.env.LUA_INIT_5_4).toBeUndefined(); expect(result.env.HOSTALIASES).toBeUndefined(); expect(result.env.ANSIBLE_CONFIG).toBeUndefined(); expect(result.env.ANSIBLE_REMOTE_TEMP).toBeUndefined(); expect(result.env.R_LIBS_USER).toBeUndefined(); expect(result.env.TF_CLI_CONFIG_FILE).toBeUndefined(); expect(result.env.TF_PLUGIN_CACHE_DIR).toBeUndefined(); expect(result.env.GITHUB_TOKEN).toBeUndefined(); expect(result.env.DATABASE_URL).toBeUndefined(); expect(result.env.R_PROFILE_USER).toBeUndefined(); expect(result.env.XDG_CONFIG_DIRS).toBeUndefined(); expect(result.env.TF_VAR_admin_cidr).toBeUndefined(); }); it("allows Windows-style override names while still rejecting invalid keys", () => { const result = sanitizeHostExecEnvWithDiagnostics({ baseEnv: { PATH: "/usr/bin:/bin", "ProgramFiles(x86)": "C:\\Program Files (x86)", }, overrides: { "ProgramFiles(x86)": "D:\\SDKs", "BAD-KEY": "bad", }, }); expect(result.rejectedOverrideBlockedKeys).toEqual([]); expect(result.rejectedOverrideInvalidKeys).toEqual(["BAD-KEY"]); expect(result.env["ProgramFiles(x86)"]).toBe("D:\\SDKs"); }); }); describe("normalizeEnvVarKey", () => { it("normalizes and validates keys", () => { expect(normalizeEnvVarKey(" OPENROUTER_API_KEY ")).toBe("OPENROUTER_API_KEY"); expect(normalizeEnvVarKey("NOT-PORTABLE", { portable: true })).toBeNull(); expect(normalizeEnvVarKey(" BASH_FUNC_echo%% ")).toBe("BASH_FUNC_echo%%"); expect(normalizeEnvVarKey(" ")).toBeNull(); }); }); describe("sanitizeSystemRunEnvOverrides", () => { it("keeps overrides for non-shell commands", () => { const overrides = sanitizeSystemRunEnvOverrides({ shellWrapper: false, overrides: { OPENCLAW_TEST: "1", TOKEN: "abc", }, }); expect(overrides).toEqual({ OPENCLAW_TEST: "1", TOKEN: "abc", }); }); it("drops non-allowlisted overrides for shell wrappers", () => { const overrides = sanitizeSystemRunEnvOverrides({ shellWrapper: true, overrides: { OPENCLAW_TEST: "1", TOKEN: "abc", LANG: "C", LC_ALL: "C", LC_TIME: "C", }, }); expect(overrides).toEqual({ LANG: "C", LC_ALL: "C", LC_TIME: "C", }); }); it("returns undefined when no shell-wrapper overrides survive", () => { expect( sanitizeSystemRunEnvOverrides({ shellWrapper: true, overrides: { TOKEN: "abc", }, }), ).toBeUndefined(); expect(sanitizeSystemRunEnvOverrides({ shellWrapper: true })).toBeUndefined(); }); it("keeps allowlisted shell-wrapper overrides case-insensitively", () => { expect( sanitizeSystemRunEnvOverrides({ shellWrapper: true, overrides: { lang: "C", ColorTerm: "truecolor", lc_numeric: "C", }, }), ).toEqual({ lang: "C", ColorTerm: "truecolor", lc_numeric: "C", }); }); }); describe("shell wrapper exploit regression", () => { it("blocks SHELLOPTS/PS4 chain after sanitization", async () => { const bashPath = "/bin/bash"; if (process.platform === "win32" || !fs.existsSync(bashPath)) { return; } const marker = path.join(os.tmpdir(), `openclaw-ps4-marker-${process.pid}-${Date.now()}`); try { fs.unlinkSync(marker); } catch { // no-op } const filteredOverrides = sanitizeSystemRunEnvOverrides({ shellWrapper: true, overrides: { SHELLOPTS: "xtrace", PS4: `$(touch ${marker})`, }, }); const env = sanitizeHostExecEnv({ overrides: filteredOverrides, baseEnv: { PATH: process.env.PATH ?? "/usr/bin:/bin", }, }); await new Promise((resolve, reject) => { const child = spawn(bashPath, ["-lc", "echo SAFE"], { env, stdio: "ignore" }); child.once("error", reject); child.once("close", () => resolve()); }); expect(fs.existsSync(marker)).toBe(false); }); }); describe("git env exploit regression", () => { it("blocks inherited GIT_SEQUENCE_EDITOR so git rebase -i cannot execute helper payloads", async () => { const gitPath = getSystemGitPath(); if (!gitPath) { return; } const repoDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-git-sequence-editor-${process.pid}-${Date.now()}-`), ); const safeRepoDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-git-sequence-editor-safe-${process.pid}-${Date.now()}-`), ); const editorPath = path.join(repoDir, "sequence-editor.sh"); const safeEditorPath = path.join(safeRepoDir, "sequence-editor.sh"); const marker = path.join( os.tmpdir(), `openclaw-git-sequence-editor-marker-${process.pid}-${Date.now()}`, ); try { await initGitRepoWithCommits(gitPath, repoDir, 2); await initGitRepoWithCommits(gitPath, safeRepoDir, 2); clearMarker(marker); fs.writeFileSync(editorPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\n`, "utf8"); fs.chmodSync(editorPath, 0o755); fs.writeFileSync(safeEditorPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\n`, "utf8"); fs.chmodSync(safeEditorPath, 0o755); const unsafeEnv = { PATH: process.env.PATH ?? "/usr/bin:/bin", GIT_SEQUENCE_EDITOR: editorPath, GIT_TERMINAL_PROMPT: "0", }; await runGitCommand(gitPath, ["-C", repoDir, "rebase", "-i", "HEAD~1"], { env: unsafeEnv, }); expect(fs.existsSync(marker)).toBe(true); clearMarker(marker); const safeEnv = sanitizeHostExecEnv({ baseEnv: { PATH: process.env.PATH ?? "/usr/bin:/bin", GIT_SEQUENCE_EDITOR: safeEditorPath, GIT_TERMINAL_PROMPT: "0", }, }); await runGitCommand(gitPath, ["-C", safeRepoDir, "rebase", "-i", "HEAD~1"], { env: safeEnv, }); expect(fs.existsSync(marker)).toBe(false); } finally { fs.rmSync(repoDir, { recursive: true, force: true }); fs.rmSync(safeRepoDir, { recursive: true, force: true }); fs.rmSync(marker, { force: true }); } }); it("blocks inherited GIT_EXEC_PATH so git cannot execute helper payloads", async () => { const gitPath = getSystemGitPath(); if (!gitPath) { return; } const helperDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-git-exec-path-${process.pid}-${Date.now()}-`), ); const helperPath = path.join(helperDir, "git-remote-https"); const marker = path.join( os.tmpdir(), `openclaw-git-exec-path-marker-${process.pid}-${Date.now()}`, ); try { clearMarker(marker); fs.writeFileSync(helperPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\nexit 1\n`, "utf8"); fs.chmodSync(helperPath, 0o755); const target = "https://127.0.0.1:1/does-not-matter"; const unsafeEnv = { PATH: process.env.PATH ?? "/usr/bin:/bin", GIT_EXEC_PATH: helperDir, GIT_TERMINAL_PROMPT: "0", }; await runGitLsRemote(gitPath, target, unsafeEnv); expect(fs.existsSync(marker)).toBe(true); clearMarker(marker); const safeEnv = sanitizeHostExecEnv({ baseEnv: unsafeEnv, }); await runGitLsRemote(gitPath, target, safeEnv); expect(fs.existsSync(marker)).toBe(false); } finally { fs.rmSync(helperDir, { recursive: true, force: true }); fs.rmSync(marker, { force: true }); } }); it("blocks inherited GIT_TEMPLATE_DIR so git clone cannot install hook payloads", async () => { const gitPath = getSystemGitPath(); if (!gitPath) { return; } const repoDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-git-template-source-${process.pid}-${Date.now()}-`), ); const cloneDir = path.join( os.tmpdir(), `openclaw-git-template-clone-${process.pid}-${Date.now()}`, ); const safeCloneDir = path.join( os.tmpdir(), `openclaw-git-template-safe-clone-${process.pid}-${Date.now()}`, ); const templateDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-git-template-dir-${process.pid}-${Date.now()}-`), ); const hooksDir = path.join(templateDir, "hooks"); const marker = path.join( os.tmpdir(), `openclaw-git-template-marker-${process.pid}-${Date.now()}`, ); try { fs.mkdirSync(hooksDir, { recursive: true }); clearMarker(marker); fs.writeFileSync( path.join(hooksDir, "post-checkout"), `#!/bin/sh\ntouch ${JSON.stringify(marker)}\n`, "utf8", ); fs.chmodSync(path.join(hooksDir, "post-checkout"), 0o755); await runGitCommand(gitPath, ["init", repoDir]); await runGitCommand( gitPath, [ "-C", repoDir, "-c", "user.name=OpenClaw Test", "-c", "user.email=test@example.com", "commit", "--allow-empty", "-m", "init", ], { env: { PATH: process.env.PATH ?? "/usr/bin:/bin", }, }, ); const unsafeEnv = { PATH: process.env.PATH ?? "/usr/bin:/bin", GIT_TEMPLATE_DIR: templateDir, GIT_TERMINAL_PROMPT: "0", }; await runGitClone(gitPath, repoDir, cloneDir, unsafeEnv); expect(fs.existsSync(marker)).toBe(true); clearMarker(marker); const safeEnv = sanitizeHostExecEnv({ baseEnv: unsafeEnv, }); await runGitClone(gitPath, repoDir, safeCloneDir, safeEnv); expect(fs.existsSync(marker)).toBe(false); } finally { fs.rmSync(repoDir, { recursive: true, force: true }); fs.rmSync(cloneDir, { recursive: true, force: true }); fs.rmSync(safeCloneDir, { recursive: true, force: true }); fs.rmSync(templateDir, { recursive: true, force: true }); fs.rmSync(marker, { force: true }); } }); it("blocks GIT_SSH_COMMAND override so git cannot execute helper payloads", async () => { const gitPath = getSystemGitPath(); if (!gitPath) { return; } const marker = path.join(os.tmpdir(), `openclaw-git-ssh-command-${process.pid}-${Date.now()}`); clearMarker(marker); const target = "ssh://127.0.0.1:1/does-not-matter"; const exploitValue = `touch ${JSON.stringify(marker)}; false`; const baseEnv = { PATH: process.env.PATH ?? "/usr/bin:/bin", GIT_TERMINAL_PROMPT: "0", }; const unsafeEnv = { ...baseEnv, GIT_SSH_COMMAND: exploitValue, }; await runGitLsRemote(gitPath, target, unsafeEnv); expect(fs.existsSync(marker)).toBe(true); clearMarker(marker); const safeEnv = sanitizeHostExecEnv({ baseEnv, overrides: { GIT_SSH_COMMAND: exploitValue, }, }); await runGitLsRemote(gitPath, target, safeEnv); expect(fs.existsSync(marker)).toBe(false); }); }); describe("compiler override exploit regression", () => { it("blocks CC overrides so make cannot execute a substituted compiler", async () => { const makePath = getSystemMakePath(); if (!makePath) { return; } const tempDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-compiler-override-${process.pid}-${Date.now()}-`), ); const exploitPath = path.join(tempDir, "evil-cc"); const marker = path.join( os.tmpdir(), `openclaw-compiler-override-marker-${process.pid}-${Date.now()}`, ); try { // `CC` is a representative proof for the whole class because all compiler override keys // flow through the same host env sanitization boundary; unit tests cover the sibling keys. clearMarker(marker); fs.writeFileSync( path.join(tempDir, "Makefile"), "all:\n\t@$(CC) --version >/dev/null 2>&1 || true\n", "utf8", ); fs.writeFileSync(exploitPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\nexit 1\n`, "utf8"); fs.chmodSync(exploitPath, 0o755); const baseEnv = { PATH: process.env.PATH ?? "/usr/bin:/bin", }; await runMakeCommand(makePath, tempDir, { ...baseEnv, CC: exploitPath, }); expect(fs.existsSync(marker)).toBe(true); clearMarker(marker); const safeEnv = sanitizeHostExecEnv({ baseEnv, overrides: { CC: exploitPath, }, }); await runMakeCommand(makePath, tempDir, safeEnv); expect(fs.existsSync(marker)).toBe(false); } finally { fs.rmSync(tempDir, { recursive: true, force: true }); fs.rmSync(marker, { force: true }); } }); }); describe("make env exploit regression", () => { it("blocks MAKEFLAGS overrides so make cannot evaluate shell payloads from env", async () => { const makePath = getSystemMakePath(); if (!makePath) { return; } const tempDir = fs.mkdtempSync( path.join(os.tmpdir(), `openclaw-makeflags-override-${process.pid}-${Date.now()}-`), ); const exploitPath = path.join(tempDir, "evil-makeflags.sh"); const marker = path.join(os.tmpdir(), `openclaw-makeflags-marker-${process.pid}-${Date.now()}`); try { clearMarker(marker); fs.writeFileSync(path.join(tempDir, "Makefile"), "all:\n\t@:\n", "utf8"); fs.writeFileSync(exploitPath, `#!/bin/sh\ntouch ${JSON.stringify(marker)}\n`, "utf8"); fs.chmodSync(exploitPath, 0o755); const exploitValue = `--eval=$(shell ${exploitPath})`; const baseEnv = { PATH: process.env.PATH ?? "/usr/bin:/bin", }; await runMakeCommand(makePath, tempDir, { ...baseEnv, MAKEFLAGS: exploitValue, }); const baselineTriggered = fs.existsSync(marker); clearMarker(marker); const safeEnv = sanitizeHostExecEnv({ baseEnv, overrides: { MAKEFLAGS: exploitValue, }, }); expect(safeEnv.MAKEFLAGS).toBeUndefined(); await runMakeCommand(makePath, tempDir, safeEnv); expect(fs.existsSync(marker)).toBe(false); expect(typeof baselineTriggered).toBe("boolean"); } finally { fs.rmSync(tempDir, { recursive: true, force: true }); fs.rmSync(marker, { force: true }); } }); });