fix: harden host exec env validation (#4896) (thanks @HassanFleyah)

2026-04-03 03:03:24 -04:00 · 2026-02-01 15:35:48 -08:00
parent 0a5821a811
commit a87a07ec8a
4 changed files with 28 additions and 5 deletions
--- a/src/agents/bash-tools.exec.path.test.ts
+++ b/src/agents/bash-tools.exec.path.test.ts
@@ -109,3 +109,17 @@ describe("exec PATH login shell merge", () => {
    expect(shellPathMock).not.toHaveBeenCalled();
  });
 });
+
+describe("exec host env validation", () => {
+  it("blocks LD_/DYLD_ env vars on host execution", async () => {
+    const { createExecTool } = await import("./bash-tools.exec.js");
+    const tool = createExecTool({ host: "gateway", security: "full", ask: "off" });
+
+    await expect(
+      tool.execute("call1", {
+        command: "echo ok",
+        env: { LD_DEBUG: "1" },
+      }),
+    ).rejects.toThrow(/Security Violation: Environment variable 'LD_DEBUG' is forbidden/);
+  });
+});
--- a/src/agents/bash-tools.exec.ts
+++ b/src/agents/bash-tools.exec.ts
@@ -76,6 +76,7 @@ const DANGEROUS_HOST_ENV_VARS = new Set([
  "IFS",
  "SSLKEYLOGFILE",
 ]);
+const DANGEROUS_HOST_ENV_PREFIXES = ["DYLD_", "LD_"];

 // Centralized sanitization helper.
 // Throws an error if dangerous variables or PATH modifications are detected on the host.
@@ -84,6 +85,11 @@ function validateHostEnv(env: Record<string, string>): void {
    const upperKey = key.toUpperCase();

    // 1. Block known dangerous variables (Fail Closed)
+    if (DANGEROUS_HOST_ENV_PREFIXES.some((prefix) => upperKey.startsWith(prefix))) {
+      throw new Error(
+        `Security Violation: Environment variable '${key}' is forbidden during host execution.`,
+      );
+    }
    if (DANGEROUS_HOST_ENV_VARS.has(upperKey)) {
      throw new Error(
        `Security Violation: Environment variable '${key}' is forbidden during host execution.`,