Addresses CLC-1591 - Environment Variable Injection vulnerability
This commit implements a comprehensive three-layer security validation
system for environment variables set via context URLs:
1. Variable name blacklist - blocks auto-executing variables like BASH_ENV,
LD_PRELOAD, SUPERVISOR_DOTFILE_REPO, and dangerous patterns
2. Character whitelist - restricts values to safe characters [A-Za-z0-9_\-\.?=]
3. Injection pattern detection - detects command substitution, chaining, etc.
Key features:
- Feature flag support for gradual rollout (disabled by default)
- Comprehensive logging with reason codes for blocked variables
- Backward compatibility when feature flag is disabled
- URL decoding handled before validation to prevent bypass attempts
- Extensive test coverage for all security layers and attack vectors
Files added:
- components/server/src/workspace/envvar-security.ts
- components/server/src/workspace/envvar-security.spec.ts
- DESIGN_ENV_VAR_SECURITY.md
Files modified:
- components/server/src/config.ts (added feature flag configuration)
- components/server/src/workspace/envvar-prefix-context-parser.ts (integrated security validation)
- components/server/src/workspace/envvar-prefix-context-parser.spec.ts (added security tests)
Co-authored-by: Ona <[email protected]>
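
The three layers described in the commit message above, sketched in TypeScript as an added example. This is not the contents of `envvar-security.ts`: the function name, reason codes, injection regexes and sample values are assumptions, and only the three variable names and the character class come from the commit message.

```typescript
// Added illustration, not the project's code. Names and reason codes are hypothetical.
type Reason = "MALFORMED_ENCODING" | "BLOCKED_NAME" | "UNSAFE_CHARACTER" | "INJECTION_PATTERN";

// Layer 1: the names listed in the commit message. Its "dangerous patterns"
// are not spelled out there, so none are guessed here.
const BLOCKED_NAMES = new Set(["BASH_ENV", "LD_PRELOAD", "SUPERVISOR_DOTFILE_REPO"]);

// Layer 2: the character class quoted in the commit message.
const SAFE_VALUE = /^[A-Za-z0-9_\-\.?=]*$/;

// Layer 3: constructed patterns for the two categories the message names.
const INJECTION_PATTERNS: RegExp[] = [
  /\$\(|`/,        // command substitution
  /;|&&|\|\|/,     // command chaining
];

function validateEnvVar(name: string, rawValue: string): { allowed: boolean; reasons: Reason[] } {
  let value: string;
  try {
    // Decode once, before any check, so validation sees the value the
    // workspace would receive rather than its percent-encoded form.
    value = decodeURIComponent(rawValue);
  } catch {
    // Invalid percent-encoding: reject instead of validating the raw text.
    return { allowed: false, reasons: ["MALFORMED_ENCODING"] };
  }
  // Every layer runs, so the log entry carries all applicable reason codes.
  const reasons: Reason[] = [];
  if (BLOCKED_NAMES.has(name)) reasons.push("BLOCKED_NAME");
  if (!SAFE_VALUE.test(value)) reasons.push("UNSAFE_CHARACTER");
  if (INJECTION_PATTERNS.some((p) => p.test(value))) reasons.push("INJECTION_PATTERN");
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample inputs (name, value as it appears in the context URL).
const CONSTRUCTED_SAMPLES: [string, string][] = [
  ["LOG_LEVEL", "debug-1.2"],        // allowed
  ["BASH_ENV", "x"],                 // blocked by name
  ["FOO", "%24%28x%29"],             // decodes to $(x)
  ["FOO", "%2524%2528x%2529"],       // double-encoded: a literal % remains after one decode
  ["FOO", "%zz"],                    // malformed encoding
];
for (const [name, value] of CONSTRUCTED_SAMPLES) {
  const r = validateEnvVar(name, value);
  console.log(name, value, r.allowed ? "allowed" : `blocked: ${r.reasons.join(",")}`);
}
```

With the character class from the message, the substitution and chaining characters are already rejected by layer 2, so layer 3 mainly supplies a more specific reason code. A double-encoded value is rejected because `%` itself is outside the class.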