refactor: consolidate envvar security validation and use feature flags

Refactors the environment variable injection security fix based on feedback:

1. Consolidates EnvVarSecurity into EnvvarSanitization namespace within
   envvar-prefix-context-parser.ts instead of standalone module
2. Replaces config-based feature flag with workspace feature flag
   'envvar_context_validation' in user.featureFlags.permanentWSFeatureFlags
3. Consolidates all tests into single test file with two test suites:
   - TestEnvvarPrefixParser (integration tests)
   - TestEnvvarSanitization (unit tests)

Changes:
- Added 'envvar_context_validation' to WorkspaceFeatureFlags in protocol.ts
- Moved security validation logic into EnvvarSanitization namespace
- Updated parser to check user feature flags instead of config
- Removed standalone envvar-security.ts and envvar-security.spec.ts files
- Removed envvarContextValidation from config.ts
- Updated design document to reflect refactored architecture

The security functionality remains identical - three-layer validation with
backward compatibility when feature flag is disabled.

Co-authored-by: Ona <[email protected]>

Author: geropl

DESIGN_ENV_VAR_SECURITY.md

@@ -3,7 +3,7 @@
 **Issue**: CLC-1591 - Environment Variable Injection Leads to Private Repo Content Exfiltration
 **CVSS**: 8.0 (High) - Cross-origin attackers can inject environment variables leading to command execution
 ****Date**: 2025-01-22
-**Status**: Phase 1 Implementation Complete
+**Status**: Phase 1 Refactored - Feature Flag Implementation
 
 ## Problem Statement
 
@@ -384,23 +384,28 @@ Verify legitimate use cases continue to work:
 
 ## Implementation Progress
 
-### Phase 1: Core Implementation ✅ COMPLETE
-**Status**: Implemented and ready for testing
-**Files Created/Modified**:
-- ✅ `components/server/src/workspace/envvar-security.ts` - Core security validation module
-- ✅ `components/server/src/config.ts` - Added feature flag configuration
-- ✅ `components/server/src/workspace/envvar-prefix-context-parser.ts` - Integrated security validation
-- ✅ `components/server/src/workspace/envvar-security.spec.ts` - Comprehensive unit tests
-- ✅ `components/server/src/workspace/envvar-prefix-context-parser.spec.ts` - Enhanced integration tests
+### Phase 1: Core Implementation ✅ COMPLETE (Refactored)
+**Status**: Refactored to use workspace feature flags and consolidated architecture
+**Files Modified**:
+- ✅ `components/gitpod-protocol/src/protocol.ts` - Added `envvar_context_validation` feature flag
+- ✅ `components/server/src/workspace/envvar-prefix-context-parser.ts` - Integrated `EnvvarSanitization` namespace
+- ✅ `components/server/src/workspace/envvar-prefix-context-parser.spec.ts` - Consolidated all tests
+- ✅ `components/server/src/config.ts` - Removed config-based feature flag
+
+**Refactoring Changes**:
+- **Consolidated Architecture**: Moved security validation into `EnvvarSanitization` namespace within the main parser file
+- **Feature Flag Implementation**: Replaced config-based flag with workspace feature flag `envvar_context_validation`
+- **Test Consolidation**: Combined all tests into single test file with two test suites
+- **Simplified Dependencies**: Removed standalone security module and config dependency
 
 **Implementation Details**:
-- **Three-layer security validation** implemented as designed:
+- **Three-layer security validation** implemented in `EnvvarSanitization` namespace:
   1. Variable name blacklist (auto-executing variables)
   2. Character whitelist for values `[A-Za-z0-9_\-\.?=]`
   3. Injection pattern detection (command substitution, chaining, etc.)
-- **Feature flag support** with backward compatibility (disabled by default)
+- **Workspace feature flag**: `envvar_context_validation` in user's `permanentWSFeatureFlags`
+- **Backward compatibility**: Feature disabled by default, only enabled when user has the feature flag
 - **Comprehensive logging** for blocked variables with reason codes
-- **Dependency injection** properly configured with Config service
 - **URL decoding** handled before validation to prevent bypass attempts
 
 **Security Coverage**:
@@ -412,19 +417,20 @@ Verify legitimate use cases continue to work:
 - ✅ Command injection patterns detected: `$(...)`, `|cmd`, `;cmd`, `&&cmd`
 
 **Testing Coverage**:
-- ✅ Unit tests for all security validation layers
-- ✅ Integration tests with feature flag scenarios
+- ✅ `TestEnvvarPrefixParser` suite: Integration tests with feature flag scenarios
+- ✅ `TestEnvvarSanitization` suite: Unit tests for all security validation layers
 - ✅ Attack vector validation tests
 - ✅ Legitimate use case preservation tests
 - ✅ URL encoding/decoding edge cases
+- ✅ Feature flag enabled/disabled behavior tests
 
 ### Next Steps: Phase 2 - Testing & Validation
 **Planned Activities**:
 1. Build and run test suite in proper environment
 2. Validate all attack vectors are blocked
 3. Confirm legitimate use cases work
 4. Performance testing of validation overhead
-5. Prepare for gradual rollout
+5. Configure feature flag rollout strategy
 
 ## Security Review
 
@@ -438,7 +444,9 @@ The solution is conservative by design, prioritizing security over convenience f
 
 **Phase 1 Implementation Validation**:
 - ✅ All security layers implemented as specified
-- ✅ Feature flag system properly integrated
-- ✅ Comprehensive test coverage created
+- ✅ Workspace feature flag system properly integrated
+- ✅ Comprehensive test coverage created and consolidated
 - ✅ Backward compatibility maintained
 - ✅ Logging and monitoring integrated
+- ✅ Architecture simplified and consolidated
+- ✅ Dependencies reduced (no standalone security module)

components/gitpod-protocol/src/protocol.ts

@@ -224,6 +224,7 @@ export const WorkspaceFeatureFlags = {
     workspace_connection_limiting: undefined,
     workspace_psi: undefined,
     ssh_ca: undefined,
+    envvar_context_validation: undefined,
 };
 export type NamedWorkspaceFeatureFlag = keyof typeof WorkspaceFeatureFlags;
 export namespace NamedWorkspaceFeatureFlag {

components/server/src/config.ts

@@ -274,14 +274,6 @@ export interface ConfigSerialized {
 
     /** true if this is a Dedicated */
     isDedicatedInstallation: boolean;
-
-    /**
-     * Environment variable context validation configuration
-     * Controls security validation of environment variables set via context URLs
-     */
-    envvarContextValidation?: {
-        enabled: boolean;
-    };
 }
 
 export interface CookieConfig {