Allow inherited AWS config file paths

2026-04-24 07:01:49 +00:00 · 2026-03-27 15:12:10 -05:00
parent 8bcab7ec6f
commit 4430805719
3 changed files with 12 additions and 8 deletions
--- a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -35,8 +35,7 @@ enum HostEnvSecurityPolicy {
        "MAVEN_OPTS",
        "SBT_OPTS",
        "GRADLE_OPTS",
-        "ANT_OPTS",
-        "AWS_CONFIG_FILE"
+        "ANT_OPTS"
    ]

    static let blockedOverrideKeys: Set<String> = [
@@ -81,7 +80,8 @@ enum HostEnvSecurityPolicy {
        "GEM_PATH",
        "BUNDLE_GEMFILE",
        "COMPOSER_HOME",
-        "XDG_CONFIG_HOME"
+        "XDG_CONFIG_HOME",
+        "AWS_CONFIG_FILE"
    ]

    static let blockedOverridePrefixes: [String] = [
--- a/src/infra/host-env-security-policy.json
+++ b/src/infra/host-env-security-policy.json
@@ -29,8 +29,7 @@
    "MAVEN_OPTS",
    "SBT_OPTS",
    "GRADLE_OPTS",
-    "ANT_OPTS",
-    "AWS_CONFIG_FILE"
+    "ANT_OPTS"
  ],
  "blockedOverrideKeys": [
    "HOME",
@@ -74,7 +73,8 @@
    "GEM_PATH",
    "BUNDLE_GEMFILE",
    "COMPOSER_HOME",
-    "XDG_CONFIG_HOME"
+    "XDG_CONFIG_HOME",
+    "AWS_CONFIG_FILE"
  ],
  "blockedOverridePrefixes": ["GIT_CONFIG_", "NPM_CONFIG_"],
  "blockedPrefixes": ["DYLD_", "LD_", "BASH_FUNC_"]
--- a/src/infra/host-env-security.test.ts
+++ b/src/infra/host-env-security.test.ts
@@ -101,8 +101,8 @@ describe("isDangerousHostEnvVarName", () => {
    expect(isDangerousHostEnvVarName("gradle_opts")).toBe(true);
    expect(isDangerousHostEnvVarName("ANT_OPTS")).toBe(true);
    expect(isDangerousHostEnvVarName("ant_opts")).toBe(true);
-    expect(isDangerousHostEnvVarName("AWS_CONFIG_FILE")).toBe(true);
-    expect(isDangerousHostEnvVarName("aws_config_file")).toBe(true);
+    expect(isDangerousHostEnvVarName("AWS_CONFIG_FILE")).toBe(false);
+    expect(isDangerousHostEnvVarName("aws_config_file")).toBe(false);
    expect(isDangerousHostEnvVarName("PATH")).toBe(false);
    expect(isDangerousHostEnvVarName("FOO")).toBe(false);
    expect(isDangerousHostEnvVarName("GRADLE_USER_HOME")).toBe(false);
@@ -126,6 +126,7 @@ describe("sanitizeHostExecEnv", () => {
    expect(env).toEqual({
      OPENCLAW_CLI: OPENCLAW_CLI_ENV_VALUE,
      PATH: "/usr/bin:/bin",
+      AWS_CONFIG_FILE: "/tmp/aws-config",
      OK: "1",
    });
  });
@@ -147,6 +148,7 @@ describe("sanitizeHostExecEnv", () => {
        EDITOR: "/tmp/editor",
        NPM_CONFIG_USERCONFIG: "/tmp/npmrc",
        GIT_CONFIG_GLOBAL: "/tmp/gitconfig",
+        AWS_CONFIG_FILE: "/tmp/override-aws-config",
        SHELLOPTS: "xtrace",
        PS4: "$(touch /tmp/pwned)",
        CLASSPATH: "/tmp/evil-classpath",
@@ -268,6 +270,8 @@ describe("isDangerousHostEnvOverrideVarName", () => {
    expect(isDangerousHostEnvOverrideVarName("coreclr_profiler_path")).toBe(true);
    expect(isDangerousHostEnvOverrideVarName("XDG_CONFIG_HOME")).toBe(true);
    expect(isDangerousHostEnvOverrideVarName("xdg_config_home")).toBe(true);
+    expect(isDangerousHostEnvOverrideVarName("AWS_CONFIG_FILE")).toBe(true);
+    expect(isDangerousHostEnvOverrideVarName("aws_config_file")).toBe(true);
    expect(isDangerousHostEnvOverrideVarName("BASH_ENV")).toBe(false);
    expect(isDangerousHostEnvOverrideVarName("FOO")).toBe(false);
  });