fix(exec): block proxy-style env overrides (#58202)

* fix(exec): block proxy-style env overrides * fix(exec): keep trusted host proxy env inherited * fix(exec): block git tls override env vars * fix(skills): block dangerous env override keys
2026-04-26 16:06:16 +00:00 · 2026-03-31 21:25:36 +09:00
parent 28bb8c600e
commit 4d912e0451
7 changed files with 187 additions and 2 deletions
--- a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -22,6 +22,9 @@ enum HostEnvSecurityPolicy {
        "GIT_EXEC_PATH",
        "GIT_SEQUENCE_EDITOR",
        "GIT_TEMPLATE_DIR",
+        "GIT_SSL_NO_VERIFY",
+        "GIT_SSL_CAINFO",
+        "GIT_SSL_CAPATH",
        "CC",
        "CXX",
        "CARGO_BUILD_RUSTC",
@@ -54,6 +57,9 @@ enum HostEnvSecurityPolicy {
        "GIT_SSH",
        "GIT_PROXY_COMMAND",
        "GIT_ASKPASS",
+        "GIT_SSL_NO_VERIFY",
+        "GIT_SSL_CAINFO",
+        "GIT_SSL_CAPATH",
        "SSH_ASKPASS",
        "LESSOPEN",
        "LESSCLOSE",
@@ -82,6 +88,19 @@ enum HostEnvSecurityPolicy {
        "PHP_INI_SCAN_DIR",
        "DENO_DIR",
        "BUN_CONFIG_REGISTRY",
+        "HTTP_PROXY",
+        "HTTPS_PROXY",
+        "ALL_PROXY",
+        "NO_PROXY",
+        "NODE_TLS_REJECT_UNAUTHORIZED",
+        "NODE_EXTRA_CA_CERTS",
+        "SSL_CERT_FILE",
+        "SSL_CERT_DIR",
+        "REQUESTS_CA_BUNDLE",
+        "CURL_CA_BUNDLE",
+        "DOCKER_HOST",
+        "DOCKER_TLS_VERIFY",
+        "DOCKER_CERT_PATH",
        "PIP_INDEX_URL",
        "PIP_PYPI_URL",
        "PIP_EXTRA_INDEX_URL",