replace suffix-based env filtering with default-deny allowlist (#543)

* replace suffix-based env filtering with default-deny allowlist

filterEnv() now only passes known-safe GitHub Actions runner/system/toolchain
vars plus user-configured allowlist entries to shell subprocesses. GITHUB_TOKEN
and GH_TOKEN are always blocked, even from the user allowlist.

adds envAllowlist field to repo settings with dashboard textarea UI (visible
only when shell isolation is enabled) and wires it through run-context API
to the action runtime.

Made-with: Cursor

* address review: blocked-name warning, JAVA_HOME prefix, stale waitlist copy

- setEnvAllowlist now strips BLOCKED_ENV_NAMES from user input and returns
  them so main.ts can log a warning
- move JAVA_HOME to exact names, use JAVA_HOME_ as prefix for clarity
- update stale suffix-based description in waitlist email script

Made-with: Cursor

* fix wiki/security.md snippet: JAVA_HOME -> JAVA_HOME_ to match code

Made-with: Cursor

* UI polish: field-sizing-content on all textareas, rename env allowlist label

- add field-sizing-content to all settings textareas so they auto-expand
  to fit content (AgentSettings, ModesSettings, WorkflowsSettings, FlagsSettings)
- rename "Environment variable passthrough" to "Environment allowlist"
  with clearer popover copy
- drop "e.g." prefix from env allowlist placeholder
- update docs/security.mdx and wiki/security.md references to match

Made-with: Cursor

* tweak env allowlist popover wording

Made-with: Cursor

* document default allowed variables in security docs with link from popover

Made-with: Cursor

* Update action/utils/secrets.ts

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
This commit is contained in:
Colin McDonnell
2026-04-16 01:58:26 +00:00
committed by pullfrog[bot]
parent a120160f42
commit 2d1f1d33db
4 changed files with 107 additions and 6 deletions
+9
View File
@@ -35,6 +35,7 @@ import { resolvePayload, resolvePromptInput } from "./utils/payload.ts";
import { postReviewCleanup } from "./utils/reviewCleanup.ts";
import { handleAgentResult } from "./utils/run.ts";
import { resolveRunContextData } from "./utils/runContextData.ts";
import { setEnvAllowlist } from "./utils/secrets.ts";
import { createTempDirectory, setupGit } from "./utils/setup.ts";
import { killTrackedChildren } from "./utils/subprocess.ts";
import { parseTimeString, TIMEOUT_DISABLED } from "./utils/time.ts";
@@ -216,6 +217,14 @@ export async function main(): Promise<MainResult> {
if (count > 0) log.info(`» ${count} db secret(s) loaded`);
}
// configure env allowlist for subprocess filtering
if (runContext.repoSettings.envAllowlist) {
const blocked = setEnvAllowlist(runContext.repoSettings.envAllowlist);
if (blocked.length > 0) {
log.warning(`env allowlist contains blocked names (ignored): ${blocked.join(", ")}`);
}
}
// resolve payload to determine shell permission
const payload = resolvePayload(resolvedPromptInput, runContext.repoSettings);
toolState.model = payload.model;