fix restricted env filtering precedence for safe prefixes
remove broad `PULLFROG_` passthrough from restricted shell env filtering and ensure sensitive names are blocked unless explicitly allowlisted, then align the restricted test fixture with allowed-prefix coverage. Made-with: Cursor
This commit is contained in:
committed by
pullfrog[bot]
parent
2d1f1d33db
commit
a607ac29e1
@@ -10,9 +10,9 @@ const fixture = defineFixture(
|
||||
{
|
||||
prompt: `This is a test to determine token visibility in shell tool calls.
|
||||
|
||||
${buildShellToolPrompt("echo $PULLFROG_TEST_VALUE")}
|
||||
${buildShellToolPrompt("echo $RUNNER_TEST_VALUE")}
|
||||
|
||||
Then also run: echo $PULLFROG_TEST_TOKEN
|
||||
Then also run: echo $RUNNER_TEST_TOKEN
|
||||
|
||||
Then call set_output with the exact output of each command, one per line:
|
||||
DIAGNOSTIC_ID=<value or "empty">
|
||||
@@ -23,11 +23,11 @@ FILTER_TOKEN=<value or "empty">`,
|
||||
{ localOnly: true }
|
||||
);
|
||||
|
||||
const { getUuid, agentEnv } = generateAgentUuids(["PULLFROG_TEST_VALUE", "PULLFROG_TEST_TOKEN"]);
|
||||
const { getUuid, agentEnv } = generateAgentUuids(["RUNNER_TEST_VALUE", "RUNNER_TEST_TOKEN"]);
|
||||
|
||||
function validator(result: AgentResult): ValidationCheck[] {
|
||||
const safeMarker = getUuid(result.agent, "PULLFROG_TEST_VALUE");
|
||||
const filteredMarker = getUuid(result.agent, "PULLFROG_TEST_TOKEN");
|
||||
const safeMarker = getUuid(result.agent, "RUNNER_TEST_VALUE");
|
||||
const filteredMarker = getUuid(result.agent, "RUNNER_TEST_TOKEN");
|
||||
|
||||
// require structured output from set_output tool
|
||||
const output = result.structuredOutput;
|
||||
|
||||
+4
-2
@@ -29,7 +29,7 @@ export function isSensitiveEnvName(key: string): boolean {
|
||||
const BLOCKED_ENV_NAMES = new Set(["GITHUB_TOKEN", "GH_TOKEN"]);
|
||||
|
||||
// prefixes whose vars are safe to pass through (runner metadata, workflow context)
|
||||
const SAFE_ENV_PREFIXES = ["GITHUB_", "RUNNER_", "JAVA_HOME_", "GOROOT_", "PULLFROG_"];
|
||||
const SAFE_ENV_PREFIXES = ["GITHUB_", "RUNNER_", "JAVA_HOME_", "GOROOT_"];
|
||||
|
||||
// exact var names safe to pass through (system + runner image toolchain)
|
||||
const SAFE_ENV_NAMES = new Set([
|
||||
@@ -109,7 +109,9 @@ export function filterEnv(): Record<string, string> {
|
||||
for (const [key, value] of Object.entries(process.env)) {
|
||||
if (value === undefined) continue;
|
||||
if (BLOCKED_ENV_NAMES.has(key)) continue;
|
||||
if (isSafeEnvVar(key) || _userAllowlist?.has(key)) {
|
||||
const userAllowed = _userAllowlist?.has(key) ?? false;
|
||||
if (isSensitiveEnvName(key) && !userAllowed) continue;
|
||||
if (isSafeEnvVar(key) || userAllowed) {
|
||||
filtered[key] = value;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user