From a607ac29e11dbf182cc5dcd11f55e8e88b915a92 Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Thu, 16 Apr 2026 06:19:32 +0000 Subject: [PATCH] fix restricted env filtering precedence for safe prefixes remove broad `PULLFROG_` passthrough from restricted shell env filtering and ensure sensitive names are blocked unless explicitly allowlisted, then align the restricted test fixture with allowed-prefix coverage. Made-with: Cursor --- test/crossagent/restricted.ts | 10 +++++----- utils/secrets.ts | 6 ++++-- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/test/crossagent/restricted.ts b/test/crossagent/restricted.ts index c6d0562..a33daff 100644 --- a/test/crossagent/restricted.ts +++ b/test/crossagent/restricted.ts @@ -10,9 +10,9 @@ const fixture = defineFixture( { prompt: `This is a test to determine token visibility in shell tool calls. -${buildShellToolPrompt("echo $PULLFROG_TEST_VALUE")} +${buildShellToolPrompt("echo $RUNNER_TEST_VALUE")} -Then also run: echo $PULLFROG_TEST_TOKEN +Then also run: echo $RUNNER_TEST_TOKEN Then call set_output with the exact output of each command, one per line: DIAGNOSTIC_ID= @@ -23,11 +23,11 @@ FILTER_TOKEN=`, { localOnly: true } ); -const { getUuid, agentEnv } = generateAgentUuids(["PULLFROG_TEST_VALUE", "PULLFROG_TEST_TOKEN"]); +const { getUuid, agentEnv } = generateAgentUuids(["RUNNER_TEST_VALUE", "RUNNER_TEST_TOKEN"]); function validator(result: AgentResult): ValidationCheck[] { - const safeMarker = getUuid(result.agent, "PULLFROG_TEST_VALUE"); - const filteredMarker = getUuid(result.agent, "PULLFROG_TEST_TOKEN"); + const safeMarker = getUuid(result.agent, "RUNNER_TEST_VALUE"); + const filteredMarker = getUuid(result.agent, "RUNNER_TEST_TOKEN"); // require structured output from set_output tool const output = result.structuredOutput; diff --git a/utils/secrets.ts b/utils/secrets.ts index a47c814..310b5dd 100644 --- a/utils/secrets.ts +++ b/utils/secrets.ts @@ -29,7 +29,7 @@ export function isSensitiveEnvName(key: string): boolean { const BLOCKED_ENV_NAMES = new Set(["GITHUB_TOKEN", "GH_TOKEN"]); // prefixes whose vars are safe to pass through (runner metadata, workflow context) -const SAFE_ENV_PREFIXES = ["GITHUB_", "RUNNER_", "JAVA_HOME_", "GOROOT_", "PULLFROG_"]; +const SAFE_ENV_PREFIXES = ["GITHUB_", "RUNNER_", "JAVA_HOME_", "GOROOT_"]; // exact var names safe to pass through (system + runner image toolchain) const SAFE_ENV_NAMES = new Set([ @@ -109,7 +109,9 @@ export function filterEnv(): Record { for (const [key, value] of Object.entries(process.env)) { if (value === undefined) continue; if (BLOCKED_ENV_NAMES.has(key)) continue; - if (isSafeEnvVar(key) || _userAllowlist?.has(key)) { + const userAllowed = _userAllowlist?.has(key) ?? false; + if (isSensitiveEnvName(key) && !userAllowed) continue; + if (isSafeEnvVar(key) || userAllowed) { filtered[key] = value; } }