Context
PR #2436 added env var sanitization for MCP stdio child processes, filtering LD_PRELOAD, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES, DYLD_LIBRARY_PATH, _RLD_LIST, and SHLIB_PATH.
Gap
The following dangerous env vars are NOT currently filtered:
PATH — can redirect binary execution to attacker-controlled paths
HTTP_PROXY, HTTPS_PROXY, ALL_PROXY, NO_PROXY — can redirect network traffic through attacker-controlled proxies
BASH_ENV, ENV — name startup files that bash/sh source (execute) when they start
PYTHONPATH, NODE_PATH, RUBYLIB — can inject attacker-controlled modules into interpreted runtimes
Fix
Add these vars to the is_dangerous_env_var() blocklist in crates/zeph-acp/src/mcp_bridge.rs.
For PATH: either strip entirely and pass a minimal safe PATH, or allowlist known-safe system paths.
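One way to implement the proposed blocklist together with the "strip PATH and pass a minimal safe PATH" option, as an added example that is not the project's code; the names is_dangerous_env_var, sanitize_env and the SAFE_PATH value are assumptions:

```rust
// Added example (not the project's own code): a sanitizer for the environment
// handed to an MCP stdio child process. It drops the variables already filtered
// by PR #2436 plus the ones this issue proposes, and replaces PATH with a
// fixed minimal value instead of passing the parent's PATH through.
use std::collections::HashMap;

/// Fixed PATH handed to the child regardless of what the parent had (assumed value).
pub const SAFE_PATH: &str = "/usr/local/bin:/usr/bin:/bin";

/// Loader hooks (already filtered upstream), shell startup files, proxy
/// settings, and interpreter module search paths. PATH is handled separately.
const DANGEROUS: &[&str] = &[
    "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH",
    "_RLD_LIST", "SHLIB_PATH",
    "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY",
    "BASH_ENV", "ENV",
    "PYTHONPATH", "NODE_PATH", "RUBYLIB",
];

/// True if `name` must be stripped. Matching is case-insensitive so the
/// lowercase `http_proxy` that curl and friends honour is caught too.
pub fn is_dangerous_env_var(name: &str) -> bool {
    let upper = name.to_ascii_uppercase();
    upper == "PATH" || DANGEROUS.contains(&upper.as_str())
}

/// Builds the child environment: dangerous keys are dropped and PATH is
/// replaced with `SAFE_PATH`.
pub fn sanitize_env<'a, I>(parent: I) -> HashMap<String, String>
where
    I: IntoIterator<Item = (&'a str, &'a str)>,
{
    let mut child: HashMap<String, String> = parent
        .into_iter()
        .filter(|(k, _)| !is_dangerous_env_var(k))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect();
    child.insert("PATH".to_string(), SAFE_PATH.to_string());
    child
}

fn main() {
    // Constructed sample parent environment, not a real capture.
    let parent = [("HOME", "/home/user"), ("PATH", "/tmp/evil:/usr/bin"), ("PYTHONPATH", "/tmp/evil")];
    for (k, v) in sanitize_env(parent) { println!("{k}={v}"); }
}
```

Any variable the child legitimately needs (for example a deliberately configured proxy) must then be set explicitly by the bridge rather than inherited.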
Related