fix(security): scrub credential env vars from ShellExecutor subprocess environment#2452
Merged
fix(security): scrub credential env vars from ShellExecutor subprocess environment#2452
Conversation
github-actions
bot
added
bug
…s environment (#2449) Zeph's ShellExecutor inherited the full parent process environment when spawning bash subcommands, exposing any credentials present in the process env (e.g. vars set by the user's shell profile) to arbitrary shell commands executed by the agent. Add `env_blocklist: Vec<String>` to `ShellConfig` (default-on, covers ZEPH_*, AWS_*, AZURE_*, GCP_*, GOOGLE_*, OPENAI_*, ANTHROPIC_*, HF_*, HUGGING*). In `execute_bash`, iterate `std::env::vars()` and call `cmd.env_remove()` for any key matching a blocklist prefix before spawning. Skill `extra_env` vars are injected after scrubbing and are unaffected. Configurable via `[tools.shell] env_blocklist`. Closes #2449
bug-ops
force-pushed
the
2448-security-hardening
branch
from
0762935 to
ac9931d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ShellExecutornow strips credential env vars (matching configurable prefix blocklist) from the subprocess environment before spawningbash -ccommands, preventing exfiltration via arbitrary shell commandsZEPH_*,AWS_*,AZURE_*,GCP_*,GOOGLE_*,OPENAI_*,ANTHROPIC_*,HF_*,HUGGING*[tools.shell] env_blocklist— operators can extend or restrict the listNote: #2448 was closed as already resolved —
crates/zeph-acp/src/transport/auth.rsalready usessubtle::ConstantTimeEqon blake3 digests.Changes
crates/zeph-tools/src/config.rs:env_blocklist: Vec<String>field added toShellConfigwith secure defaultscrates/zeph-tools/src/shell/mod.rs: env scrubbing loop inexecute_bash()before subprocess spawncrates/zeph-tools/src/shell/tests.rs: 5 new tests covering scrubbing, preservation of safe vars, and skill extra_env passthroughTest plan
cargo +nightly fmt --check— passcargo clippy --all-targets --workspace -- -D warnings— passcargo nextest run --workspace --lib --bins— 6731 passed, 0 failedenv_blocklist_strips_sensitive_vars,env_blocklist_preserves_safe_vars,env_blocklist_extra_env_still_injected,env_blocklist_multiple_prefixes,empty_env_blocklist_passes_all_vars