Skip to content

fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI#42256

Merged
vincentkoc merged 6 commits intomainfrom
vincentkoc-code/docker-env-marker-sanitize-order
Mar 11, 2026
Merged

fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI#42256
vincentkoc merged 6 commits intomainfrom
vincentkoc-code/docker-env-marker-sanitize-order

Conversation

@vincentkoc
Copy link
Copy Markdown
Member

@vincentkoc vincentkoc commented Mar 10, 2026
edited
Loading

Summary

  • Problem: the Docker sandbox path injected OPENCLAW_CLI before env sanitization, unlike the other execution paths from feat(exec): mark child command env with OPENCLAW_CLI #41411.
  • Why it matters: if this call site ever enables strictMode, the sanitizer would block the marker and log it as a blocked variable; on Windows, Docker also allowed a shell: true fallback for unresolved wrapper shims.
  • What changed: Docker env sanitization now runs on user-provided env first, then markOpenClawExecEnv is applied immediately before emitting --env args; Docker Windows resolution now refuses shell fallback and requires a direct executable or resolvable Node entrypoint; the regression tests now cover the strict-mode integration path and unresolved Windows wrapper rejection.
  • What did NOT change (scope boundary): no allowlist changes, no new env vars, and no behavior changes outside Docker sandbox arg construction/spawn resolution.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

  • On Windows, Docker sandbox startup now fails fast instead of shelling out through an unresolved docker.cmd/.bat wrapper.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (Yes)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation: Docker no longer permits Windows shell fallback, which removes a shell-execution path for user-influenced Docker args. The compatibility tradeoff is limited to unresolved wrapper setups, which now fail with an explicit error instead of invoking cmd.exe.

Repro + Verification

Environment

  • OS: macOS (tests cover Windows resolution path)
  • Runtime/container: Node 22, pnpm workspace
  • Model/provider: N/A
  • Integration/channel (if any): Docker sandbox
  • Relevant config (redacted): default sandbox config with env.NODE_ENV=test

Steps

  1. Build Docker create args with envSanitizationOptions.strictMode=true and env.NODE_ENV=test.
  2. Verify the resulting --env args still include OPENCLAW_CLI after sanitization.
  3. On a simulated Windows PATH containing only an unresolved docker.cmd, resolve the Docker spawn invocation.

Expected

  • User env is sanitized first.
  • OPENCLAW_CLI is appended after sanitization and survives strict-mode filtering.
  • Windows Docker resolution does not allow shell: true fallback.

Actual

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: pnpm test -- src/agents/sandbox-create-args.test.ts src/agents/sandbox/docker.windows.test.ts; pnpm exec oxfmt --check src/agents/sandbox/docker.ts src/agents/sandbox/docker.windows.test.ts src/agents/sandbox-create-args.test.ts; pnpm exec oxlint src/agents/sandbox/docker.ts src/agents/sandbox/docker.windows.test.ts src/agents/sandbox-create-args.test.ts
  • Edge cases checked: strict-mode sanitization still permits the injected marker once it is applied after sanitization; unresolved Windows docker.cmd wrappers are rejected instead of enabling shell: true.
  • What you did not verify: full pnpm check is currently failing on unrelated main branch TypeScript errors in other agent/OAuth files.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Mostly)
  • Config/env changes? (No)
  • Migration needed? (Maybe)
  • If yes, exact upgrade steps: Windows environments that rely on an unresolved docker.cmd/.bat shim need Docker installed in a form that resolves to a direct executable or a resolvable Node entrypoint.

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR.
  • Files/config to restore: src/agents/sandbox/docker.ts, src/agents/sandbox/docker.windows.test.ts, src/agents/sandbox-create-args.test.ts
  • Known bad symptoms reviewers should watch for: Docker sandbox create args missing OPENCLAW_CLI under strict sanitization, or Windows Docker startup failing because only an unresolved wrapper is available.

Risks and Mitigations

  • Risk: Windows environments that previously relied on shell fallback may now fail to launch Docker sandboxes.
    • Mitigation: the new behavior is explicit and tested; it avoids executing user-influenced Docker args through cmd.exe and surfaces a direct remediation path.
  • Risk: Docker env arg ordering diverges from the other execution paths again in a future refactor.
    • Mitigation: regression test asserts marker injection survives the strict-mode integration path.

@vincentkoc vincentkoc self-assigned this Mar 10, 2026
@openclaw-barnacle openclaw-barnacle bot added docker Docker and sandbox tooling agents Agent runtime and tooling size: XS maintainer Maintainer-authored PR labels Mar 10, 2026
@vincentkoc vincentkoc marked this pull request as ready for review March 10, 2026 14:59
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 10, 2026

Greptile Summary

This PR fixes a call-site ordering bug in src/agents/sandbox/docker.ts where markOpenClawExecEnv was invoked before sanitizeEnvVars, meaning the OPENCLAW_CLI marker would be subject to sanitizer blocking if strictMode were ever enabled on this path. The fix sanitizes user-provided env vars first, then stamps OPENCLAW_CLI onto the sanitized result immediately before building the --env args — matching the pattern used by the other execution paths introduced in #41411.

Key changes:

  • docker.ts: Swaps the call order so sanitizeEnvVars(params.cfg.env ?? {}) runs first, and markOpenClawExecEnv(envSanitization.allowed) is applied only at the --env emission step.
  • sandbox-create-args.test.ts: Adds a regression test that verifies OPENCLAW_CLI appears in the resulting Docker args; also directly asserts the helper-function ordering survives strictMode: true.

Minor test coverage note: The new it block combines two independent assertions — a raw helper test with strictMode: true, and a buildSandboxCreateArgs call without strict mode. Because buildSandboxCreateArgs doesn't expose a strictMode option, the full strict-mode regression path is not exercised through the integration call. The second assertion would pass even with the old (buggy) ordering in non-strict mode, so it doesn't serve as a true regression guard for the scenario described in the PR.

Confidence Score: 4/5

  • Safe to merge — the production fix is correct and no behavior changes in the current default (non-strict) mode.
  • The core docker.ts change is a clear, minimal, and correct reordering. The only concern is the new test doesn't fully exercise the strict-mode regression path through buildSandboxCreateArgs itself (only through the raw helpers), so the safety of future strict-mode enablement relies on the helper-level assertion rather than a true end-to-end test.
  • Pay attention to src/agents/sandbox-create-args.test.ts — the regression test for strict-mode ordering is only partially integrated with buildSandboxCreateArgs.

Last reviewed commit: aa3f7aa

greptile-apps[bot]
greptile-apps bot reviewed Mar 10, 2026
View reviewed changes
@vincentkoc
Copy link
Copy Markdown
Member Author

vincentkoc commented Mar 10, 2026

Addressed the Windows Docker spawn concern in the latest update.

  • src/agents/sandbox/docker.ts now resolves Docker with allowShellFallback: false, so this path no longer enables shell: true on Windows.
  • src/agents/sandbox/docker.windows.test.ts now covers the unresolved-wrapper case and asserts we fail closed instead of shelling out.
  • src/agents/sandbox-create-args.test.ts now exercises the strict-mode integration path directly through buildSandboxCreateArgs.

Verification:

  • pnpm test -- src/agents/sandbox-create-args.test.ts src/agents/sandbox/docker.windows.test.ts
  • pnpm exec oxfmt --check src/agents/sandbox/docker.ts src/agents/sandbox/docker.windows.test.ts src/agents/sandbox-create-args.test.ts
  • pnpm exec oxlint src/agents/sandbox/docker.ts src/agents/sandbox/docker.windows.test.ts src/agents/sandbox-create-args.test.ts

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: eabeff6e0f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@vincentkoc vincentkoc merged commit bd33a34 into main Mar 11, 2026
29 of 30 checks passed
@vincentkoc vincentkoc deleted the vincentkoc-code/docker-env-marker-sanitize-order branch March 11, 2026 04:59
@github-actions github-actions bot mentioned this pull request Mar 11, 2026
Open
frankekn pushed a commit to MoerAI/openclaw that referenced this pull request Mar 11, 2026
@vincentkoc @frankekn
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
baea06b 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
frankekn pushed a commit to Effet/openclaw that referenced this pull request Mar 11, 2026
@vincentkoc @frankekn
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
456a66a 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
frankekn pushed a commit to ImLukeF/openclaw that referenced this pull request Mar 11, 2026
@vincentkoc @frankekn
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
4d6a4dc 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
hydro13 pushed a commit to andyliu/openclaw that referenced this pull request Mar 11, 2026
@vincentkoc @hydro13
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
27d25a2 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
Treedy2020 pushed a commit to Treedy2020/openclaw that referenced this pull request Mar 11, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
de7d054 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
mrosmarin added a commit to mrosmarin/openclaw that referenced this pull request Mar 11, 2026
@mrosmarin
Merge branch 'main' into feat/add-extraargs-to-zod-schema-tests
c83e561 
* main: (49 commits)
  fix(agents): add nodes to owner-only tool policy fallbacks
  fix(gateway): propagate real gateway client into plugin subagent runtime
  fix(gateway): enforce caller-scope subsetting in device.token.rotate
  fix(terminal): stabilize skills table width across Terminal.app and iTerm (openclaw#42849)
  fix(models): guard optional model input capabilities  (openclaw#42096)
  macOS/onboarding: prompt for remote gateway auth tokens (openclaw#43100)
  fix(macos): use foundationValue when serializing browser proxy POST body (openclaw#43069)
  feat(ios): add local beta release flow (openclaw#42991)
  docs(changelog): update context pruning PR reference
  fix(context-pruning): cover image-only tool-result pruning
  fix(context-pruning): prune image-containing tool results instead of skipping them (openclaw#41789)
  fix(agents): include azure-openai in Responses API store override (openclaw#42934)
  fix(telegram): fall back on ambiguous first preview sends
  fix(telegram): prevent duplicate messages with slow LLM providers (openclaw#41932)
  Providers: add Opencode Go support (openclaw#42313)
  fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (openclaw#42256)
  macOS: add chat model selector and persist thinking (openclaw#42314)
  fix: clear pnpm prod audit vulnerabilities
  fix(build): restore full gate
  fix(gateway): split conversation reset from admin reset
  ...
dhoman pushed a commit to dhoman/chrono-claw that referenced this pull request Mar 11, 2026
@vincentkoc @dhoman
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
65aae1d 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
ahelpercn pushed a commit to ahelpercn/openclaw that referenced this pull request Mar 12, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
485c67e 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
Ruijie-Ysp pushed a commit to Ruijie-Ysp/clawdbot that referenced this pull request Mar 12, 2026
@vincentkoc @Ruijie-Ysp
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
0c98104 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
@github-actions github-actions bot mentioned this pull request Mar 12, 2026
Open
leozhengliu-pixel pushed a commit to leozhengliu-pixel/openclaw that referenced this pull request Mar 13, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
0d92a0b 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
plabzzxx pushed a commit to plabzzxx/openclaw that referenced this pull request Mar 13, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
c7f619b 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
wdskuki pushed a commit to wdskuki/openclaw that referenced this pull request Mar 16, 2026
@vincentkoc @wdskuki
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
409f06f 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
Interstellar-code pushed a commit to Interstellar-code/operator1 that referenced this pull request Mar 16, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
fe76957 
…aw#42256)

(cherry picked from commit bd33a34)

fix: String() cast for unknown env value in template literal
Interstellar-code pushed a commit to Interstellar-code/operator1 that referenced this pull request Mar 16, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
31d2c4e 
…aw#42256)

(cherry picked from commit bd33a34)

fix: String() cast for unknown env value in template literal
Interstellar-code pushed a commit to Interstellar-code/operator1 that referenced this pull request Mar 16, 2026
@vincentkoc
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
88e480b 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args

(cherry picked from commit bd33a34)
senw-developers pushed a commit to senw-developers/va-openclaw that referenced this pull request Mar 17, 2026
@vincentkoc @Shlemon
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
acc496d 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
t--becker pushed a commit to t--becker/openclaw that referenced this pull request Mar 19, 2026
@vincentkoc @t--becker
fix(sandbox): sanitize Docker env before marking OPENCLAW_CLI (opencl…
19194f8 
…aw#42256)

* Sandbox: sanitize Docker env before exec marker injection

* Sandbox: add regression test for Docker exec marker env

* Sandbox: disable Windows shell fallback for Docker

* Sandbox: cover Windows Docker wrapper rejection

* Sandbox: test strict env sanitization through Docker args
@alexey-pelykh alexey-pelykh mentioned this pull request Mar 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@vincentkoc vincentkoc

Labels

agents Agent runtime and tooling docker Docker and sandbox tooling maintainer Maintainer-authored PR size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vincentkoc