fix: block node env path redirects

pgondhi987 · pgondhi987 · commit 254872e11bfb · 2026-05-27T14:20:06.000Z
diff --git a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -135,7 +135,9 @@ enum HostEnvSecurityPolicy {
         "NODE_AUTH_TOKEN",
         "NODE_OPTIONS",
         "NODE_PATH",
+        "NODE_REDIRECT_WARNINGS",
         "NODE_REPL_EXTERNAL_MODULE",
+        "NODE_REPL_HISTORY",
         "NODE_V8_COVERAGE",
         "NPM_TOKEN",
         "OBJC_INCLUDE_PATH",
@@ -269,7 +271,9 @@ enum HostEnvSecurityPolicy {
         "MYVIMRC",
         "NODE_OPTIONS",
         "NODE_PATH",
+        "NODE_REDIRECT_WARNINGS",
         "NODE_REPL_EXTERNAL_MODULE",
+        "NODE_REPL_HISTORY",
         "NODE_V8_COVERAGE",
         "PACKER_PLUGIN_PATH",
         "PERL5LIB",
diff --git a/docs/cli/mcp.md b/docs/cli/mcp.md
@@ -441,7 +441,7 @@ Launches a local child process and communicates over stdin/stdout.
 <Warning>
 **Stdio env safety filter**
 
-OpenClaw rejects interpreter-startup env keys that can alter how a stdio MCP server starts up before the first RPC, even if they appear in a server's `env` block. Blocked keys include `NODE_OPTIONS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_V8_COVERAGE`, `PYTHONSTARTUP`, `PYTHONPATH`, `PERL5OPT`, `RUBYOPT`, `SHELLOPTS`, `PS4`, and similar runtime-control variables. Startup rejects these with a configuration error so they cannot inject an implicit prelude, swap the interpreter, enable a debugger, or redirect runtime output against the stdio process. Ordinary credential, proxy, and server-specific env vars (`GITHUB_TOKEN`, `HTTP_PROXY`, custom `*_API_KEY`, etc.) are unaffected.
+OpenClaw rejects interpreter-startup env keys that can alter how a stdio MCP server starts up before the first RPC, even if they appear in a server's `env` block. Blocked keys include `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHONSTARTUP`, `PYTHONPATH`, `PERL5OPT`, `RUBYOPT`, `SHELLOPTS`, `PS4`, and similar runtime-control variables. Startup rejects these with a configuration error so they cannot inject an implicit prelude, swap the interpreter, enable a debugger, or redirect runtime output against the stdio process. Ordinary credential, proxy, and server-specific env vars (`GITHUB_TOKEN`, `HTTP_PROXY`, custom `*_API_KEY`, etc.) are unaffected.
 
 If your MCP server genuinely needs one of the blocked variables, set it on the gateway host process instead of under the stdio server's `env`.
 </Warning>
diff --git a/docs/nodes/index.md b/docs/nodes/index.md
@@ -376,7 +376,7 @@ Notes:
 - For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 - On Windows node hosts in allowlist mode, shell-wrapper runs via `cmd.exe /c` require approval (allowlist entry alone does not auto-allow the wrapper form).
 - `system.notify` supports `--priority <passive|active|timeSensitive>` and `--delivery <system|overlay|auto>`.
-- Node hosts ignore `PATH` overrides and strip dangerous startup/shell keys (`DYLD_*`, `LD_*`, `NODE_OPTIONS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing `PATH` via `--env`.
+- Node hosts ignore `PATH` overrides and strip dangerous startup/shell keys (`DYLD_*`, `LD_*`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing `PATH` via `--env`.
 - On macOS node mode, `system.run` is gated by exec approvals in the macOS app (Settings → Exec approvals).
   Ask/allowlist/full behave the same as the headless node host; denied prompts return `SYSTEM_RUN_DENIED`.
 - On headless node host, `system.run` is gated by exec approvals (`~/.openclaw/exec-approvals.json`).
diff --git a/docs/platforms/macos.md b/docs/platforms/macos.md
@@ -105,7 +105,7 @@ Notes:
 - `allowlist` entries are glob patterns for resolved binary paths, or bare command names for PATH-invoked commands.
 - Raw shell command text that contains shell control or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is treated as an allowlist miss and requires explicit approval (or allowlisting the shell binary).
 - Choosing "Always Allow" in the prompt adds that command to the allowlist.
-- `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `NODE_OPTIONS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`) and then merged with the app's environment.
+- `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`) and then merged with the app's environment.
 - For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped environment overrides are reduced to a small explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
 - For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 
diff --git a/src/agents/skills.test.ts b/src/agents/skills.test.ts
@@ -691,41 +691,66 @@ describe("applySkillEnvOverrides", () => {
 
   it("blocks dangerous host env overrides even when declared", () => {
     const entries = envSkillEntries("dangerous-env-skill", {
-      requires: { env: ["BASH_ENV", "SHELL", "NODE_REPL_EXTERNAL_MODULE", "NODE_V8_COVERAGE"] },
+      requires: {
+        env: [
+          "BASH_ENV",
+          "SHELL",
+          "NODE_REDIRECT_WARNINGS",
+          "NODE_REPL_EXTERNAL_MODULE",
+          "NODE_REPL_HISTORY",
+          "NODE_V8_COVERAGE",
+        ],
+      },
     });
 
-    withClearedEnv(["BASH_ENV", "SHELL", "NODE_REPL_EXTERNAL_MODULE", "NODE_V8_COVERAGE"], () => {
-      const restore = applySkillEnvOverrides({
-        skills: entries,
-        config: {
-          skills: {
-            entries: {
-              "dangerous-env-skill": {
-                env: {
-                  BASH_ENV: "/tmp/pwn.sh",
-                  SHELL: "/tmp/evil-shell",
-                  NODE_REPL_EXTERNAL_MODULE: "/tmp/pwn.js",
-                  NODE_V8_COVERAGE: "/tmp/coverage",
+    withClearedEnv(
+      [
+        "BASH_ENV",
+        "SHELL",
+        "NODE_REDIRECT_WARNINGS",
+        "NODE_REPL_EXTERNAL_MODULE",
+        "NODE_REPL_HISTORY",
+        "NODE_V8_COVERAGE",
+      ],
+      () => {
+        const restore = applySkillEnvOverrides({
+          skills: entries,
+          config: {
+            skills: {
+              entries: {
+                "dangerous-env-skill": {
+                  env: {
+                    BASH_ENV: "/tmp/pwn.sh",
+                    SHELL: "/tmp/evil-shell",
+                    NODE_REDIRECT_WARNINGS: "/tmp/node-warnings.log",
+                    NODE_REPL_EXTERNAL_MODULE: "/tmp/pwn.js",
+                    NODE_REPL_HISTORY: "/tmp/node-repl-history",
+                    NODE_V8_COVERAGE: "/tmp/coverage",
+                  },
                 },
               },
             },
           },
-        },
-      });
-
-      try {
-        expect(process.env.BASH_ENV).toBeUndefined();
-        expect(process.env.SHELL).toBeUndefined();
-        expect(process.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
-        expect(process.env.NODE_V8_COVERAGE).toBeUndefined();
-      } finally {
-        restore();
-        expect(process.env.BASH_ENV).toBeUndefined();
-        expect(process.env.SHELL).toBeUndefined();
-        expect(process.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
-        expect(process.env.NODE_V8_COVERAGE).toBeUndefined();
-      }
-    });
+        });
+
+        try {
+          expect(process.env.BASH_ENV).toBeUndefined();
+          expect(process.env.SHELL).toBeUndefined();
+          expect(process.env.NODE_REDIRECT_WARNINGS).toBeUndefined();
+          expect(process.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
+          expect(process.env.NODE_REPL_HISTORY).toBeUndefined();
+          expect(process.env.NODE_V8_COVERAGE).toBeUndefined();
+        } finally {
+          restore();
+          expect(process.env.BASH_ENV).toBeUndefined();
+          expect(process.env.SHELL).toBeUndefined();
+          expect(process.env.NODE_REDIRECT_WARNINGS).toBeUndefined();
+          expect(process.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
+          expect(process.env.NODE_REPL_HISTORY).toBeUndefined();
+          expect(process.env.NODE_V8_COVERAGE).toBeUndefined();
+        }
+      },
+    );
   });
 
   it("blocks override-only host env overrides in skill config", () => {
diff --git a/src/infra/dotenv.test.ts b/src/infra/dotenv.test.ts
@@ -229,7 +229,9 @@ describe("loadDotEnv", () => {
           [
             "SAFE_KEY=from-cwd",
             "NODE_OPTIONS=--require ./evil.js",
+            "NODE_REDIRECT_WARNINGS=./warnings.log",
             "NODE_REPL_EXTERNAL_MODULE=./evil-repl.js",
+            "NODE_REPL_HISTORY=./repl-history",
             "NODE_V8_COVERAGE=./coverage",
             "OPENCLAW_STATE_DIR=./evil-state",
             "OPENCLAW_CONFIG_PATH=./evil-config.json",
@@ -251,7 +253,9 @@ describe("loadDotEnv", () => {
         vi.spyOn(process, "cwd").mockReturnValue(cwdDir);
         delete process.env.SAFE_KEY;
         delete process.env.NODE_OPTIONS;
+        delete process.env.NODE_REDIRECT_WARNINGS;
         delete process.env.NODE_REPL_EXTERNAL_MODULE;
+        delete process.env.NODE_REPL_HISTORY;
         delete process.env.NODE_V8_COVERAGE;
         delete process.env.OPENCLAW_CONFIG_PATH;
         delete process.env.ANTHROPIC_BASE_URL;
@@ -271,7 +275,9 @@ describe("loadDotEnv", () => {
         expect(process.env.SAFE_KEY).toBe("from-cwd");
         expect(process.env.BAR).toBe("from-global");
         expect(process.env.NODE_OPTIONS).toBeUndefined();
+        expect(process.env.NODE_REDIRECT_WARNINGS).toBeUndefined();
         expect(process.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
+        expect(process.env.NODE_REPL_HISTORY).toBeUndefined();
         expect(process.env.NODE_V8_COVERAGE).toBeUndefined();
         expect(process.env.OPENCLAW_STATE_DIR).toBe(stateDir);
         expect(process.env.OPENCLAW_CONFIG_PATH).toBeUndefined();
@@ -697,7 +703,9 @@ describe("loadCliDotEnv", () => {
             "OPENCLAW_CONFIG_PATH=./evil-config.json",
             `OPENCLAW_BUNDLED_PLUGINS_DIR=${bundledPluginsDir}`,
             "NODE_OPTIONS=--require ./evil.js",
+            "NODE_REDIRECT_WARNINGS=./warnings.log",
             "NODE_REPL_EXTERNAL_MODULE=./evil-repl.js",
+            "NODE_REPL_HISTORY=./repl-history",
             "NODE_V8_COVERAGE=./coverage",
             "ANTHROPIC_BASE_URL=https://evil.example.com/v1",
             "UV_PYTHON=./attacker-python",
@@ -711,7 +719,9 @@ describe("loadCliDotEnv", () => {
         delete process.env.OPENCLAW_CONFIG_PATH;
         delete process.env.OPENCLAW_BUNDLED_PLUGINS_DIR;
         delete process.env.NODE_OPTIONS;
+        delete process.env.NODE_REDIRECT_WARNINGS;
         delete process.env.NODE_REPL_EXTERNAL_MODULE;
+        delete process.env.NODE_REPL_HISTORY;
         delete process.env.NODE_V8_COVERAGE;
         delete process.env.ANTHROPIC_BASE_URL;
         delete process.env.UV_PYTHON;
@@ -726,7 +736,9 @@ describe("loadCliDotEnv", () => {
         expect(process.env.OPENCLAW_CONFIG_PATH).toBeUndefined();
         expect(process.env.OPENCLAW_BUNDLED_PLUGINS_DIR).toBeUndefined();
         expect(process.env.NODE_OPTIONS).toBeUndefined();
+        expect(process.env.NODE_REDIRECT_WARNINGS).toBeUndefined();
         expect(process.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
+        expect(process.env.NODE_REPL_HISTORY).toBeUndefined();
         expect(process.env.NODE_V8_COVERAGE).toBeUndefined();
         expect(process.env.ANTHROPIC_BASE_URL).toBeUndefined();
         expect(process.env.UV_PYTHON).toBeUndefined();
diff --git a/src/infra/host-env-security-policy.json b/src/infra/host-env-security-policy.json
@@ -2,7 +2,9 @@
   "blockedEverywhereKeys": [
     "NODE_OPTIONS",
     "NODE_PATH",
+    "NODE_REDIRECT_WARNINGS",
     "NODE_REPL_EXTERNAL_MODULE",
+    "NODE_REPL_HISTORY",
     "NODE_V8_COVERAGE",
     "PYTHONHOME",
     "PYTHONPATH",
diff --git a/src/infra/host-env-security.reported-baseline.json b/src/infra/host-env-security.reported-baseline.json
@@ -67,7 +67,9 @@
     "MYVIMRC",
     "NODE_OPTIONS",
     "NODE_PATH",
+    "NODE_REDIRECT_WARNINGS",
     "NODE_REPL_EXTERNAL_MODULE",
+    "NODE_REPL_HISTORY",
     "NODE_V8_COVERAGE",
     "PACKER_PLUGIN_PATH",
     "PERL5LIB",
@@ -246,5 +248,5 @@
     "YARN_RC_FILENAME",
     "ZDOTDIR"
   ],
-  "expectedTotalReportedEntries": 241
+  "expectedTotalReportedEntries": 243
 }
diff --git a/src/infra/host-env-security.reported-baseline.test.ts b/src/infra/host-env-security.reported-baseline.test.ts
@@ -91,7 +91,7 @@ describe("host env reported baseline coverage", () => {
       baseline.reportedDangerousEverywhereKeys.length +
         baseline.reportedDangerousOverrideOnlyKeys.length,
     ).toBe(baseline.expectedTotalReportedEntries);
-    expect(baseline.expectedTotalReportedEntries).toBe(241);
+    expect(baseline.expectedTotalReportedEntries).toBe(243);
     expect(sortUniqueUpper(baseline.reportedDangerousEverywhereKeys)).toEqual(
       baseline.reportedDangerousEverywhereKeys,
     );
diff --git a/src/infra/host-env-security.test.ts b/src/infra/host-env-security.test.ts
@@ -191,8 +191,12 @@ describe("isDangerousHostEnvVarName", () => {
     expect(isDangerousHostEnvVarName("maven_opts")).toBe(true);
     expect(isDangerousHostEnvVarName("MAKEFLAGS")).toBe(true);
     expect(isDangerousHostEnvVarName("makeflags")).toBe(true);
+    expect(isDangerousHostEnvVarName("NODE_REDIRECT_WARNINGS")).toBe(true);
+    expect(isDangerousHostEnvVarName("node_redirect_warnings")).toBe(true);
     expect(isDangerousHostEnvVarName("NODE_REPL_EXTERNAL_MODULE")).toBe(true);
     expect(isDangerousHostEnvVarName("node_repl_external_module")).toBe(true);
+    expect(isDangerousHostEnvVarName("NODE_REPL_HISTORY")).toBe(true);
+    expect(isDangerousHostEnvVarName("node_repl_history")).toBe(true);
     expect(isDangerousHostEnvVarName("NODE_V8_COVERAGE")).toBe(true);
     expect(isDangerousHostEnvVarName("node_v8_coverage")).toBe(true);
     expect(isDangerousHostEnvVarName("MFLAGS")).toBe(true);
@@ -332,7 +336,9 @@ describe("sanitizeHostExecEnv", () => {
         DOCKER_CONTEXT: "trusted-remote",
         DOCKER_HOST: "tcp://docker.example.test:2376",
         LD_PRELOAD: "/tmp/pwn.so",
+        NODE_REDIRECT_WARNINGS: "/tmp/node-warnings.log",
         NODE_REPL_EXTERNAL_MODULE: "/tmp/pwn.js",
+        NODE_REPL_HISTORY: "/tmp/node-repl-history",
         NODE_V8_COVERAGE: "/tmp/coverage",
         OK: "1",
       },
@@ -424,7 +430,9 @@ describe("sanitizeHostExecEnv", () => {
         CPLUS_INCLUDE_PATH: "/tmp/evil-cpp-headers",
         OBJC_INCLUDE_PATH: "/tmp/evil-objc-headers",
         HELM_HOME: "/tmp/override-helm",
+        NODE_REDIRECT_WARNINGS: "/tmp/node-warnings.log",
         NODE_REPL_EXTERNAL_MODULE: "/tmp/pwn.js",
+        NODE_REPL_HISTORY: "/tmp/node-repl-history",
         NODE_V8_COVERAGE: "/tmp/coverage",
         NODE_EXTRA_CA_CERTS: "/tmp/evil-ca.pem",
         SSL_CERT_FILE: "/tmp/evil-cert.pem",
@@ -536,7 +544,9 @@ describe("sanitizeHostExecEnv", () => {
     expect(env.GOPATH).toBeUndefined();
     expect(env.CARGO_HOME).toBeUndefined();
     expect(env.HELM_HOME).toBeUndefined();
+    expect(env.NODE_REDIRECT_WARNINGS).toBeUndefined();
     expect(env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
+    expect(env.NODE_REPL_HISTORY).toBeUndefined();
     expect(env.NODE_V8_COVERAGE).toBeUndefined();
     expect(env.PYTHONUSERBASE).toBeUndefined();
     expect(env.VIRTUAL_ENV).toBeUndefined();
@@ -992,7 +1002,9 @@ describe("sanitizeHostExecEnvWithDiagnostics", () => {
         MAKEFLAGS: "--eval=$(shell touch /tmp/pwned)",
         MFLAGS: "--eval=$(shell touch /tmp/pwned-too)",
         HELM_HOME: "/tmp/evil-helm",
+        NODE_REDIRECT_WARNINGS: "/tmp/node-warnings.log",
         NODE_REPL_EXTERNAL_MODULE: "/tmp/pwn.js",
+        NODE_REPL_HISTORY: "/tmp/node-repl-history",
         NODE_V8_COVERAGE: "/tmp/coverage",
         PYTHONUSERBASE: "/tmp/evil-python-userbase",
         RUSTC_WRAPPER: "/tmp/evil-rustc-wrapper",
@@ -1055,7 +1067,9 @@ describe("sanitizeHostExecEnvWithDiagnostics", () => {
       "MAKEFLAGS",
       "MFLAGS",
       "NODE_EXTRA_CA_CERTS",
+      "NODE_REDIRECT_WARNINGS",
       "NODE_REPL_EXTERNAL_MODULE",
+      "NODE_REPL_HISTORY",
       "NODE_TLS_REJECT_UNAUTHORIZED",
       "NODE_V8_COVERAGE",
       "OBJC_INCLUDE_PATH",
@@ -1138,7 +1152,9 @@ describe("sanitizeHostExecEnvWithDiagnostics", () => {
     expect(result.env.CARGO_HOME).toBeUndefined();
     expect(result.env.HGRCPATH).toBeUndefined();
     expect(result.env.HELM_HOME).toBeUndefined();
+    expect(result.env.NODE_REDIRECT_WARNINGS).toBeUndefined();
     expect(result.env.NODE_REPL_EXTERNAL_MODULE).toBeUndefined();
+    expect(result.env.NODE_REPL_HISTORY).toBeUndefined();
     expect(result.env.NODE_V8_COVERAGE).toBeUndefined();
     expect(result.env.HTTPS_PROXY).toBeUndefined();
     expect(result.env.JAVA_OPTS).toBeUndefined();
