fix: block git protocol env controls [AI] (#91619)

pgondhi987 · web-flow · commit 86bab9699d0d · 2026-06-09T21:09:14.000+05:30
* fix: block git protocol env controls

* fix: preserve restrictive git protocol env

* fix: preserve restrictive git allowlists

* fix: filter inherited git protocol allowlists

* test: cover restrictive git allowlists

* test: avoid opengrep fixture false positives

* test: type env fixture helper narrowly

* fix: preserve zero git protocol booleans

* fix: preserve invalid git protocol booleans

* fix: force git protocol from user off

* fix: share git inherited env sanitization
diff --git a/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift b/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
@@ -24,6 +24,15 @@ enum HostEnvSanitizer {
         "NO_COLOR",
         "FORCE_COLOR",
     ]
+    private static let gitAllowProtocolKey = "GIT_ALLOW_PROTOCOL"
+    private static let gitProtocolFromUserKey = "GIT_PROTOCOL_FROM_USER"
+    private static let gitProtocolFromUserDisabledValue = "0"
+    private static let gitDefaultAlwaysAllowedProtocols: Set<String> = [
+        "git",
+        "http",
+        "https",
+        "ssh",
+    ]
 
     private static func isBlocked(_ upperKey: String) -> Bool {
         if self.blockedKeys.contains(upperKey) { return true }
@@ -82,6 +91,25 @@ enum HostEnvSanitizer {
         Array(Set(values)).sorted()
     }
 
+    private static func isPermissiveGitProtocolFromUserValue(_ value: String) -> Bool {
+        let normalized = value.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
+        if normalized == "true" || normalized == "yes" || normalized == "on" {
+            return true
+        }
+        let isInteger = normalized.range(of: #"^[+-]?[0-9]+$"#, options: .regularExpression) != nil
+        let isZero = normalized.range(of: #"^[+-]?0+$"#, options: .regularExpression) != nil
+        return isInteger && !isZero
+    }
+
+    private static func sanitizeInheritedGitAllowProtocolValue(_ value: String) -> String {
+        let normalized = value.trimmingCharacters(in: .whitespacesAndNewlines)
+        if normalized.isEmpty { return "" }
+        let safeProtocols = normalized
+            .split(separator: ":", omittingEmptySubsequences: false)
+            .filter { self.gitDefaultAlwaysAllowedProtocols.contains(String($0)) }
+        return safeProtocols.joined(separator: ":")
+    }
+
     static func inspectOverrides(
         overrides: [String: String]?,
         blockPathOverrides: Bool = true) -> HostEnvOverrideDiagnostics
@@ -120,6 +148,22 @@ enum HostEnvSanitizer {
             let key = rawKey.trimmingCharacters(in: .whitespacesAndNewlines)
             guard !key.isEmpty else { continue }
             let upper = key.uppercased()
+            // Preserve inherited Git allowlists without widening malformed or unsafe entries by
+            // deletion. Protocols outside Git's safe default set are removed instead.
+            if upper == self.gitAllowProtocolKey {
+                merged[key] = self.sanitizeInheritedGitAllowProtocolValue(value)
+                continue
+            }
+            // Preserve non-permissive Git boolean values. Permissive values must become explicit
+            // `0` because Git's unset default still permits protocols with policy `user`.
+            if upper == self.gitProtocolFromUserKey {
+                if !self.isPermissiveGitProtocolFromUserValue(value) {
+                    merged[key] = value
+                } else {
+                    merged[key] = self.gitProtocolFromUserDisabledValue
+                }
+                continue
+            }
             if self.isBlockedInherited(upper) { continue }
             merged[key] = value
         }
diff --git a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -78,6 +78,7 @@ enum HostEnvSecurityPolicy {
         "GH_TOKEN",
         "GITHUB_TOKEN",
         "GITLAB_TOKEN",
+        "GIT_ALLOW_PROTOCOL",
         "GIT_ALTERNATE_OBJECT_DIRECTORIES",
         "GIT_ASKPASS",
         "GIT_COMMON_DIR",
@@ -89,6 +90,7 @@ enum HostEnvSecurityPolicy {
         "GIT_INDEX_FILE",
         "GIT_NAMESPACE",
         "GIT_OBJECT_DIRECTORY",
+        "GIT_PROTOCOL_FROM_USER",
         "GIT_PROXY_COMMAND",
         "GIT_SEQUENCE_EDITOR",
         "GIT_SSH",
@@ -239,6 +241,7 @@ enum HostEnvSecurityPolicy {
         "EXINIT",
         "FPATH",
         "GCONV_PATH",
+        "GIT_ALLOW_PROTOCOL",
         "GIT_ALTERNATE_OBJECT_DIRECTORIES",
         "GIT_COMMON_DIR",
         "GIT_DIR",
@@ -249,6 +252,7 @@ enum HostEnvSecurityPolicy {
         "GIT_INDEX_FILE",
         "GIT_NAMESPACE",
         "GIT_OBJECT_DIRECTORY",
+        "GIT_PROTOCOL_FROM_USER",
         "GIT_SEQUENCE_EDITOR",
         "GIT_SSL_CAINFO",
         "GIT_SSL_CAPATH",
diff --git a/src/agents/bash-tools.exec-runtime.test.ts b/src/agents/bash-tools.exec-runtime.test.ts
@@ -34,6 +34,7 @@ let formatExecFailureReason: typeof import("./bash-tools.exec-runtime.js").forma
 let renderExecUpdateText: typeof import("./bash-tools.exec-runtime.js").renderExecUpdateText;
 let resolveExecTarget: typeof import("./bash-tools.exec-runtime.js").resolveExecTarget;
 let runExecProcess: typeof import("./bash-tools.exec-runtime.js").runExecProcess;
+let sanitizeHostBaseEnv: typeof import("./bash-tools.exec-runtime.js").sanitizeHostBaseEnv;
 
 beforeAll(async () => {
   ({ markBackgrounded } = await import("./bash-process-registry.js"));
@@ -45,6 +46,7 @@ beforeAll(async () => {
     renderExecUpdateText,
     resolveExecTarget,
     runExecProcess,
+    sanitizeHostBaseEnv,
   } = await import("./bash-tools.exec-runtime.js"));
 });
 
@@ -113,6 +115,33 @@ describe("detectCursorKeyMode", () => {
   });
 });
 
+describe("sanitizeHostBaseEnv", () => {
+  it("uses value-aware Git protocol inherited env sanitization", () => {
+    expect(
+      sanitizeHostBaseEnv({
+        PATH: "/usr/bin:/bin",
+        GIT_ALLOW_PROTOCOL: "https:ext:ssh",
+        GIT_PROTOCOL_FROM_USER: "1",
+        GIT_SSH_COMMAND: "touch /tmp/pwned",
+        SAFE: "ok",
+      }),
+    ).toEqual({
+      PATH: "/usr/bin:/bin",
+      GIT_ALLOW_PROTOCOL: "https:ssh",
+      GIT_PROTOCOL_FROM_USER: "0",
+      SAFE: "ok",
+    });
+
+    expect(
+      sanitizeHostBaseEnv({
+        GIT_PROTOCOL_FROM_USER: "false",
+      }),
+    ).toEqual({
+      GIT_PROTOCOL_FROM_USER: "false",
+    });
+  });
+});
+
 describe("resolveExecTarget", () => {
   it("keeps implicit auto on sandbox when a sandbox runtime is available", () => {
     expectExecTarget(
diff --git a/src/agents/bash-tools.exec-runtime.ts b/src/agents/bash-tools.exec-runtime.ts
@@ -19,7 +19,10 @@ import {
   type ExecTarget,
 } from "../infra/exec-approvals.js";
 import { requestHeartbeat } from "../infra/heartbeat-wake.js";
-import { isDangerousHostInheritedEnvVarName } from "../infra/host-env-security.js";
+import {
+  isDangerousHostInheritedEnvVarName,
+  sanitizeHostInheritedEnvEntry,
+} from "../infra/host-env-security.js";
 import { findPathKey, mergePathPrepend, removePathPrepend } from "../infra/path-prepend.js";
 import { enqueueSystemEvent } from "../infra/system-events.js";
 import { isSubagentSessionKey } from "../sessions/session-key-utils.js";
@@ -93,15 +96,12 @@ export function detectCursorKeyMode(raw: string): "application" | "normal" | nul
 export function sanitizeHostBaseEnv(env: Record<string, string>): Record<string, string> {
   const sanitized: Record<string, string> = {};
   for (const [key, value] of Object.entries(env)) {
-    const upperKey = key.toUpperCase();
-    if (upperKey === "PATH") {
-      sanitized[key] = value;
-      continue;
-    }
-    if (isDangerousHostInheritedEnvVarName(upperKey)) {
+    const sanitizedEntry = sanitizeHostInheritedEnvEntry(key, value);
+    if (!sanitizedEntry) {
       continue;
     }
-    sanitized[key] = value;
+    const [sanitizedKey, sanitizedValue] = sanitizedEntry;
+    sanitized[sanitizedKey] = sanitizedValue;
   }
   return sanitized;
 }
diff --git a/src/infra/host-env-security-policy.json b/src/infra/host-env-security-policy.json
@@ -17,6 +17,7 @@
     "ENV",
     "KSH_ENV",
     "BROWSER",
+    "GIT_ALLOW_PROTOCOL",
     "GIT_EDITOR",
     "GIT_EXTERNAL_DIFF",
     "GIT_DIR",
@@ -27,6 +28,7 @@
     "GIT_OBJECT_DIRECTORY",
     "GIT_ALTERNATE_OBJECT_DIRECTORIES",
     "GIT_NAMESPACE",
+    "GIT_PROTOCOL_FROM_USER",
     "GIT_SEQUENCE_EDITOR",
     "GIT_TEMPLATE_DIR",
     "GIT_SSL_NO_VERIFY",
diff --git a/src/infra/host-env-security.reported-baseline.json b/src/infra/host-env-security.reported-baseline.json
@@ -31,6 +31,7 @@
     "EXINIT",
     "FPATH",
     "GCONV_PATH",
+    "GIT_ALLOW_PROTOCOL",
     "GIT_ALTERNATE_OBJECT_DIRECTORIES",
     "GIT_COMMON_DIR",
     "GIT_DIR",
@@ -41,6 +42,7 @@
     "GIT_INDEX_FILE",
     "GIT_NAMESPACE",
     "GIT_OBJECT_DIRECTORY",
+    "GIT_PROTOCOL_FROM_USER",
     "GIT_SEQUENCE_EDITOR",
     "GIT_SSL_CAINFO",
     "GIT_SSL_CAPATH",
@@ -257,5 +259,5 @@
     "YARN_RC_FILENAME",
     "ZDOTDIR"
   ],
-  "expectedTotalReportedEntries": 252
+  "expectedTotalReportedEntries": 254
 }
diff --git a/src/infra/host-env-security.reported-baseline.test.ts b/src/infra/host-env-security.reported-baseline.test.ts
@@ -97,7 +97,7 @@ describe("host env reported baseline coverage", () => {
       baseline.reportedDangerousEverywhereKeys.length +
         baseline.reportedDangerousOverrideOnlyKeys.length,
     ).toBe(baseline.expectedTotalReportedEntries);
-    expect(baseline.expectedTotalReportedEntries).toBe(252);
+    expect(baseline.expectedTotalReportedEntries).toBe(254);
     expect(sortUniqueUpper(baseline.reportedDangerousEverywhereKeys)).toEqual(
       baseline.reportedDangerousEverywhereKeys,
     );
@@ -119,6 +119,14 @@ describe("host env reported baseline coverage", () => {
     for (const key of baseline.reportedDangerousEverywhereKeys) {
       expect(isDangerousHostEnvVarName(key)).toBe(true);
       expect(isDangerousHostInheritedEnvVarName(key)).toBe(true);
+      if (key === "GIT_ALLOW_PROTOCOL") {
+        expect(inheritedSanitized[key]).toBe("");
+        continue;
+      }
+      if (key === "GIT_PROTOCOL_FROM_USER") {
+        expect(inheritedSanitized[key]).toBe(`${key.toLowerCase()}-from-inherited`);
+        continue;
+      }
       expect(inheritedSanitized[key]).toBeUndefined();
     }
 
diff --git a/src/infra/host-env-security.test.ts b/src/infra/host-env-security.test.ts
diff --git a/src/infra/host-env-security.ts b/src/infra/host-env-security.ts
