fix: expand unsafe host env denylist (#91618)

pgondhi987 · web-flow · commit 9f413acc183d · 2026-06-09T19:44:54.000+05:30
* fix: expand unsafe host env denylist

* test: annotate host env security fixtures

* test: align opengrep fixture suppressions

* test: keep opengrep suppressions inline

* test: avoid opengrep fixture call patterns
diff --git a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -28,6 +28,7 @@ enum HostEnvSecurityPolicy {
         "AWS_SESSION_TOKEN",
         "AZURE_CLIENT_ID",
         "AZURE_CLIENT_SECRET",
+        "BASHOPTS",
         "BASH_ENV",
         "BROWSER",
         "BUNDLE_GEMFILE",
@@ -70,6 +71,7 @@ enum HostEnvSecurityPolicy {
         "ERL_ZFLAGS",
         "EXINIT",
         "FCEDIT",
+        "FPATH",
         "GCONV_PATH",
         "GEM_HOME",
         "GEM_PATH",
@@ -116,6 +118,7 @@ enum HostEnvSecurityPolicy {
         "JAVA_TOOL_OPTIONS",
         "JDK_JAVA_OPTIONS",
         "JULIA_EDITOR",
+        "KSH_ENV",
         "LDFLAGS",
         "LESSCLOSE",
         "LESSOPEN",
@@ -183,6 +186,7 @@ enum HostEnvSecurityPolicy {
         "SUDO_EDITOR",
         "SVN_EDITOR",
         "SVN_SSH",
+        "TCLLIBPATH",
         "TF_CLI_CONFIG_FILE",
         "TF_PLUGIN_CACHE_DIR",
         "UV_DEFAULT_INDEX",
@@ -207,6 +211,7 @@ enum HostEnvSecurityPolicy {
 
     static let blockedKeys: Set<String> = [
         "ANT_OPTS",
+        "BASHOPTS",
         "BASH_ENV",
         "BROWSER",
         "BZR_EDITOR",
@@ -232,6 +237,7 @@ enum HostEnvSecurityPolicy {
         "ERL_FLAGS",
         "ERL_ZFLAGS",
         "EXINIT",
+        "FPATH",
         "GCONV_PATH",
         "GIT_ALTERNATE_OBJECT_DIRECTORIES",
         "GIT_COMMON_DIR",
@@ -260,6 +266,7 @@ enum HostEnvSecurityPolicy {
         "JAVA_TOOL_OPTIONS",
         "JDK_JAVA_OPTIONS",
         "JULIA_EDITOR",
+        "KSH_ENV",
         "LUA_INIT",
         "LUA_INIT_5_1",
         "LUA_INIT_5_2",
@@ -297,6 +304,7 @@ enum HostEnvSecurityPolicy {
         "SUDO_ASKPASS",
         "SVN_EDITOR",
         "SVN_SSH",
+        "TCLLIBPATH",
         "VAGRANT_VAGRANTFILE",
         "VIMINIT",
         "_JAVA_OPTIONS"
diff --git a/docs/cli/mcp.md b/docs/cli/mcp.md
@@ -673,7 +673,7 @@ Launches a local child process and communicates over stdin/stdout.
 <Warning>
 **Stdio env safety filter**
 
-OpenClaw rejects interpreter-startup env keys that can alter how a stdio MCP server starts up before the first RPC, even if they appear in a server's `env` block. Blocked keys include `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHONSTARTUP`, `PYTHONPATH`, `PERL5OPT`, `RUBYOPT`, `SHELLOPTS`, `PS4`, and similar runtime-control variables. Startup rejects these with a configuration error so they cannot inject an implicit prelude, swap the interpreter, enable a debugger, or redirect runtime output against the stdio process. Ordinary credential, proxy, and server-specific env vars (`GITHUB_TOKEN`, `HTTP_PROXY`, custom `*_API_KEY`, etc.) are unaffected.
+OpenClaw rejects interpreter-startup env keys that can alter how a stdio MCP server starts up before the first RPC, even if they appear in a server's `env` block. Blocked keys include `BASHOPTS`, `FPATH`, `KSH_ENV`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHONSTARTUP`, `PYTHONPATH`, `PERL5OPT`, `RUBYOPT`, `SHELLOPTS`, `PS4`, `TCLLIBPATH`, and similar runtime-control variables. Startup rejects these with a configuration error so they cannot inject an implicit prelude, swap the interpreter, enable a debugger, or redirect runtime output against the stdio process. Ordinary credential, proxy, and server-specific env vars (`GITHUB_TOKEN`, `HTTP_PROXY`, custom `*_API_KEY`, etc.) are unaffected.
 
 If your MCP server genuinely needs one of the blocked variables, set it on the gateway host process instead of under the stdio server's `env`.
 </Warning>
diff --git a/docs/nodes/index.md b/docs/nodes/index.md
@@ -381,7 +381,7 @@ Notes:
 - For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 - On Windows node hosts in allowlist mode, shell-wrapper runs via `cmd.exe /c` require approval (allowlist entry alone does not auto-allow the wrapper form).
 - `system.notify` supports `--priority <passive|active|timeSensitive>` and `--delivery <system|overlay|auto>`.
-- Node hosts ignore `PATH` overrides and strip dangerous startup/shell keys (`DYLD_*`, `LD_*`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing `PATH` via `--env`.
+- Node hosts ignore `PATH` overrides and strip dangerous startup/shell keys (`DYLD_*`, `LD_*`, `BASHOPTS`, `FPATH`, `KSH_ENV`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`, `TCLLIBPATH`). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing `PATH` via `--env`.
 - On macOS node mode, `system.run` is gated by exec approvals in the macOS app (Settings → Exec approvals).
   Ask/allowlist/full behave the same as the headless node host; denied prompts return `SYSTEM_RUN_DENIED`.
 - On headless node host, `system.run` is gated by exec approvals (`~/.openclaw/exec-approvals.json`).
diff --git a/docs/platforms/macos.md b/docs/platforms/macos.md
@@ -107,7 +107,7 @@ Notes:
 - `allowlist` entries are glob patterns for resolved binary paths, or bare command names for PATH-invoked commands.
 - Raw shell command text that contains shell control or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is treated as an allowlist miss and requires explicit approval (or allowlisting the shell binary).
 - Choosing "Always Allow" in the prompt adds that command to the allowlist.
-- `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`) and then merged with the app's environment.
+- `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `BASHOPTS`, `FPATH`, `KSH_ENV`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`, `TCLLIBPATH`) and then merged with the app's environment.
 - For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped environment overrides are reduced to a small explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
 - For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 
diff --git a/src/infra/host-env-security-policy.json b/src/infra/host-env-security-policy.json
@@ -12,8 +12,10 @@
     "PERL5OPT",
     "RUBYLIB",
     "RUBYOPT",
+    "BASHOPTS",
     "BASH_ENV",
     "ENV",
+    "KSH_ENV",
     "BROWSER",
     "GIT_EDITOR",
     "GIT_EXTERNAL_DIFF",
@@ -50,6 +52,7 @@
     "PYTHONBREAKPOINT",
     "DOTNET_STARTUP_HOOKS",
     "DOTNET_ADDITIONAL_DEPS",
+    "FPATH",
     "GLIBC_TUNABLES",
     "MAVEN_OPTS",
     "MAKEFLAGS",
@@ -93,6 +96,7 @@
     "R_PROFILE",
     "R_ENVIRON_USER",
     "R_PROFILE_USER",
+    "TCLLIBPATH",
     "HOSTALIASES"
   ],
   "blockedOverrideOnlyKeys": [
diff --git a/src/infra/host-env-security.reported-baseline.json b/src/infra/host-env-security.reported-baseline.json
@@ -3,6 +3,7 @@
   "generatedAt": "2026-04-10",
   "reportedDangerousEverywhereKeys": [
     "ANT_OPTS",
+    "BASHOPTS",
     "BASH_ENV",
     "BROWSER",
     "BZR_EDITOR",
@@ -28,6 +29,7 @@
     "ERL_FLAGS",
     "ERL_ZFLAGS",
     "EXINIT",
+    "FPATH",
     "GCONV_PATH",
     "GIT_ALTERNATE_OBJECT_DIRECTORIES",
     "GIT_COMMON_DIR",
@@ -56,6 +58,7 @@
     "JAVA_TOOL_OPTIONS",
     "JDK_JAVA_OPTIONS",
     "JULIA_EDITOR",
+    "KSH_ENV",
     "LUA_INIT",
     "LUA_INIT_5_1",
     "LUA_INIT_5_2",
@@ -93,6 +96,7 @@
     "SUDO_ASKPASS",
     "SVN_EDITOR",
     "SVN_SSH",
+    "TCLLIBPATH",
     "VAGRANT_VAGRANTFILE",
     "VIMINIT",
     "_JAVA_OPTIONS"
@@ -248,5 +252,5 @@
     "YARN_RC_FILENAME",
     "ZDOTDIR"
   ],
-  "expectedTotalReportedEntries": 243
+  "expectedTotalReportedEntries": 247
 }
diff --git a/src/infra/host-env-security.reported-baseline.test.ts b/src/infra/host-env-security.reported-baseline.test.ts
@@ -92,7 +92,7 @@ describe("host env reported baseline coverage", () => {
       baseline.reportedDangerousEverywhereKeys.length +
         baseline.reportedDangerousOverrideOnlyKeys.length,
     ).toBe(baseline.expectedTotalReportedEntries);
-    expect(baseline.expectedTotalReportedEntries).toBe(243);
+    expect(baseline.expectedTotalReportedEntries).toBe(247);
     expect(sortUniqueUpper(baseline.reportedDangerousEverywhereKeys)).toEqual(
       baseline.reportedDangerousEverywhereKeys,
     );
diff --git a/src/infra/host-env-security.test.ts b/src/infra/host-env-security.test.ts
