fix: share git inherited env sanitization

pgondhi987 · pgondhi987 · commit c422f19b48c8 · 2026-06-09T15:01:41.000Z
diff --git a/src/agents/bash-tools.exec-runtime.test.ts b/src/agents/bash-tools.exec-runtime.test.ts
@@ -34,6 +34,7 @@ let formatExecFailureReason: typeof import("./bash-tools.exec-runtime.js").forma
 let renderExecUpdateText: typeof import("./bash-tools.exec-runtime.js").renderExecUpdateText;
 let resolveExecTarget: typeof import("./bash-tools.exec-runtime.js").resolveExecTarget;
 let runExecProcess: typeof import("./bash-tools.exec-runtime.js").runExecProcess;
+let sanitizeHostBaseEnv: typeof import("./bash-tools.exec-runtime.js").sanitizeHostBaseEnv;
 
 beforeAll(async () => {
   ({ markBackgrounded } = await import("./bash-process-registry.js"));
@@ -45,6 +46,7 @@ beforeAll(async () => {
     renderExecUpdateText,
     resolveExecTarget,
     runExecProcess,
+    sanitizeHostBaseEnv,
   } = await import("./bash-tools.exec-runtime.js"));
 });
 
@@ -113,6 +115,33 @@ describe("detectCursorKeyMode", () => {
   });
 });
 
+describe("sanitizeHostBaseEnv", () => {
+  it("uses value-aware Git protocol inherited env sanitization", () => {
+    expect(
+      sanitizeHostBaseEnv({
+        PATH: "/usr/bin:/bin",
+        GIT_ALLOW_PROTOCOL: "https:ext:ssh",
+        GIT_PROTOCOL_FROM_USER: "1",
+        GIT_SSH_COMMAND: "touch /tmp/pwned",
+        SAFE: "ok",
+      }),
+    ).toEqual({
+      PATH: "/usr/bin:/bin",
+      GIT_ALLOW_PROTOCOL: "https:ssh",
+      GIT_PROTOCOL_FROM_USER: "0",
+      SAFE: "ok",
+    });
+
+    expect(
+      sanitizeHostBaseEnv({
+        GIT_PROTOCOL_FROM_USER: "false",
+      }),
+    ).toEqual({
+      GIT_PROTOCOL_FROM_USER: "false",
+    });
+  });
+});
+
 describe("resolveExecTarget", () => {
   it("keeps implicit auto on sandbox when a sandbox runtime is available", () => {
     expectExecTarget(
diff --git a/src/agents/bash-tools.exec-runtime.ts b/src/agents/bash-tools.exec-runtime.ts
@@ -19,7 +19,10 @@ import {
   type ExecTarget,
 } from "../infra/exec-approvals.js";
 import { requestHeartbeat } from "../infra/heartbeat-wake.js";
-import { isDangerousHostInheritedEnvVarName } from "../infra/host-env-security.js";
+import {
+  isDangerousHostInheritedEnvVarName,
+  sanitizeHostInheritedEnvEntry,
+} from "../infra/host-env-security.js";
 import { findPathKey, mergePathPrepend, removePathPrepend } from "../infra/path-prepend.js";
 import { enqueueSystemEvent } from "../infra/system-events.js";
 import { isSubagentSessionKey } from "../sessions/session-key-utils.js";
@@ -93,15 +96,12 @@ export function detectCursorKeyMode(raw: string): "application" | "normal" | nul
 export function sanitizeHostBaseEnv(env: Record<string, string>): Record<string, string> {
   const sanitized: Record<string, string> = {};
   for (const [key, value] of Object.entries(env)) {
-    const upperKey = key.toUpperCase();
-    if (upperKey === "PATH") {
-      sanitized[key] = value;
-      continue;
-    }
-    if (isDangerousHostInheritedEnvVarName(upperKey)) {
+    const sanitizedEntry = sanitizeHostInheritedEnvEntry(key, value);
+    if (!sanitizedEntry) {
       continue;
     }
-    sanitized[key] = value;
+    const [sanitizedKey, sanitizedValue] = sanitizedEntry;
+    sanitized[sanitizedKey] = sanitizedValue;
   }
   return sanitized;
 }
diff --git a/src/infra/host-env-security.ts b/src/infra/host-env-security.ts
@@ -174,6 +174,33 @@ function sanitizeInheritedGitAllowProtocolValue(value: string): string {
   return safeProtocols.join(":");
 }
 
+export function sanitizeHostInheritedEnvEntry(
+  rawKey: string,
+  value: string,
+): [string, string] | null {
+  const key = normalizeEnvVarKey(rawKey);
+  if (!key) {
+    return null;
+  }
+  // Preserve inherited Git allowlists without widening malformed or unsafe entries by deletion.
+  // Protocols outside Git's safe default set are removed instead of being passed through.
+  if (key.toUpperCase() === GIT_ALLOW_PROTOCOL_ENV_KEY) {
+    return [key, sanitizeInheritedGitAllowProtocolValue(value)];
+  }
+  // Preserve non-permissive Git boolean values. Permissive values must become explicit `0`
+  // because Git's unset default still permits protocols with policy `user`.
+  if (key.toUpperCase() === GIT_PROTOCOL_FROM_USER_ENV_KEY) {
+    return [
+      key,
+      isPermissiveGitProtocolFromUserValue(value) ? GIT_PROTOCOL_FROM_USER_DISABLED_VALUE : value,
+    ];
+  }
+  if (isDangerousHostInheritedEnvVarName(key)) {
+    return null;
+  }
+  return [key, value];
+}
+
 function sanitizeHostEnvOverridesWithDiagnostics(params?: {
   overrides?: Record<string, string> | null;
   blockPathOverrides?: boolean;
@@ -236,26 +263,12 @@ export function sanitizeHostExecEnvWithDiagnostics(params?: {
 
   const merged: Record<string, string> = {};
   for (const [key, value] of listNormalizedEnvEntries(baseEnv)) {
-    // Preserve inherited Git allowlists without widening malformed or unsafe entries by deletion.
-    // Protocols outside Git's safe default set are removed instead of being passed through.
-    if (key.toUpperCase() === GIT_ALLOW_PROTOCOL_ENV_KEY) {
-      merged[key] = sanitizeInheritedGitAllowProtocolValue(value);
-      continue;
-    }
-    // Preserve non-permissive Git boolean values. Permissive values must become explicit `0`
-    // because Git's unset default still permits protocols with policy `user`.
-    if (key.toUpperCase() === GIT_PROTOCOL_FROM_USER_ENV_KEY) {
-      if (!isPermissiveGitProtocolFromUserValue(value)) {
-        merged[key] = value;
-      } else {
-        merged[key] = GIT_PROTOCOL_FROM_USER_DISABLED_VALUE;
-      }
-      continue;
-    }
-    if (isDangerousHostInheritedEnvVarName(key)) {
+    const sanitizedEntry = sanitizeHostInheritedEnvEntry(key, value);
+    if (!sanitizedEntry) {
       continue;
     }
-    merged[key] = value;
+    const [sanitizedKey, sanitizedValue] = sanitizedEntry;
+    merged[sanitizedKey] = sanitizedValue;
   }
 
   const overrideResult = sanitizeHostEnvOverridesWithDiagnostics({
