[Security] Environment variable blocklist incomplete — missing GLIBC_TUNABLES, JAVA_TOOL_OPTIONS, etc.

[Thxsry]

Summary

The host-env-security-policy.json blocks some dangerous environment variables, but is missing several that can be used for code injection or behavior modification.

Current State

src/infra/host-env-security-policy.json:

{
  "blockedKeys": [
    "NODE_OPTIONS",
    "NODE_PATH",
    "PYTHONHOME",
    "PYTHONPATH",
    "PERL5LIB",
    "PERL5OPT",
    "RUBYLIB",
    "RUBYOPT",
    "BASH_ENV",
    "ENV",
    "GCONV_PATH",
    "IFS",
    "SSLKEYLOGFILE"
  ],
  "blockedPrefixes": ["DYLD_", "LD_", "BASH_FUNC_"]
}

Missing Dangerous Variables

Variable	Risk	Description
GLIBC_TUNABLES	Code injection	glibc dynamic linker behavior modification
JAVA_TOOL_OPTIONS	Code injection	Java JVM options injection
JDK_JAVA_OPTIONS	Code injection	Java 9+ JVM options
LD_AUDIT	Code injection	Dynamic linker audit library
OPENCLAW_*	Behavior modification	Could affect OpenClaw behavior from user-provided env

Attack Vector

If an attacker gains access to the exec tool (even with allowlist mode), they could inject code via:

GLIBC_TUNABLES=glibc.tune.hwcaps=-AVX512F some_command
JAVA_TOOL_OPTIONS="-Djava.security.manager=..." java_app

Suggested Fix

{
  "blockedKeys": [
    "NODE_OPTIONS",
    "NODE_PATH",
    "PYTHONHOME",
    "PYTHONPATH",
    "PERL5LIB",
    "PERL5OPT",
    "RUBYLIB",
    "RUBYOPT",
    "BASH_ENV",
    "ENV",
    "GCONV_PATH",
    "IFS",
    "SSLKEYLOGFILE",
    "GLIBC_TUNABLES",
    "JAVA_TOOL_OPTIONS",
    "JDK_JAVA_OPTIONS",
    "LD_AUDIT"
  ],
  "blockedPrefixes": ["DYLD_", "LD_", "BASH_FUNC_", "OPENCLAW_"]
}

Severity

Medium - Requires exec tool access, but could lead to privilege escalation or sandbox escape.

Related

• Security audit conducted on 2026-02-21
• Verified that existing SSRF, path traversal, and URL navigation protections are correctly implemented

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[dendrite-soup]

GHSA-2fgq-7j6h-9rm4 (published today) is a direct confirmation of this issue's core point — SHELLOPTS and PS4 were missing from the blocklist and enabled RCE via bash xtrace expansion before the allowlisted command body even ran. They're patched now in 2026.2.22, but the fix is still additive: two more entries on the blocklist.

The fundamental problem with the blocklist approach is that it's an enumeration of known-dangerous variables, and the set of dangerous variables is not closed. Every language runtime, every framework, every linker adds new ones. The original reporter's list was good; the SHELLOPTS/PS4 advisory proves it was still incomplete.

Two more that aren't on the list and should be:

• PYTHONSTARTUP — Python executes the file at this path on interpreter startup, before any script runs. Equivalent to BASH_ENV for Python.
• RUBYOPT is already blocked, but RUBY_THREAD_VM_STACK_SIZE and RUBY_FIBER_VM_STACK_SIZE can be used for stack exhaustion DoS if a Ruby process runs in the exec context.

The durable fix isn't a longer blocklist — it's flipping to an allowlist for request-scoped env overrides. The SHELLOPTS/PS4 advisory fix actually moves in this direction for shell wrappers specifically (reduce to TERM, LANG, LC_*, COLORTERM, NO_COLOR, FORCE_COLOR). That pattern should be the default for all exec paths, not just shell wrappers.