security: isolate agent shell commands from parent environment #25

Merged
enowdev merged 1 commit into enowdev:main from aguung:security/env-isolation-run-command
May 15, 2026

Conversation

@aguung aguung commented May 14, 2026

Description

Agent-spawned shell commands previously inherited all environment variables from the desktop app process. This means API keys, credentials, or any secret stored in the host environment could be read by an agent simply by running env or printenv. This PR fixes the leak by calling env_clear() before spawning child processes, then forwarding only the minimum required variables (PATH, LANG, LC_ALL).

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

How Has This Been Tested?

  • cargo clippy -- -D warnings passes (Rust) — could not run in current environment due to missing GTK system deps on WSL
  • bunx tsc --noEmit passes (TypeScript) — no TypeScript changes in this PR
  • Manual testing steps below

Manual verification:

  • Reviewed diff: env_clear() is placed before stdout/stderr piping on the command builder
  • Confirmed only PATH, LANG, LC_ALL are forwarded — no other env vars passed through
  • Added test_run_command_env_isolation test that sets a secret env var in the parent process and asserts it is not visible inside an agent command

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

Prevent environment variable leakage to agent-spawned processes.
Previously, run_command() inherited all env vars from the desktop app
process (API keys, HOME, credentials). Now env_clear() wipes the
slate and only PATH, LANG, and LC_ALL are passed through — enough
for shell tools to find binaries and handle encoding correctly.

Also adds test_run_command_env_isolation to assert that secrets set
in the parent process are not visible to agent commands.
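The isolation described in the PR description and the commit message above, written out as an added example that is not the project's own run_command(): a builder calls env_clear() on the std::process::Command, then re-adds only PATH, LANG and LC_ALL when they are set in the parent, and a test plants a secret in the parent process and confirms the child cannot see it. The function names (isolated_command, run_isolated, parse_env_dump, leaked_names), the secret variable name and the use of the POSIX env binary to dump the child's environment are assumptions made for this example.

```rust
use std::collections::BTreeMap;
use std::process::{Command, Output, Stdio};

/// Variables the child is allowed to see. Everything else the desktop
/// app process holds (API keys, HOME, credentials) is dropped.
const FORWARDED_VARS: &[&str] = &["PATH", "LANG", "LC_ALL"];

/// Build a `Command` whose environment starts empty and receives only the
/// allow-listed variables that are actually set in the parent process.
/// `env_clear()` must run before any `env()` call, because it also discards
/// variables added to the builder earlier.
pub fn isolated_command(program: &str) -> Command {
    let mut cmd = Command::new(program);
    cmd.env_clear();
    for name in FORWARDED_VARS {
        if let Some(value) = std::env::var_os(name) {
            cmd.env(name, value);
        }
    }
    cmd
}

/// Run `program args...` with the isolated environment, piping stdout and
/// stderr so the caller can inspect the output (example helper, not the
/// project's run_command()).
pub fn run_isolated(program: &str, args: &[&str]) -> std::io::Result<Output> {
    isolated_command(program)
        .args(args)
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .output()
}

/// Parse `env`/`printenv` style `KEY=value` lines into a map so a test can
/// check exactly which names reached the child.
pub fn parse_env_dump(stdout: &[u8]) -> BTreeMap<String, String> {
    String::from_utf8_lossy(stdout)
        .lines()
        .filter_map(|line| line.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect()
}

/// Names present in the child's environment that are not on the allow-list.
/// An empty result means nothing beyond PATH/LANG/LC_ALL leaked through.
pub fn leaked_names(child_env: &BTreeMap<String, String>) -> Vec<String> {
    child_env
        .keys()
        .filter(|k| !FORWARDED_VARS.contains(&k.as_str()))
        .cloned()
        .collect()
}

fn main() -> std::io::Result<()> {
    // Stand-alone demo: dump what an isolated child actually sees.
    let out = run_isolated("env", &[])?;
    for (k, v) in parse_env_dump(&out.stdout) {
        println!("{k}={v}");
    }
    println!("leaked: {:?}", leaked_names(&parse_env_dump(&out.stdout)));
    Ok(())
}
```

The test mirrors the PR's test_run_command_env_isolation: it sets a constructed secret (AGENT_TEST_SECRET_TOKEN) in the parent, runs env through the isolated builder, and asserts the name is absent and that nothing outside the allow-list reached the child; a control run with an inherited environment shows the same secret would otherwise be visible. Note that forwarding PATH still trusts the parent's PATH value, and dropping HOME changes how tools that read per-user config behave, so the allow-list is a policy decision worth revisiting if agents need such tools.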
@enowdev enowdev merged commit 79d3e6a into enowdev:main May 15, 2026