fix(interpreter): filter SHOPT_ variables from set/declare output #1218

Merged
chaliy merged 1 commit into main from fix/1186-filter-shopt-internal-vars on Apr 11, 2026

@chaliy commented Apr 11, 2026

Summary

Closes #1186

  • Add SHOPT_ prefix to is_internal_variable() filter to prevent implementation fingerprinting
  • SHOPT_* variables (e.g. SHOPT_e, SHOPT_pipefail) are internal bookkeeping and should not appear in set or declare -p output

Test plan

  • security_audit_set_hides_shopt_vars — verifies set output has no SHOPT_ variables
  • security_audit_declare_p_hides_shopt_vars — verifies declare -p output has no SHOPT_ variables
  • All 4 internal_variable_leak security tests pass

…re output

SHOPT_* variables (e.g. SHOPT_e, SHOPT_pipefail) are internal
implementation details used to track shell options. They were visible
via `set` and `declare -p`, enabling implementation fingerprinting.

Add SHOPT_ prefix to is_internal_variable() and add security tests
verifying both `set` and `declare -p` filter these variables.

Closes #1186

@chaliy merged commit 7a791f5 into main on Apr 11, 2026
27 checks passed
@chaliy deleted the fix/1186-filter-shopt-internal-vars branch on April 11, 2026 17:42

Development

Successfully merging this pull request may close these issues.

sec(interpreter): declare -p and set may expose internal implementation variables to scripts
