fix: clear environment variables in shell tool to prevent secret leakage

This fix addresses CWE-200 by clearing environment variables before
executing shell commands and only re-adding safe, functional variables.

- Add SAFE_ENV_VARS constant with whitelist of safe variables
- Use .env_clear() before executing commands
- Add tests for environment variable isolation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Argenis 2026-02-15 08:24:01 -05:00 committed by GitHub
parent 1e19b12efd
commit b722189ef1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

Diff content is not available
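
The isolation pattern the commit message describes, as an added example that is not the project's own code: a shell command is run once with the inherited environment and once after `.env_clear()` with only allowlisted variables copied back. The allowlist contents, the function names and the `EXAMPLE_API_TOKEN` variable are assumptions made for illustration; the commit's actual `SAFE_ENV_VARS` list is not shown on this page.

```rust
use std::io;
use std::process::{Command, Stdio};

// Assumed allowlist for this example; the commit's real SAFE_ENV_VARS
// contents are not shown on the page.
const SAFE_ENV_VARS: &[&str] = &["PATH", "HOME", "LANG", "TERM", "TMPDIR", "USER"];

/// Run `script` with /bin/sh and return its stdout (trailing newline trimmed).
/// `isolate = false` reproduces the pre-fix behaviour (full inheritance).
fn run_shell(script: &str, isolate: bool) -> io::Result<String> {
    let mut cmd = Command::new("/bin/sh");
    cmd.arg("-c").arg(script).stdin(Stdio::null());
    if isolate {
        // Drop everything inherited from the parent process...
        cmd.env_clear();
        // ...then copy back only allowlisted names that are set and valid UTF-8.
        for name in SAFE_ENV_VARS {
            if let Ok(value) = std::env::var(name) {
                cmd.env(name, value);
            }
        }
    }
    let out = cmd.output()?;
    Ok(String::from_utf8_lossy(&out.stdout).trim_end().to_string())
}

/// Put a constructed, fake secret into this process's environment.
#[allow(unused_unsafe)] // set_var is an unsafe fn only in the 2024 edition
fn plant_fake_secret() {
    unsafe { std::env::set_var("EXAMPLE_API_TOKEN", "constructed-secret-value") };
}

fn main() -> io::Result<()> {
    plant_fake_secret();
    // The probe prints the variable if the child can see it, "unset" otherwise.
    let probe = "echo \"token=${EXAMPLE_API_TOKEN:-unset}\"";
    println!("inherited: {}", run_shell(probe, false)?);
    println!("isolated:  {}", run_shell(probe, true)?);
    Ok(())
}
```

Any variable kept on the allowlist is still passed through with whatever value the parent holds, so the list should contain only names that never carry credentials.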