feat: US-109 - Filter dangerous env vars from child process spawn

Author: NathanFlurry

packages/secure-exec-node/src/bridge-setup.ts

@@ -45,6 +45,28 @@ import {
 } from "./isolate-bootstrap.js";
 import type { DriverDeps } from "./isolate-bootstrap.js";
 
+// Env vars that could hijack child processes (library injection, node flags)
+const DANGEROUS_ENV_KEYS = new Set([
+	"LD_PRELOAD",
+	"LD_LIBRARY_PATH",
+	"NODE_OPTIONS",
+	"DYLD_INSERT_LIBRARIES",
+]);
+
+/** Strip env vars that allow library injection or node flag smuggling. */
+function stripDangerousEnv(
+	env: Record<string, string> | undefined,
+): Record<string, string> | undefined {
+	if (!env) return env;
+	const result: Record<string, string> = {};
+	for (const [key, value] of Object.entries(env)) {
+		if (!DANGEROUS_ENV_KEYS.has(key)) {
+			result[key] = value;
+		}
+	}
+	return result;
+}
+
 type BridgeDeps = Pick<
 	DriverDeps,
 	| "filesystem"
@@ -459,7 +481,7 @@ export async function setupRequire(
 
 				const proc = executor.spawn(command, args, {
 					cwd: options.cwd,
-					env: options.env,
+					env: stripDangerousEnv(options.env),
 					onStdout: (data) => {
 						getDispatchRef().applySync(
 							undefined,
@@ -539,7 +561,7 @@ export async function setupRequire(
 
 				const proc = executor.spawn(command, args, {
 					cwd: options.cwd,
-					env: options.env,
+					env: stripDangerousEnv(options.env),
 					onStdout: (data) => {
 						if (maxBufferExceeded) return;
 						stdoutBytes += data.length;

packages/secure-exec/tests/runtime-driver/node/env-leakage.test.ts

@@ -1,7 +1,8 @@
 import { afterEach, describe, expect, it } from "vitest";
-import { allowAllEnv } from "../../../src/index.js";
+import { allowAllEnv, allowAllChildProcess } from "../../../src/index.js";
 import { createTestNodeRuntime } from "../../test-utils.js";
-import type { NodeRuntime } from "../../../src/index.js";
+import type { NodeRuntime, CommandExecutor } from "../../../src/index.js";
+import type { SpawnedProcess } from "../../../src/types.js";
 
 type CapturedConsoleEvent = {
 	channel: "stdout" | "stderr";
@@ -104,4 +105,79 @@ describe("runtime driver specific: node env leakage", () => {
 		expect(parsed.home).toBe(process.env.HOME ?? "/root");
 		expect(parsed.marker).toBe("env-positive-control");
 	});
+
+	// ---------------------------------------------------------------
+	// Dangerous env var filtering for child process spawn
+	// ---------------------------------------------------------------
+
+	function createCapturingExecutor() {
+		const calls: { command: string; args: string[]; env?: Record<string, string> }[] = [];
+		const executor: CommandExecutor = {
+			spawn(command, args, options): SpawnedProcess {
+				calls.push({ command, args, env: options?.env });
+				return {
+					writeStdin: () => {},
+					closeStdin: () => {},
+					kill: () => {},
+					wait: () => Promise.resolve(0),
+				};
+			},
+		};
+		return { executor, calls };
+	}
+
+	it("strips LD_PRELOAD from child process spawn env", async () => {
+		const { executor, calls } = createCapturingExecutor();
+		proc = createTestNodeRuntime({
+			permissions: { ...allowAllChildProcess },
+			commandExecutor: executor,
+		});
+		await proc.run(`
+			const cp = require('child_process');
+			cp.spawnSync('echo', ['hi'], {
+				env: { LD_PRELOAD: '/evil/lib.so', SAFE_VAR: 'ok' },
+			});
+		`);
+		expect(calls.length).toBe(1);
+		expect(calls[0].env).toBeDefined();
+		expect(calls[0].env!.LD_PRELOAD).toBeUndefined();
+		expect(calls[0].env!.SAFE_VAR).toBe("ok");
+	});
+
+	it("strips NODE_OPTIONS from child process spawn env", async () => {
+		const { executor, calls } = createCapturingExecutor();
+		proc = createTestNodeRuntime({
+			permissions: { ...allowAllChildProcess },
+			commandExecutor: executor,
+		});
+		await proc.run(`
+			const cp = require('child_process');
+			cp.spawnSync('echo', ['hi'], {
+				env: { NODE_OPTIONS: '--require=evil.js', PATH: '/usr/bin' },
+			});
+		`);
+		expect(calls.length).toBe(1);
+		expect(calls[0].env!.NODE_OPTIONS).toBeUndefined();
+		expect(calls[0].env!.PATH).toBe("/usr/bin");
+	});
+
+	it("normal env vars pass through child process spawn correctly", async () => {
+		const { executor, calls } = createCapturingExecutor();
+		proc = createTestNodeRuntime({
+			permissions: { ...allowAllChildProcess },
+			commandExecutor: executor,
+		});
+		await proc.run(`
+			const cp = require('child_process');
+			cp.spawnSync('echo', ['hi'], {
+				env: { PATH: '/usr/bin', HOME: '/home/test', CUSTOM: 'value' },
+			});
+		`);
+		expect(calls.length).toBe(1);
+		expect(calls[0].env).toEqual({
+			PATH: "/usr/bin",
+			HOME: "/home/test",
+			CUSTOM: "value",
+		});
+	});
 });