#8139: fix(config): block dangerous environment variables from config.env
stale
## Summary
Block dangerous environment variables from being set via `config.env.vars` to prevent code injection attacks.
## The Problem
The `applyConfigEnv()` function sets user-controlled config `env.vars` directly into the global `process.env` without filtering dangerous variables like `NODE_OPTIONS`, `LD_PRELOAD`, or `DYLD_INSERT_LIBRARIES`. All subsequent child process spawns (npm install, Chrome browser, shell commands, Docker containers) inherit these environment variables, enabling arbitrary code execution.
An attacker could distribute a malicious `openclaw.json5` config file with:
```json
{
"env": {
"vars": {
"NODE_OPTIONS": "--require=/tmp/malicious.js"
}
}
}
```
Any Node.js child process would then load the malicious code.
## Changes
- `src/config/io.ts`: Added blocklist for dangerous environment variables and pattern matching for `LD_*` and `DYLD_*` prefixes
- `src/config/config.dangerous-env-vars.test.ts`: Added tests verifying blocked variables and allowing safe variables
### Blocked Variables
- **Node.js injection**: `NODE_OPTIONS`, `NODE_PATH`, `NODE_REPL_HISTORY`
- **Linux library injection**: `LD_PRELOAD`, `LD_LIBRARY_PATH`, `LD_AUDIT`, and all `LD_*`
- **macOS library injection**: `DYLD_INSERT_LIBRARIES`, `DYLD_LIBRARY_PATH`, and all `DYLD_*`
- **Python injection**: `PYTHONPATH`, `PYTHONSTARTUP`, `PYTHONHOME`
- **Perl injection**: `PERL5LIB`, `PERLLIB`, `PERL5OPT`
- **Ruby injection**: `RUBYLIB`, `RUBYOPT`
- **Shell injection**: `BASH_ENV`, `ENV`
## Test Plan
- [x] `pnpm build && pnpm check && pnpm test` passes
- [x] New test `describe('config dangerous env var blocking')` validates the fix
- [x] Verified dangerous variables are silently blocked
- [x] Verified safe variables (API keys, custom vars) still work
## Related
- [CWE-94](https://cwe.mitre.org/data/definitions/94.html) - Improper Control of Generation of Code
- Internal audit ref: VULN-159
---
*Built with [bitsec-ai](https://github.com/bitsec-ai). AI-assisted: Yes. Testing: fully tested (test written before fix). Code reviewed and understood.*
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR hardens config loading by preventing `config.env.vars` from setting environment variables commonly used for interpreter/dynamic loader injection (e.g., `NODE_OPTIONS`, `LD_*`, `DYLD_*`, `PYTHONPATH`, `BASH_ENV`) before those vars get merged into `process.env`. It adds a blocklist/prefix-based filter in `src/config/io.ts` and introduces a focused Vitest suite to validate that dangerous variables are not applied while typical “safe” variables still are.
<h3>Confidence Score: 4/5</h3>
- This PR is generally safe to merge and improves security, with one notable edge-case bypass to address.
- The change is localized (only filters env var application) and has targeted tests, but the current dangerous-var check is case-sensitive for exact-match entries, which may allow bypasses if config keys aren’t normalized upstream.
- src/config/io.ts (case-insensitive matching); src/config/config.dangerous-env-vars.test.ts (add mixed/lowercase coverage)
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
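
The filter the PR describes, combined with the case-insensitive matching the Greptile review asks for, as an added TypeScript example. It is not the code from `src/config/io.ts`: `isDangerousEnvVar`, `filterConfigEnvVars` and `FilterResult` are hypothetical names, and the sample input is constructed.

```typescript
// Added example; not the code in src/config/io.ts. Function names are hypothetical.
// Exact-match names come from the PR's "Blocked Variables" list.
const BLOCKED_EXACT: ReadonlySet<string> = new Set([
  "NODE_OPTIONS", "NODE_PATH", "NODE_REPL_HISTORY",
  "PYTHONPATH", "PYTHONSTARTUP", "PYTHONHOME",
  "PERL5LIB", "PERLLIB", "PERL5OPT",
  "RUBYLIB", "RUBYOPT",
  "BASH_ENV", "ENV",
]);
// Prefix rules cover LD_PRELOAD, LD_AUDIT, DYLD_INSERT_LIBRARIES and the rest.
const BLOCKED_PREFIXES: readonly string[] = ["LD_", "DYLD_"];

// Compare on an upper-cased copy: Windows treats environment variable names
// case-insensitively, so "node_options" must be rejected like "NODE_OPTIONS".
function isDangerousEnvVar(name: string): boolean {
  const key = name.toUpperCase();
  return BLOCKED_EXACT.has(key) || BLOCKED_PREFIXES.some((p) => key.startsWith(p));
}

interface FilterResult {
  allowed: Record<string, string>;
  blocked: string[];
}

// Split config-supplied vars into those safe to apply and those rejected.
// Returning the rejected names lets the caller log them.
function filterConfigEnvVars(vars: Record<string, unknown>): FilterResult {
  const allowed: Record<string, string> = Object.create(null);
  const blocked: string[] = [];
  for (const [name, value] of Object.entries(vars)) {
    if (typeof value !== "string") continue; // only string values are applied
    if (isDangerousEnvVar(name)) blocked.push(name);
    else allowed[name] = value;
  }
  return { allowed, blocked };
}

// Constructed sample input (not taken from the PR's test file).
const sampleVars: Record<string, unknown> = {
  NODE_OPTIONS: "--require=/tmp/malicious.js", // value quoted in the PR body
  node_options: "--require=/tmp/malicious.js", // lowercase variant of the same key
  Ld_Preload: "/tmp/constructed.so",           // mixed case, matched by prefix
  DYLD_FOO: "1",                               // any DYLD_* name
  OPENAI_API_KEY: "sk-constructed",            // safe: API key
  ENVIRONMENT: "prod",                         // safe: starts with ENV but is not ENV
  LDFLAGS: "-O2",                              // safe: no underscore after LD
};
console.log(filterConfigEnvVars(sampleVars).blocked);
```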