put some guards at critical runtime env vars

This commit is contained in:
macm1
2026-02-23 18:17:14 +03:00
parent 5003263eef
commit 0dea325473
4 changed files with 31 additions and 1 deletions
+1 -1
View File
@@ -251,7 +251,7 @@ All options are set via **Settings → Apps/Add-ons → OpenClaw Assistant → C
When `gateway_auth_mode: trusted-proxy` is used, the add-on sets `gateway.auth.trustedProxy.userHeader` to `x-forwarded-user` by default.
| `force_ipv4_dns` | bool | `false` | Force IPv4-first DNS ordering for Node network calls. Useful if IPv6 DNS resolves but IPv6 egress is broken (can affect Telegram API polling). |
| `gateway_env_vars` | map(string) | `{}` | Environment variables exported to the gateway process at startup. Use YAML map format (for example `OPENAI_API_KEY: "sk-..."`). Limits: max 50 vars, key length 255, value length 10000. |
| `gateway_env_vars` | map(string) | `{}` | Environment variables exported to the gateway process at startup. Use YAML map format (for example `SERVICE_API_KEY: "..."`). Limits: max 50 vars, key length 255, value length 10000. Reserved runtime keys are blocked (for example `PATH`, `HOME`, `NODE_OPTIONS`, `NODE_PATH`, `OPENCLAW_*`, proxy vars). |
### Terminal
+1
View File
@@ -6,6 +6,7 @@ All notable changes to the OpenClaw Assistant Home Assistant Add-on will be docu
### Fixed
- **`web_fetch failed: fetch failed`**: changed `force_ipv4_dns` default to **true**. Node 22 tries IPv6 first; most HAOS VMs lack IPv6 egress, causing outbound `web_fetch` / HTTP tool calls to time out.
- **`gateway_env_vars` safety**: block overrides for reserved runtime variables (for example `PATH`, `HOME`, `NODE_OPTIONS`, `NODE_PATH`, `OPENCLAW_*`, proxy vars) to prevent accidental startup/security regressions.
### Added
- **`nginx_log_level` option** (`minimal` / `full`, default `minimal`): suppresses repetitive Home Assistant health-check and polling requests (`GET /`, `GET /v1/models`, `POST /tools/invoke`) from the nginx access log.
+2
View File
@@ -116,6 +116,8 @@ options:
# Feature flags:
# FEATURE_FLAG_X: "1"
# FEATURE_FLAG_Y: "0"
# Reserved keys are blocked to protect runtime/security
# (e.g. PATH, HOME, NODE_OPTIONS, NODE_PATH, OPENCLAW_*, proxy vars).
# Limits: max 50 variables, max key length 255 chars, max value length 10000 chars
gateway_env_vars: {}
+27
View File
@@ -190,6 +190,27 @@ export PNPM_HOME="${PERSISTENT_NODE_GLOBAL}/pnpm"
mkdir -p "$PNPM_HOME"
export PATH="${PNPM_HOME}:${PATH}"
# Protect critical runtime variables from accidental override via gateway_env_vars.
is_reserved_gateway_env_var() {
case "$1" in
# Critical runtime paths/process vars.
HOME|PATH|PWD|OLDPWD|SHLVL|TZ|XDG_CONFIG_HOME|PNPM_HOME|NODE_PATH|NODE_OPTIONS|NODE_NO_WARNINGS)
return 0
;;
# Proxy vars managed by add-on options.
HTTP_PROXY|HTTPS_PROXY|NO_PROXY|http_proxy|https_proxy|no_proxy)
return 0
;;
# Add-on internal control vars.
OPENCLAW_*)
return 0
;;
*)
return 1
;;
esac
}
# Export gateway environment variables from add-on config
# These are user-defined variables that should be available to the gateway process
if [ "$GW_ENV_VARS" != "{}" ] && [ -n "$GW_ENV_VARS" ]; then
@@ -212,6 +233,12 @@ if [ "$GW_ENV_VARS" != "{}" ] && [ -n "$GW_ENV_VARS" ]; then
continue
fi
# Protect critical runtime variables from accidental override.
if is_reserved_gateway_env_var "$key"; then
echo "WARN: Reserved environment variable '$key' cannot be overridden via gateway_env_vars (skip)"
continue
fi
# Enforce max variable name length
if [ ${#key} -gt $max_var_name_size ]; then
echo "WARN: Environment variable name too long: '$key' (max $max_var_name_size chars, skip)"