fix(core): trust explicitly allowed variables over name patterns

This removes the `NEVER_ALLOWED_NAME_PATTERNS` filter from `getSecureSanitizationConfig`.

Previously, if a user explicitly added a variable like `GH_TOKEN` to their `allowedEnvironmentVariables` in `settings.json`, it would be silently dropped during configuration parsing because it matched the `NEVER_ALLOWED_NAME_PATTERNS` regex.

This change ensures that explicit user allowlists take precedence over heuristic name-based pattern matching, while still maintaining the strict blocklist for known highly-sensitive system variables (`NEVER_ALLOWED_ENVIRONMENT_VARIABLES`).
Christian Gunderman
2026-05-13 16:11:34 -07:00
parent d17a813cc3
commit 03877eae3b
2 changed files with 4 additions and 9 deletions
@@ -370,15 +370,16 @@ describe('getSecureSanitizationConfig', () => {
);
});
it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
it('should not filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
const requestedConfig = {
allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN', 'GH_TOKEN'],
};
const config = getSecureSanitizationConfig(requestedConfig);
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
expect(config.allowedEnvironmentVariables).toContain('MY_SECRET_TOKEN');
expect(config.allowedEnvironmentVariables).toContain('GH_TOKEN');
});
it('should deduplicate variables in allowed and blocked lists', () => {
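Review bot: The updated test pins only the permissive half of the new precedence; nothing in it shows that an explicit allowlist entry is still refused when it appears in `NEVER_ALLOWED_ENVIRONMENT_VARIABLES`. Unless the preceding test, which ends just above the changed lines, already covers that, I would add one blocklisted name to the same `allowedEnvironmentVariables` array and assert `.not.toContain(...)` for it. A later loosening of the hard blocklist would then fail next to the case that relaxed the patterns. The title could also state the expectation positively, e.g. `'should keep explicitly allowed variables that match NEVER_ALLOWED_NAME_PATTERNS'`.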
@@ -214,12 +214,6 @@ export function getSecureSanitizationConfig(
if (NEVER_ALLOWED_ENVIRONMENT_VARIABLES.has(upperKey)) {
return false;
}
// Never allow variables that match sensitive name patterns
for (const pattern of NEVER_ALLOWED_NAME_PATTERNS) {
if (pattern.test(upperKey)) {
return false;
}
}
return true;
});
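Review bot: With the pattern loop gone, the filter callback ending at `return true;` accepts any allowlisted name outside `NEVER_ALLOWED_ENVIRONMENT_VARIABLES`, so whether a credential such as `GH_TOKEN` passes through now depends entirely on who can write `allowedEnvironmentVariables`. The hunk does not show where `requestedConfig` originates; if it can be populated from workspace- or repository-scoped settings rather than only the user's own `settings.json`, a checked-out project could opt itself into receiving secret-named variables, and that path should stay pattern-filtered. At minimum I would document the trust assumption above the return, e.g. `// Explicit allowlist entries bypass NEVER_ALLOWED_NAME_PATTERNS; callers must pass only user-trusted settings here.` Logging when an allowlisted name matches a sensitive pattern would also make the exposure visible. `getSecureSanitizationConfig` begins and ends outside this hunk, so the surrounding handling is inferred.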