From 03877eae3b981f5e13027f1c91b4c5a906377388 Mon Sep 17 00:00:00 2001
From: Christian Gunderman
Date: Wed, 13 May 2026 16:11:34 -0700
Subject: [PATCH] fix(core): trust explicitly allowed variables over name patterns
This removes the `NEVER_ALLOWED_NAME_PATTERNS` filter from `getSecureSanitizationConfig`. Previously, if a user explicitly added a variable like `GH_TOKEN` to their `allowedEnvironmentVariables` in `settings.json`, it would be silently dropped during configuration parsing because it matched the `NEVER_ALLOWED_NAME_PATTERNS` regex. This change ensures that explicit user allowlists take precedence over heuristic name-based pattern matching, while still maintaining the strict blocklist for known highly-sensitive system variables (`NEVER_ALLOWED_ENVIRONMENT_VARIABLES`).
---
 packages/core/src/services/environmentSanitization.test.ts | 7 ++++---
 packages/core/src/services/environmentSanitization.ts | 6 ------
 2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/packages/core/src/services/environmentSanitization.test.ts b/packages/core/src/services/environmentSanitization.test.ts
index dcf665f88e..cdee3330b9 100644
--- a/packages/core/src/services/environmentSanitization.test.ts
+++ b/packages/core/src/services/environmentSanitization.test.ts
@@ -370,15 +370,16 @@ describe('getSecureSanitizationConfig', () => {
 );
 });
- it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
+ it('should not filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
 const requestedConfig = {
- allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
+ allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN', 'GH_TOKEN'],
 };
 const config = getSecureSanitizationConfig(requestedConfig);
 expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
- expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
+ expect(config.allowedEnvironmentVariables).toContain('MY_SECRET_TOKEN');
+ expect(config.allowedEnvironmentVariables).toContain('GH_TOKEN');
 });
 it('should deduplicate variables in allowed and blocked lists', () => {
diff --git a/packages/core/src/services/environmentSanitization.ts b/packages/core/src/services/environmentSanitization.ts
index 909a3518b1..da116d3a86 100644
--- a/packages/core/src/services/environmentSanitization.ts
+++ b/packages/core/src/services/environmentSanitization.ts
@@ -214,12 +214,6 @@ export function getSecureSanitizationConfig(
 if (NEVER_ALLOWED_ENVIRONMENT_VARIABLES.has(upperKey)) {
 return false;
 }
- // Never allow variables that match sensitive name patterns
- for (const pattern of NEVER_ALLOWED_NAME_PATTERNS) {
- if (pattern.test(upperKey)) {
- return false;
- }
- }
 return true;
 });
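Review bot: The renamed case in `describe('getSecureSanitizationConfig')` asserts only that pattern-matching names now survive; it does not pin the boundary the commit message says remains, namely that `NEVER_ALLOWED_ENVIRONMENT_VARIABLES` still overrides an explicit allowlist. If no neighbouring test (not visible in this hunk) already covers that, add one hard-blocklisted name to the same `allowedEnvironmentVariables` array and assert it with `.not.toContain(...)`, so a later change to the filter cannot silently drop both checks. A short comment above the assertions, such as `// Explicit allowlist beats name heuristics; the hard blocklist still applies.`, would record why `MY_SECRET_TOKEN` is expected to pass.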
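Review bot: With the pattern loop gone, the filter callback in `getSecureSanitizationConfig` accepts every allowlisted name that is not in `NEVER_ALLOWED_ENVIRONMENT_VARIABLES`, so exposure of credential-shaped names such as `GH_TOKEN` now depends entirely on who can write `allowedEnvironmentVariables`. The hunk does not show where `requestedConfig` originates; if it can be populated from a workspace- or repository-level settings file rather than only the user's own, a checked-out project could opt secrets into the sanitized environment, so that source should be confirmed as trusted. Consider keeping the pattern match as a non-blocking signal (a logged warning naming the variable when an allowlisted entry matches `NEVER_ALLOWED_NAME_PATTERNS`), so the override is visible in logs. At minimum, leave a comment where the loop was: `// Explicit allowlist entries intentionally bypass NEVER_ALLOWED_NAME_PATTERNS; only the hard blocklist is enforced here.` The function starts before and continues after this hunk.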