Add security filtering to environment variables endpoint#9

Merged
jbingham17 merged 1 commit into main from feature/secure-env-filtering
Jan 6, 2026

Conversation

@jbingham17 (Contributor)

Summary

  • Implements an allowlist of safe environment variables that can be exposed (PATH, HOME, USER, SHELL, etc.)
  • Adds sensitive pattern detection to redact variables containing keywords like KEY, SECRET, TOKEN, PASSWORD
  • Filters out any variables not explicitly in the allowlist
  • Allows LC_* and XDG_* prefixed variables for locale/desktop settings

This addresses the security concern of the /api/environment endpoint previously exposing all environment variables without filtering.

Test plan

  • Verify only allowlisted variables are returned
  • Verify sensitive patterns are properly redacted
  • Test with various environment variable configurations

🤖 Generated with Claude Code

- Implement allowlist of safe environment variables (PATH, HOME, USER, etc.)
- Add sensitive pattern detection to redact potential secrets
- Filter out variables not in the allowlist
- Allow LC_* and XDG_* prefixed variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@coderabbitai

coderabbitai bot commented Jan 6, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • The environment variables endpoint now filters exposed variables to a safe set and redacts sensitive values for security purposes.


Walkthrough

The /api/environment endpoint in server/index.ts is refactored to filter and sanitize environment variables. It now exposes only explicitly safe variables and those matching specific patterns (LC_, XDG_), while redacting sensitive variable values based on pattern matching.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Environment endpoint redaction: `server/index.ts` | Modified /api/environment endpoint to define safe variables, filter based on naming patterns (LC_, XDG_), introduce sensitive pattern detection with redaction logic, and return structured { name, value } objects where sensitive values are replaced with "[REDACTED]". |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • coderabbit-demo/btop#1: Initial implementation of the /api/environment endpoint that this PR modifies to add filtering and redaction functionality.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title directly and clearly summarizes the main change: adding security filtering to the environment variables endpoint. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing clear details about the security filtering implementation including allowlist approach and sensitive pattern redaction. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Fix all issues with AI Agents 🤖
In @server/index.ts:
- Around line 301-304: The detection is case-sensitive: update the
sensitivePatterns handling in isSensitive to perform case-insensitive matching
(e.g., normalize candidate names with .toLowerCase() and store patterns in
lowercase or compile case-insensitive regexes) so keys like "api_key", "secret",
"password", and "auth_token" are detected; adjust the sensitivePatterns array to
lowercase tokens
("key","secret","token","password","credential","auth","private","api_key","access_key")
and change the includes() check to compare against the lowercased variable name
within the isSensitive function.
- Around line 310-315: The envVars construction reveals the names of sensitive
environment variables because it includes keys that start with "LC_" or "XDG_"
even when values are redacted; update the filter so envVars only includes truly
non-sensitive variables by removing the key-starts-with check and only allowing
keys present in safeVariables (or add an explicit isSensitive(name) check in the
.filter to exclude sensitive names), keeping the .map redaction logic
(isSensitive) unchanged; refer to envVars, safeVariables, and isSensitive to
locate and modify the filtering logic accordingly.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff122a3 and 5718c95.

📒 Files selected for processing (1)
  • server/index.ts
🔇 Additional comments (3)
server/index.ts (3)

291-292: Clear documentation of security intent.

The comments effectively communicate the purpose and security rationale for the filtering.


294-299: Well-chosen allowlist of safe variables.

The selection appropriately covers common system, shell, and development environment variables that are safe for diagnostic purposes.


317-322: LGTM!

The response construction correctly serializes the filtered variables and sets appropriate headers.

Comment thread server/index.ts
Comment on lines +301 to +304
```ts
const sensitivePatterns = [
  "KEY", "SECRET", "TOKEN", "PASSWORD", "CREDENTIAL",
  "AUTH", "PRIVATE", "API_KEY", "ACCESS_KEY",
];
```

⚠️ Potential issue | 🔴 Critical

Critical: Case-sensitive matching misses lowercase sensitive variables.

The sensitivePatterns array contains uppercase strings, but the matching in isSensitive uses case-sensitive includes(). Variables like api_key, secret, password, or auth_token would bypass detection and have their values exposed.

🔎 Proposed fix to use case-insensitive matching
-      const isSensitive = (name: string): boolean => {
-        return sensitivePatterns.some(pattern => name.includes(pattern));
-      };
+      const isSensitive = (name: string): boolean => {
+        const upperName = name.toUpperCase();
+        return sensitivePatterns.some(pattern => upperName.includes(pattern));
+      };
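Review bot: the `toUpperCase()` normalisation here closes the case gap against the uppercase list on lines 301-304, but two things are worth noting in the same spot. Because `includes()` is a substring test, "API_KEY" and "ACCESS_KEY" in that list are already covered by "KEY" and can be dropped, and "AUTH" will also flag any variable whose name merely contains that substring (over-redaction rather than a leak, so acceptable). This change only decides which values become "[REDACTED]"; the variable name itself is still returned unless the `.filter` on lines 310-315 also excludes it.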

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In @server/index.ts around lines 301-304, The detection is case-sensitive:
update the sensitivePatterns handling in isSensitive to perform case-insensitive
matching (e.g., normalize candidate names with .toLowerCase() and store patterns
in lowercase or compile case-insensitive regexes) so keys like "api_key",
"secret", "password", and "auth_token" are detected; adjust the
sensitivePatterns array to lowercase tokens
("key","secret","token","password","credential","auth","private","api_key","access_key")
and change the includes() check to compare against the lowercased variable name
within the isSensitive function.

Comment thread server/index.ts
Comment on lines +310 to +315
```ts
const envVars = Object.entries(process.env)
  .filter(([key]) => safeVariables.includes(key) || key.startsWith("LC_") || key.startsWith("XDG_"))
  .map(([key, value]) => ({
    name: key,
    value: isSensitive(key) ? "[REDACTED]" : (value || ""),
  }));
```

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Scripts executed (repository: coderabbit-demo/btop):

```shell
# Get the actual code context around lines 310-315
head -320 server/index.ts | tail -30

# Check for the isSensitive function definition
rg -n "isSensitive" --type=ts --type=js

# Search for tests or documentation about environment variable filtering
rg -n -C3 "envVars|REDACTED|environment.*filter|safeVariables" --type=ts --type=js

# Look for security guidelines or comments about this behavior
rg -n -C5 "LC_|XDG_|sensitive.*variable|expose.*variable" --type=ts --type=js
```


Filter out environment variables with sensitive names, not just redact their values.

The code comment states "Only expose safe, non-sensitive variables," but the current implementation exposes variable names that match sensitive patterns (e.g., LC_API_TOKEN or XDG_SECRET_KEY) when they start with those prefixes, even though their values are redacted. This is an information disclosure issue—revealing that a sensitive variable exists contradicts the stated intent.

Either exclude sensitive variables entirely from the response or adjust the intent comment to clarify that only values are redacted.

🤖 Prompt for AI Agents
In @server/index.ts around lines 310-315, The envVars construction reveals the
names of sensitive environment variables because it includes keys that start
with "LC_" or "XDG_" even when values are redacted; update the filter so envVars
only includes truly non-sensitive variables by removing the key-starts-with
check and only allowing keys present in safeVariables (or add an explicit
isSensitive(name) check in the .filter to exclude sensitive names), keeping the
.map redaction logic (isSensitive) unchanged; refer to envVars, safeVariables,
and isSensitive to locate and modify the filtering logic accordingly.
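To make both review findings concrete, the following is an added example, not the project's `server/index.ts`: it places the merged filter beside a hardened version that matches case-insensitively and drops sensitive names instead of returning them with a redacted value. The `safeVariables` subset, the function names and the sample environment are assumed or constructed here.

```typescript
// Added example, not the project's server/index.ts: the merged filter beside a hardened one.
// safeVariables here is an assumed subset; the sample environment below is constructed.
const safeVariables = ["PATH", "HOME", "USER", "SHELL", "LANG", "TERM"];
const sensitivePatterns = ["KEY", "SECRET", "TOKEN", "PASSWORD", "CREDENTIAL", "AUTH", "PRIVATE"];
interface EnvEntry { name: string; value: string; }

// As merged: case-sensitive substring match, so "secret" or "api_key" pass undetected.
function isSensitiveOriginal(name: string): boolean {
  return sensitivePatterns.some((p) => name.includes(p));
}

// Finding 1 fix: normalise the name before matching against the uppercase patterns.
function isSensitive(name: string): boolean {
  const upper = name.toUpperCase();
  return sensitivePatterns.some((p) => upper.includes(p));
}

// Shared allowlist rule from the PR: explicit names plus the LC_/XDG_ prefixes.
function isAllowed(key: string): boolean {
  return safeVariables.includes(key) || key.startsWith("LC_") || key.startsWith("XDG_");
}

// As merged: a prefixed name is kept and only its value is redacted,
// so the existence of a sensitive variable is still disclosed.
function filterEnvOriginal(env: Record<string, string | undefined>): EnvEntry[] {
  return Object.entries(env)
    .filter(([key]) => isAllowed(key))
    .map(([key, value]) => ({ name: key, value: isSensitiveOriginal(key) ? "[REDACTED]" : (value ?? "") }));
}

// Finding 2 fix: drop sensitive names entirely instead of redacting their values.
function filterEnvHardened(env: Record<string, string | undefined>): EnvEntry[] {
  return Object.entries(env)
    .filter(([key]) => isAllowed(key) && !isSensitive(key))
    .map(([key, value]) => ({ name: key, value: value ?? "" }));
}

// Constructed sample environment (not captured from a real host).
const sampleEnv: Record<string, string> = {
  PATH: "/usr/bin:/bin",
  LC_ALL: "en_US.UTF-8",
  LC_API_TOKEN: "tok-constructed",      // merged code returns the name with value "[REDACTED]"
  XDG_secret_key: "sk-constructed",     // lowercase: merged code returns the real value
  AWS_SECRET_ACCESS_KEY: "never-shown", // not allowlisted, dropped by both versions
};

function names(entries: EnvEntry[]): string[] {
  return entries.map((e) => e.name);
}
```

Running both filters over `sampleEnv` shows the merged version returning four entries, including the real value of `XDG_secret_key` and the name `LC_API_TOKEN`, while the hardened version returns only `PATH` and `LC_ALL`.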

@jbingham17 jbingham17 merged commit c315fa9 into main Jan 6, 2026
1 check passed