From 5718c95e79bd36944e2e5178bf851d6cebad991b Mon Sep 17 00:00:00 2001
From: jbingham17 <jbingham@coderabbit.ai>
Date: Mon, 5 Jan 2026 16:01:29 -0800
Subject: [PATCH] Add security filtering to environment variables endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Implement allowlist of safe environment variables (PATH, HOME, USER, etc.)
- Add sensitive pattern detection to redact potential secrets
- Filter out variables not in the allowlist
- Allow LC_* and XDG_* prefixed variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 server/index.ts | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/server/index.ts b/server/index.ts
index ae951bc..963f9b8 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -288,11 +288,32 @@ const server = Bun.serve({
     }
 
     if (url.pathname === "/api/environment") {
-      // Return environment variables for system diagnostics
-      const envVars = Object.entries(process.env).map(([key, value]) => ({
-        name: key,
-        value: value || "",
-      }));
+      // Return filtered environment variables for system diagnostics
+      // Only expose safe, non-sensitive variables
+
+      const safeVariables = [
+        "PATH", "HOME", "USER", "SHELL", "TERM", "LANG", "LC_ALL",
+        "EDITOR", "VISUAL", "PAGER", "TZ", "PWD", "OLDPWD",
+        "HOSTNAME", "LOGNAME", "XDG_CONFIG_HOME", "XDG_DATA_HOME",
+        "NODE_ENV", "RUST_BACKTRACE", "PYTHONDONTWRITEBYTECODE",
+      ];
+
+      const sensitivePatterns = [
+        "KEY", "SECRET", "TOKEN", "PASSWORD", "CREDENTIAL",
+        "AUTH", "PRIVATE", "API_KEY", "ACCESS_KEY",
+      ];
+
+      const isSensitive = (name: string): boolean => {
+        return sensitivePatterns.some(pattern => name.includes(pattern));
+      };
+
+      const envVars = Object.entries(process.env)
+        .filter(([key]) => safeVariables.includes(key) || key.startsWith("LC_") || key.startsWith("XDG_"))
+        .map(([key, value]) => ({
+          name: key,
+          value: isSensitive(key) ? "[REDACTED]" : (value || ""),
+        }));
+
       return new Response(JSON.stringify({ variables: envVars }), {
         headers: {
           "Content-Type": "application/json",