fix(cli-proxy): normalize exec exitCode and harden env key filtering

Author: Copilot

containers/cli-proxy/package-lock.json

@@ -40,6 +40,8 @@ const PROTECTED_ENV_KEYS = Object.freeze({
   [Symbol.iterator]() { return _PROTECTED_ENV_KEYS[Symbol.iterator](); },
 });
 
+const UNSAFE_ENV_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+
 // --- Structured logging to /var/log/cli-proxy/access.jsonl ---
 
 const LOG_DIR = process.env.AWF_CLI_PROXY_LOG_DIR || '/var/log/cli-proxy';
@@ -215,7 +217,12 @@ function buildExecEnv(extraEnv) {
   if (extraEnv && typeof extraEnv === 'object') {
     // Only allow safe string env overrides; never allow overriding keys in PROTECTED_ENV_KEYS.
     for (const [key, value] of Object.entries(extraEnv)) {
-      if (typeof key === 'string' && typeof value === 'string' && !PROTECTED_ENV_KEYS.has(key)) {
+      if (
+        typeof key === 'string'
+        && typeof value === 'string'
+        && !PROTECTED_ENV_KEYS.has(key)
+        && !UNSAFE_ENV_KEYS.has(key)
+      ) {
         childEnv[key] = value;
       }
     }
@@ -236,6 +243,19 @@ function buildExecEnv(extraEnv) {
  * @returns {Promise<{stdout: string, stderr: string, exitCode: number}>}
  */
 async function runGhCommand(args, childEnv, stdin) {
+  const normalizeExitCode = code => {
+    if (typeof code === 'number' && Number.isFinite(code)) {
+      return code;
+    }
+    if (typeof code === 'string') {
+      const parsedCode = Number.parseInt(code, 10);
+      if (!Number.isNaN(parsedCode)) {
+        return parsedCode;
+      }
+    }
+    return 1;
+  };
+
   try {
     return await new Promise((resolve, reject) => {
       const child = execFile('gh', args, {
@@ -253,7 +273,7 @@ async function runGhCommand(args, childEnv, stdin) {
         resolve({
           stdout: childStdout || '',
           stderr: childStderr || '',
-          exitCode: err ? (err.code || 1) : 0,
+          exitCode: err ? normalizeExitCode(err.code) : 0,
         });
       });
 

containers/cli-proxy/server.js

@@ -238,10 +238,14 @@ describe('buildExecEnv', () => {
     expect(env.GIT_SSL_CAINFO).toBe('/certs/git.crt');
   });
 
-  it('should silently skip non-string keys', () => {
-    // Object.entries coerces, but we guard typeof key === 'string'
-    const env = buildExecEnv({ MY_VAR: 'ok' });
+  it('should ignore dangerous prototype keys from JSON payloads', () => {
+    const extraEnv = JSON.parse('{"__proto__":"polluted","constructor":"polluted","prototype":"polluted","MY_VAR":"ok"}');
+    const env = buildExecEnv(extraEnv);
     expect(env.MY_VAR).toBe('ok');
+    expect(env.__proto__).toBe(Object.prototype);
+    expect(env.constructor).toBe(Object);
+    expect(env.prototype).toBeUndefined();
+    expect({}.polluted).toBeUndefined();
   });
 
   it('should silently skip non-string values', () => {
@@ -286,9 +290,8 @@ describe('runGhCommand', () => {
     process.env.PATH = '';
     try {
       const result = await runGhCommand(['--version'], process.env, null);
-      // When the binary is not found, exitCode is the ENOENT error code (truthy, non-zero)
-      expect(result.exitCode).toBeTruthy();
-      expect(result.exitCode).not.toBe(0);
+      expect(typeof result.exitCode).toBe('number');
+      expect(result.exitCode).toBe(1);
     } finally {
       process.env.PATH = savedPath;
     }