fix(docker): add explicit env allowlist for container credentials (#1436)

Docker terminal sessions are secret-dark by default. This adds terminal.docker_forward_env as an explicit allowlist for env vars that may be forwarded into Docker containers. Values resolve from the current shell first, then fall back to ~/.hermes/.env. Only variables the user explicitly lists are forwarded — nothing is auto-exposed. Cherry-picked from PR #1449 by @teknium1, conflict-resolved onto current main. Fixes #1436 Supersedes #1439
2026-04-25 00:51:20 +00:00 · 2026-03-17 02:34:25 -07:00 · 2026-03-17 02:34:25 -07:00 · 556e0f4b43
commit 556e0f4b43
parent d50e0711c2
12 changed files with 170 additions and 2 deletions
--- a/tools/environments/docker.py
+++ b/tools/environments/docker.py
@ -7,6 +7,7 @@ persistence via bind mounts.

 import logging
 import os
+import re
 import shutil
 import subprocess
 import sys
@ -30,6 +31,42 @@ _DOCKER_SEARCH_PATHS = [
 ]

 _docker_executable: Optional[str] = None  # resolved once, cached
+_ENV_VAR_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
+
+
+def _normalize_forward_env_names(forward_env: list[str] | None) -> list[str]:
+    """Return a deduplicated list of valid environment variable names."""
+    normalized: list[str] = []
+    seen: set[str] = set()
+
+    for item in forward_env or []:
+        if not isinstance(item, str):
+            logger.warning("Ignoring non-string docker_forward_env entry: %r", item)
+            continue
+
+        key = item.strip()
+        if not key:
+            continue
+        if not _ENV_VAR_NAME_RE.match(key):
+            logger.warning("Ignoring invalid docker_forward_env entry: %r", item)
+            continue
+        if key in seen:
+            continue
+
+        seen.add(key)
+        normalized.append(key)
+
+    return normalized
+
+
+def _load_hermes_env_vars() -> dict[str, str]:
+    """Load ~/.hermes/.env values without failing Docker command execution."""
+    try:
+        from hermes_cli.config import load_env
+
+        return load_env() or {}
+    except Exception:
+        return {}


 def find_docker() -> Optional[str]:
@ -171,6 +208,7 @@ class DockerEnvironment(BaseEnvironment):
        persistent_filesystem: bool = False,
        task_id: str = "default",
        volumes: list = None,
+        forward_env: list[str] | None = None,
        network: bool = True,
        host_cwd: str = None,
        auto_mount_cwd: bool = False,
@ -181,6 +219,7 @@ class DockerEnvironment(BaseEnvironment):
        self._base_image = image
        self._persistent = persistent_filesystem
        self._task_id = task_id
+        self._forward_env = _normalize_forward_env_names(forward_env)
        self._container_id: Optional[str] = None
        logger.info(f"DockerEnvironment volumes: {volumes}")
        # Ensure volumes is a list (config.yaml could be malformed)
@ -355,8 +394,12 @@ class DockerEnvironment(BaseEnvironment):
        if effective_stdin is not None:
            cmd.append("-i")
        cmd.extend(["-w", work_dir])
-        for key in self._inner.config.forward_env:
-            if (value := os.getenv(key)) is not None:
+        hermes_env = _load_hermes_env_vars() if self._forward_env else {}
+        for key in self._forward_env:
+            value = os.getenv(key)
+            if value is None:
+                value = hermes_env.get(key)
+            if value is not None:
                cmd.extend(["-e", f"{key}={value}"])
        for key, value in self._inner.config.env.items():
            cmd.extend(["-e", f"{key}={value}"])