fix: strip credential env vars from child-process environment on Windows#9991
Open
mmaietta wants to merge 1 commit into
Open
fix: strip credential env vars from child-process environment on Windows#9991mmaietta wants to merge 1 commit into
mmaietta wants to merge 1 commit into
Conversation
…nt on Windows (F1) getProcessEnv previously returned the Windows environment unchanged, so every child process (signtool, makeappx, package managers) inherited credential vars such as CSC_KEY_PASSWORD, WIN_CSC_KEY_PASSWORD, and publish tokens. It now applies the same credential deny-list (stripSensitiveEnvVars) on Windows that the other platforms already use, for both the explicit-env and inherited-env cases. Signing tools receive the certificate password as an explicit CLI argument, not via the environment, and the deny-list is verified not to drop required Windows system vars (PATH, SYSTEMROOT, TEMP, etc.), so signing and tool launches are unaffected. Adds stripSensitiveEnvVars unit tests covering secret removal, system-var preservation, and prototype-pollution safety. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🦋 Changeset detectedLatest commit: 1ea11fd The changes in this PR will be included in the next version bump. This PR includes changesets to release 10 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
erikian
reviewed
Jun 28, 2026
| // (PATH, SYSTEMROOT, TEMP, etc.). | ||
| if (process.platform === "win32") { | ||
| return env == null ? undefined : env | ||
| return stripSensitiveEnvVars(env == null ? process.env : env) |
Member
There was a problem hiding this comment.
question: on non-Windows platforms, stripSensitiveEnvVars is not called when a explicit env is present, is the different behavior on Windows expected or is the non-Windows code just incorrect?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
getProcessEnvpreviously returned the Windows environment unchanged, so every spawned tool (signtool, makeappx, package managers) inherited credential vars such asCSC_KEY_PASSWORD,WIN_CSC_KEY_PASSWORD, and publish tokens. It now applies the same credential deny-list (stripSensitiveEnvVars) on Windows that the other platforms already use, for both the explicit-env and inherited-env paths. Required Windows system vars (PATH,SYSTEMROOT,TEMP, etc.) are preserved, and signing tools already receive the certificate password as an explicit CLI argument rather than via the environment, so signing is unaffected.