Skip to content

security: strip OPEN_TERMINAL_* from subprocess env#128

Open
mazzz1y wants to merge 1 commit into
open-webui:mainfrom
mazzz1y:security/sanitize-subprocess-env
Open

security: strip OPEN_TERMINAL_* from subprocess env#128
mazzz1y wants to merge 1 commit into
open-webui:mainfrom
mazzz1y:security/sanitize-subprocess-env

Conversation

@mazzz1y

@mazzz1y mazzz1y commented May 19, 2026

Copy link
Copy Markdown

User-spawned shells and commands inherited the full parent environment, including OPEN_TERMINAL_API_KEY. A user running env | grep OPEN_TERMINAL_ inside an /execute command or /api/terminals session could read internal configuration meant only for the server process.

This is the minimal, conservative fix:

  • OPEN_TERMINAL_* keys are stripped. Other variables such as PATH, HOME, USER, SHELL, TERM, LANG, etc pass through unchanged, so user shells continue to feel normal.
  • Caller-supplied env in POST /execute still wins on collision — authenticated callers can explicitly re-add any variable.

Tested in my environment — REST API with OpenWebUI

Another option was introducing a prefix convention to fully separate server variables from sandbox variables — e.g. SANDBOX_API_KEY on the server side becomes API_KEY inside the user's shell. This would give stronger isolation but is likely a breaking change: operators currently set env vars in their Dockerfile / compose / launch scripts and expect them to pass through to user commands. For that reason I did not choose this approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant