fix(desktop): use allowlist for terminal env filtering to prevent secret leakage

[andreasasprou]

Summary

• Use allowlist approach to filter terminal environment variables
• Prevents Superset app secrets from leaking while preserving legitimate user env
• User's shell environment always wins over app defaults

Problem

In packaged Electron builds, NODE_ENV=production leaks into spawned terminal sessions. This causes pnpm install to skip devDependencies, breaking developer workflows.

Why / Context

The previous denylist approach had gaps - it blocked some vars but missed actual secrets.

Switched to allowlist because:

• Unknown vars (including secrets) excluded by default - no gaps
• User's VITE_/TURBO_ from their shell won't be stripped (they simply won't be in Electron's process.env)
• More secure by design

Threat Model

Prevent app secrets (DATABASE_URL, API keys from .env) from leaking to terminals. User shell config vars (proxy, tool paths) are intentionally allowed so terminals behave like the user's normal environment.

Note: Allowlisted vars like HTTP_PROXY may contain user-configured credentials - this is by design since users expect their proxy config to work.

What's Allowed (safe infrastructure vars)

Core shell:

• PATH, HOME, USER, SHELL, TERM, TMPDIR
• Locale: LANG, LC_*, TZ

SSH (critical for git):

• SSH_AUTH_SOCK, SSH_AGENT_PID

Proxy configuration:

• HTTP_PROXY, HTTPS_PROXY, NO_PROXY (both cases)
• ALL_PROXY, FTP_PROXY

Language version managers:

• NVM_DIR, NVM_BIN, NVM_INC, NVM_CD_FLAGS, NVM_RC_VERSION
• PYENV_ROOT, PYENV_SHELL, PYENV_VERSION
• RBENV_ROOT, RBENV_SHELL, RBENV_VERSION
• GOPATH, GOROOT, GOBIN
• CARGO_HOME, RUSTUP_HOME
• DENO_DIR, DENO_INSTALL, BUN_INSTALL
• PNPM_HOME, VOLTA_HOME, ASDF_DIR, FNM_DIR, SDKMAN_DIR

Developer tools (paths, not credentials):

• SSL/TLS: SSL_CERT_FILE, SSL_CERT_DIR, NODE_EXTRA_CA_CERTS
• Git: GIT_SSH_COMMAND, GIT_AUTHOR_*, GIT_COMMITTER_*, GIT_EDITOR
• AWS: AWS_PROFILE, AWS_DEFAULT_REGION, AWS_CONFIG_FILE (not credentials)
• Docker/K8s: DOCKER_HOST, DOCKER_CONFIG, KUBECONFIG
• SDKs: JAVA_HOME, ANDROID_HOME, FLUTTER_ROOT, DOTNET_ROOT

System paths:

• HOMEBREW_PREFIX, HOMEBREW_CELLAR, HOMEBREW_REPOSITORY
• XDG directories

Our metadata (prefix):

• SUPERSET_*

What's Excluded (everything else)

By design, anything not in the allowlist is excluded:

• NODE_ENV, NODE_OPTIONS, NODE_PATH - behavior-changing
• DATABASE_URL, CLERK_SECRET_KEY, NEON_API_KEY - secrets
• VITE_*, NEXT_PUBLIC_*, TURBO_* - build-time vars
• GOOGLE_API_KEY, GH_CLIENT_SECRET, SENTRY_AUTH_TOKEN - credentials

Manual QA

• Terminal spawns correctly
• echo $NODE_ENV returns empty
• pnpm install installs devDependencies as expected
• User shell profile env vars are preserved
• SSH authentication works (git push/pull)

Testing

• bun run typecheck ✓
• bun test src/main/lib/terminal/env.test.ts ✓ (65 tests)

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an allowlist-based environment sanitizer (exports buildSafeEnv and deprecated removeAppEnvVars), changes buildTerminalEnv to derive locale from a sanitized raw env and apply safety filtering before merging shell env, and expands tests for filtering, prefixes, platform behavior, and immutability.

Changes

Cohort / File(s)	Summary
Env implementation apps/desktop/src/main/lib/terminal/env.ts	Adds internal allowlist constants and prefix logic; exports buildSafeEnv(env, options?) and removeAppEnvVars(env) (deprecated wrapper); uses sanitized raw env to derive locale, then applies buildSafeEnv before merging shell env; removes explicit GOOGLE_API_KEY deletion.
Env tests apps/desktop/src/main/lib/terminal/env.test.ts	Adds comprehensive tests for buildSafeEnv and removeAppEnvVars: allowlist and prefix filtering (including SUPERSET_*), secrets/build-time var exclusion, Windows case-insensitive handling, immutability of inputs, empty-result cases, and expanded buildTerminalEnv metadata assertions; adds per-test env setup/teardown.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant App as Desktop App (main)
    participant Proc as process.env (raw)
    participant Sanitizer as buildSafeEnv
    participant Shell as shellEnv (user)
    participant Terminal as Spawned Terminal

    App->>Proc: read sanitized raw process.env
    Proc->>Sanitizer: provide raw env for locale detection & filtering
    Sanitizer-->>App: return allowed/sanitized base env
    Shell-->>App: provide shellEnv overrides
    App->>Terminal: merge(sanitized base env, shellEnv) -> final terminal env
    Note right of Terminal: Locale derived from raw/sanitized process.env\nSanitization applied before merge

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix(desktop): restore SUPERSET_ROOT_PATH and related env vars to terminal #311 — touches terminal SUPERSET_* metadata handling and passing workspaceName/workspacePath/rootPath into terminal sessions.

Poem

🐇 I hop through envs with whiskered cheer,

I guard the secrets and make lines clear,
Prefixes pruned and allowlists kept tight,
A tidy shell for morning and night—🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main security improvement—switching from a denylist to an allowlist approach to prevent secret leakage in terminal environment variables.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering summary, problem statement, threat model, allowlist details, manual QA, and testing results.

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/desktop/src/main/lib/terminal/env.ts (1)

66-180: Excellent allowlist approach with comprehensive coverage.

The allowlist strategy is security-sound: unknown variables (including secrets) are excluded by default. The included categories cover the essential shell infrastructure, language tooling, and user preferences.

Optional: Consider adding a few more user-environment variables

If users report missing functionality, consider adding these to the allowlist:

 	"EDITOR",
 	"VISUAL",
 	"PAGER",
+	"MANPATH",        // Custom man page paths
+	"PKG_CONFIG_PATH", // Custom pkg-config paths
+	"INFOPATH",       // Custom info paths
+	"GPG_TTY",        // GPG terminal (needed for commit signing)

Note: Deliberately omitting LD_LIBRARY_PATH / DYLD_LIBRARY_PATH is reasonable—they can introduce security and stability risks if Electron's library paths leak to user shells.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f40e58b and a26d9b6.

📒 Files selected for processing (2)

• apps/desktop/src/main/lib/terminal/env.test.ts
• apps/desktop/src/main/lib/terminal/env.ts

🧰 Additional context used

📓 Path-based instructions (5)

apps/desktop/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/desktop/AGENTS.md)

apps/desktop/**/*.{ts,tsx}: For Electron interprocess communication, ALWAYS use tRPC as defined in src/lib/trpc
Use alias as defined in tsconfig.json when possible
Prefer zustand for state management if it makes sense. Do not use effect unless absolutely necessary.
For tRPC subscriptions with trpc-electron, ALWAYS use the observable pattern from @trpc/server/observable instead of async generators, as the library explicitly checks isObservable(result) and throws an error otherwise

Files:

• apps/desktop/src/main/lib/terminal/env.test.ts
• apps/desktop/src/main/lib/terminal/env.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use object parameters for functions with 2+ parameters instead of positional arguments
Functions with 2+ parameters should accept a single params object with named properties for self-documentation and extensibility
Use prefixed console logging with context pattern: [domain/operation] message
Extract magic numbers and hardcoded values to named constants at module top
Use lookup objects/maps instead of repeated if (type === ...) conditionals
Avoid using any type - maintain type safety in TypeScript code
Never swallow errors silently - at minimum log them with context
Import from concrete files directly when possible - avoid barrel file abuse that creates circular dependencies
Avoid deep nesting (4+ levels) - use early returns, extract functions, and invert conditions
Use named properties in options objects instead of boolean parameters to avoid boolean blindness

Files:

• apps/desktop/src/main/lib/terminal/env.test.ts
• apps/desktop/src/main/lib/terminal/env.ts

**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Co-locate tests with implementation files using .test.ts or .test.tsx suffix

Files:

• apps/desktop/src/main/lib/terminal/env.test.ts

apps/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Drizzle ORM for all database operations - never use raw SQL

Files:

• apps/desktop/src/main/lib/terminal/env.test.ts
• apps/desktop/src/main/lib/terminal/env.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Biome for formatting and linting - run at root level with bun run lint:fix or biome check --write

Files:

• apps/desktop/src/main/lib/terminal/env.test.ts
• apps/desktop/src/main/lib/terminal/env.ts

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-02T06:50:28.662Z
Learning: Applies to apps/desktop/src/main/index.ts : Load environment variables from monorepo root .env in desktop app with override: true before any imports in src/main/index.ts and electron.vite.config.ts

📚 Learning: 2026-01-02T06:50:28.662Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-02T06:50:28.662Z
Learning: Applies to apps/desktop/src/main/index.ts : Load environment variables from monorepo root .env in desktop app with override: true before any imports in src/main/index.ts and electron.vite.config.ts

Applied to files:

• apps/desktop/src/main/lib/terminal/env.test.ts
• apps/desktop/src/main/lib/terminal/env.ts

📚 Learning: 2026-01-02T06:50:28.662Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-02T06:50:28.662Z
Learning: Applies to apps/desktop/src/lib/electron-router-dom.ts : Do not import Node.js modules like node:path or dotenv in electron-router-dom.ts and similar shared files - they run in both main and renderer processes

Applied to files:

• apps/desktop/src/main/lib/terminal/env.test.ts

📚 Learning: 2026-01-02T06:50:28.662Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-02T06:50:28.662Z
Learning: Applies to apps/desktop/src/renderer/**/*.{ts,tsx} : Never import Node.js modules (fs, path, os, net) in renderer process or shared code - they are externalized for browser compatibility

Applied to files:

• apps/desktop/src/main/lib/terminal/env.test.ts

🧬 Code graph analysis (2)

apps/desktop/src/main/lib/terminal/env.test.ts (1)

apps/desktop/src/main/lib/terminal/env.ts (3)

• buildSafeEnv (191-210)
• removeAppEnvVars (215-219)
• buildTerminalEnv (221-267)

apps/desktop/src/main/lib/terminal/env.ts (1)

apps/desktop/src/main/lib/agent-setup/index.ts (1)

• getShellEnv (59-59)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build

🔇 Additional comments (7)

apps/desktop/src/main/lib/terminal/env.ts (3)

191-210: Clean and correct allowlist filtering implementation.

The logic properly checks exact matches before prefix matches, preserves immutability, and handles the filtering correctly.

---

215-219: Good backward compatibility strategy.

The deprecated wrapper cleanly delegates to the new implementation while giving consumers time to migrate.

---

240-248: Correct integration of allowlist filtering.

The use of rawBaseEnv for locale detection is appropriately defensive—it ensures getLocale has access to all locale-related variables before the allowlist filter is applied. The subsequent filtering via buildSafeEnv correctly prevents Electron's internal variables from leaking to user terminals.

apps/desktop/src/main/lib/terminal/env.test.ts (4)

107-384: Exceptionally thorough test coverage for buildSafeEnv.

The test suite systematically validates:

• Exclusion of dangerous runtime vars (NODE_ENV, NODE_OPTIONS, etc.)
• Exclusion of secrets (API keys, tokens, DB URLs)
• Exclusion of build-time vars (VITE_, NEXT_PUBLIC_, TURBO_*)
• Inclusion of all allowlisted categories (shell, SSH, language managers, proxies, locale, etc.)
• Prefix-based filtering (SUPERSET_, LC_)
• Non-mutation guarantee
• Edge cases (empty input)

This comprehensive coverage significantly reduces the risk of regressions.

---

386-393: Adequate coverage for the deprecated wrapper.

The test confirms correct delegation to buildSafeEnv, which is sufficient given the wrapper's simplicity and the comprehensive tests for the underlying function.

---

403-433: Excellent test hygiene with environment state restoration.

The beforeEach / afterEach hooks properly save and restore environment variables, preventing test pollution. This is especially important for tests that modify process.env directly.

---

435-529: Comprehensive tests for buildTerminalEnv behavior.

The tests thoroughly validate:

• Non-allowlisted variables from Electron's process.env are excluded from terminal sessions
• Terminal metadata (TERM_PROGRAM, COLORTERM) is correctly set
• Superset-specific environment variables are properly injected
• Optional parameters are handled gracefully (both present and absent)
• LANG is set to a UTF-8 locale

This ensures the allowlist filtering integrates correctly with terminal environment construction.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/desktop/src/main/lib/terminal/env.ts (1)

38-47: Consider adding error logging for locale detection failures.

While the fallback behavior is appropriate, the coding guidelines suggest never swallowing errors silently. Consider adding a console log with context when locale detection fails.

🔎 Optional improvement

 	try {
 		const result = execSync("locale 2>/dev/null | grep LANG= | cut -d= -f2", {
 			encoding: "utf-8",
 			timeout: 1000,
 		}).trim();
 		if (result?.includes("UTF-8")) {
 			return result;
 		}
-	} catch {
-		// Ignore - will use fallback
+	} catch (error) {
+		console.warn("[terminal/env] Locale detection failed, using fallback:", error);
 	}

Based on coding guidelines.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1dfc25d and 8039c9c.

📒 Files selected for processing (1)

• apps/desktop/src/main/lib/terminal/env.ts

🧰 Additional context used

📓 Path-based instructions (4)

apps/desktop/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/desktop/AGENTS.md)

apps/desktop/**/*.{ts,tsx}: For Electron interprocess communication, ALWAYS use tRPC as defined in src/lib/trpc
Use alias as defined in tsconfig.json when possible
Prefer zustand for state management if it makes sense. Do not use effect unless absolutely necessary.
For tRPC subscriptions with trpc-electron, ALWAYS use the observable pattern from @trpc/server/observable instead of async generators, as the library explicitly checks isObservable(result) and throws an error otherwise

Files:

• apps/desktop/src/main/lib/terminal/env.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use object parameters for functions with 2+ parameters instead of positional arguments
Functions with 2+ parameters should accept a single params object with named properties for self-documentation and extensibility
Use prefixed console logging with context pattern: [domain/operation] message
Extract magic numbers and hardcoded values to named constants at module top
Use lookup objects/maps instead of repeated if (type === ...) conditionals
Avoid using any type - maintain type safety in TypeScript code
Never swallow errors silently - at minimum log them with context
Import from concrete files directly when possible - avoid barrel file abuse that creates circular dependencies
Avoid deep nesting (4+ levels) - use early returns, extract functions, and invert conditions
Use named properties in options objects instead of boolean parameters to avoid boolean blindness

Files:

• apps/desktop/src/main/lib/terminal/env.ts

apps/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Drizzle ORM for all database operations - never use raw SQL

Files:

• apps/desktop/src/main/lib/terminal/env.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Biome for formatting and linting - run at root level with bun run lint:fix or biome check --write

Files:

• apps/desktop/src/main/lib/terminal/env.ts

🧠 Learnings (2)

📓 Common learnings

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-02T06:50:28.662Z
Learning: Applies to apps/desktop/src/main/index.ts : Load environment variables from monorepo root .env in desktop app with override: true before any imports in src/main/index.ts and electron.vite.config.ts

📚 Learning: 2026-01-02T06:50:28.662Z

Learnt from: CR
Repo: superset-sh/superset PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-02T06:50:28.662Z
Learning: Applies to apps/desktop/src/main/index.ts : Load environment variables from monorepo root .env in desktop app with override: true before any imports in src/main/index.ts and electron.vite.config.ts

Applied to files:

• apps/desktop/src/main/lib/terminal/env.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build

🔇 Additional comments (5)

apps/desktop/src/main/lib/terminal/env.ts (5)

66-227: Excellent allowlist design with strong security boundaries.

The allowlist is comprehensive and well-documented. The categorization is clear, and the security model correctly excludes app secrets (NODE_ENV, DATABASE_URL, API keys) while including essential infrastructure variables (PATH, HOME, SSH_AUTH_SOCK) and user configuration (proxy settings, language managers). The Windows case-insensitivity documentation is particularly helpful.

---

238-260: LGTM: Windows case-insensitivity correctly implemented.

The helper functions properly handle Windows' case-insensitive environment variables by converting keys to uppercase for matching while preserving original casing in the output. The logic is sound and well-documented.

---

262-303: LGTM: Clean implementation with excellent documentation.

The function correctly implements the allowlist filtering with proper documentation of the threat model. The optional platform parameter is a good design choice for testability, and the implementation preserves immutability.

---

305-312: LGTM: Good deprecation pattern.

The backward-compatible wrapper is well-documented and provides a clear migration path for existing code.

---

333-341: Clarify the use of rawBaseEnv for locale derivation.

Line 341 uses rawBaseEnv to derive the locale, but getLocale only reads LANG and LC_ALL, both of which are in the allowlist and would be present in baseEnv. Using baseEnv instead would be more consistent with the security model and make the code clearer. Is there a specific reason for using the unsanitized environment here?

If this was unintentional, consider this change:

🔎 Proposed simplification

 	const rawBaseEnv = sanitizeEnv(process.env) || {};
 	const baseEnv = buildSafeEnv(rawBaseEnv);
 
 	const shellEnv = getShellEnv(shell);
-	const locale = getLocale(rawBaseEnv);
+	const locale = getLocale(baseEnv);