Add env confinement: allowed-env reference + guard check

soc1024 · claude · soc1024 · commit 05480a36154c · 2026-02-13T16:29:13.000-05:00
Baseline of 95 env vars captured from a clean ubuntu-24.04 runner
(image 20260209.23.1, runner 2.331.0). The guard step rejects the
job if any unexpected vars are present — defends against LD_PRELOAD,
NODE_OPTIONS, BASH_ENV, etc. injection without relying on a blocklist.

Inspired by dstack's allowed_envs model.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/allowed-env-reference.txt b/.github/allowed-env-reference.txt
@@ -0,0 +1,128 @@
+# Allowed environment variables for GitHub Actions ubuntu-latest runner
+# Captured 2026-02-13 from ubuntu-24.04 image version 20260209.23.1
+# Runner version: 2.331.0
+#
+# Any env var NOT in this list (or the workflow's ALLOWED_EXTRA) should
+# cause the job to abort immediately. This defends against env injection
+# attacks (LD_PRELOAD, NODE_OPTIONS, BASH_ENV, etc.) that can hijack
+# execution without changing the workflow YAML.
+#
+# See: https://www.elttam.com/blog/env/
+# See: https://www.synacktiv.com/en/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation
+
+# System/OS
+_
+HOME
+INVOCATION_ID
+JOURNAL_STREAM
+LANG
+LOGNAME
+MEMORY_PRESSURE_WATCH
+MEMORY_PRESSURE_WRITE
+PATH
+PWD
+SHELL
+SHLVL
+SYSTEMD_EXEC_PID
+USER
+XDG_CONFIG_HOME
+XDG_RUNTIME_DIR
+
+# GitHub Actions runner
+ACTIONS_ORCHESTRATION_ID
+ACTIONS_RUNNER_ACTION_ARCHIVE_CACHE
+CI
+ENABLE_RUNNER_TRACING
+GITHUB_ACTION
+GITHUB_ACTION_REF
+GITHUB_ACTION_REPOSITORY
+GITHUB_ACTIONS
+GITHUB_ACTOR
+GITHUB_ACTOR_ID
+GITHUB_API_URL
+GITHUB_BASE_REF
+GITHUB_ENV
+GITHUB_EVENT_NAME
+GITHUB_EVENT_PATH
+GITHUB_GRAPHQL_URL
+GITHUB_HEAD_REF
+GITHUB_JOB
+GITHUB_OUTPUT
+GITHUB_PATH
+GITHUB_REF
+GITHUB_REF_NAME
+GITHUB_REF_PROTECTED
+GITHUB_REF_TYPE
+GITHUB_REPOSITORY
+GITHUB_REPOSITORY_ID
+GITHUB_REPOSITORY_OWNER
+GITHUB_REPOSITORY_OWNER_ID
+GITHUB_RETENTION_DAYS
+GITHUB_RUN_ATTEMPT
+GITHUB_RUN_ID
+GITHUB_RUN_NUMBER
+GITHUB_SERVER_URL
+GITHUB_SHA
+GITHUB_STATE
+GITHUB_STEP_SUMMARY
+GITHUB_TRIGGERING_ACTOR
+GITHUB_WORKFLOW
+GITHUB_WORKFLOW_REF
+GITHUB_WORKFLOW_SHA
+GITHUB_WORKSPACE
+RUNNER_ARCH
+RUNNER_ENVIRONMENT
+RUNNER_NAME
+RUNNER_OS
+RUNNER_TEMP
+RUNNER_TOOL_CACHE
+RUNNER_TRACKING_ID
+RUNNER_WORKSPACE
+
+# Runner image: toolchains and SDKs
+ACCEPT_EULA
+AGENT_TOOLSDIRECTORY
+ANDROID_HOME
+ANDROID_NDK
+ANDROID_NDK_HOME
+ANDROID_NDK_LATEST_HOME
+ANDROID_NDK_ROOT
+ANDROID_SDK_ROOT
+ANT_HOME
+AZURE_EXTENSION_DIR
+BOOTSTRAP_HASKELL_NONINTERACTIVE
+CHROME_BIN
+CHROMEWEBDRIVER
+CONDA
+DEBIAN_FRONTEND
+DOTNET_MULTILEVEL_LOOKUP
+DOTNET_NOLOGO
+DOTNET_SKIP_FIRST_TIME_EXPERIENCE
+EDGEWEBDRIVER
+GECKOWEBDRIVER
+GHCUP_INSTALL_BASE_PREFIX
+GOROOT_1_22_X64
+GOROOT_1_23_X64
+GOROOT_1_24_X64
+GOROOT_1_25_X64
+GRADLE_HOME
+HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS
+HOMEBREW_NO_AUTO_UPDATE
+ImageOS
+ImageVersion
+JAVA_HOME
+JAVA_HOME_11_X64
+JAVA_HOME_17_X64
+JAVA_HOME_21_X64
+JAVA_HOME_25_X64
+JAVA_HOME_8_X64
+NVM_DIR
+PIPX_BIN_DIR
+PIPX_HOME
+POWERSHELL_DISTRIBUTION_CHANNEL
+PSModulePath
+SELENIUM_JAR_PATH
+SGX_AESM_ADDR
+SWIFT_PATH
+USE_BAZEL_FALLBACK_VERSION
+VCPKG_INSTALLATION_ROOT
diff --git a/.github/workflows/dump-env.yml b/.github/workflows/dump-env.yml
@@ -2,11 +2,43 @@ name: Dump Runner Environment
 on: workflow_dispatch
 
 jobs:
-  dump-env:
+  dump-clean:
+    name: Clean runner baseline
     runs-on: ubuntu-latest
     steps:
       - name: Env var names (sorted)
         run: env | cut -d= -f1 | sort
-
       - name: Full env dump
         run: env | sort
+
+  test-guard:
+    name: Test env confinement guard
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Environment confinement check
+        run: |
+          REF=".github/allowed-env-reference.txt"
+
+          # Strip comments and blank lines from reference
+          grep -v '^#' "$REF" | grep -v '^$' | sort -u > /tmp/allowed.txt
+
+          # Current env var names
+          env | cut -d= -f1 | sort -u > /tmp/current.txt
+
+          # Anything present that's not in the allowed list?
+          UNEXPECTED=$(comm -23 /tmp/current.txt /tmp/allowed.txt || true)
+
+          if [ -n "$UNEXPECTED" ]; then
+            echo "::error::Unexpected environment variables detected!"
+            echo "The following vars are NOT in .github/allowed-env-reference.txt:"
+            echo "$UNEXPECTED"
+            echo ""
+            echo "This could indicate env injection (LD_PRELOAD, NODE_OPTIONS, etc)."
+            echo "If these are legitimate, add them to allowed-env-reference.txt."
+            exit 1
+          fi
+
+          echo "Environment confinement check passed."
+          echo "$(wc -l < /tmp/current.txt) vars present, all in allowed list."
