lywsvip/sandbox-runtime
1
0
Fork 0
mirror of https://github.com/anthropic-experimental/sandbox-runtime.git synced 2026-05-06 21:52:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix environment variable quoting for sandbox commands

Browse Source 
- Remove outer double quotes from GIT_SSH_COMMAND value in sandbox-utils.ts
  The value should be raw since bwrap --setenv sets it directly without
  shell interpretation

- Use `env` command instead of export string concatenation in macOS sandbox
  Each VAR=value is now a separate argument that shellquote handles properly,
  avoiding shell parsing issues with values containing spaces or quotes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
ollie-anthropic
2025-12-15 16:00:11 +00:00
parent d35b813640
commit 544308b273
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/sandbox/macos-sandbox-utils.ts
View File

@@ -685,7 +685,7 @@ export function wrapCommandWithSandboxMacOS(
})
// Generate proxy environment variables using shared utility
const proxyEnv = `export ${generateProxyEnvVars(httpProxyPort, socksProxyPort).join(' ')} && `
const proxyEnvArgs = generateProxyEnvVars(httpProxyPort, socksProxyPort)
// Use the user's shell (zsh, bash, etc.) to ensure aliases/snapshots work
// Resolve the full path to the shell binary
@@ -696,13 +696,17 @@ export function wrapCommandWithSandboxMacOS(
}
const shell = shellPathResult.stdout.trim()
// Use `env` command to set environment variables - each VAR=value is a separate
// argument that shellquote handles properly, avoiding shell quoting issues
const wrappedCommand = shellquote.quote([
'env',
...proxyEnvArgs,
'sandbox-exec',
'-p',
profile,
shell,
'-c',
proxyEnv + command,
command,
])
logForDebugging(

3
src/sandbox/sandbox-utils.ts
View File

@@ -203,8 +203,9 @@ export function generateProxyEnvVars(
// Configure Git to use SSH through SOCKS proxy (platform-aware)
if (getPlatform() === 'macos') {
// macOS has nc available
// Note: No outer quotes - bwrap --setenv sets the value directly without shell interpretation
envVars.push(
`GIT_SSH_COMMAND="ssh -o ProxyCommand='nc -X 5 -x localhost:${socksProxyPort} %h %p'"`,
`GIT_SSH_COMMAND=ssh -o ProxyCommand='nc -X 5 -x localhost:${socksProxyPort} %h %p'`,
)
}