fix(cli): prevent ZX_* control-plane injection via --env file

l3tchupkt · l3tchupkt · commit ade620795fc2 · 2026-03-30T18:48:13.000+05:30
loading a .env file via --env merges its contents into process.env, which
resolveDefaults() then blindly promotes into live execution settings.  An
attacker who can modify the .env file (supply-chain PR, compromised dep) can
set ZX_PREFIX/ZX_POSTFIX/ZX_SHELL to arbitrary shell code that runs for every
 call in an otherwise-trusted script.

Fix: snapshot ZX_* keys present in process.env before dotenv.config() runs,
then purge any ZX_* key introduced by the file before resolveDefaults() sees
the environment.  Legitimate ZX_* variables set by the operator (e.g. from the
shell that launched zx) are preserved; only file-injected ones are stripped.

Reported-by: LAKSHMIKANTHAN K (letchupkt)
CWE: CWE-94 / CWE-77 (Command Injection)
diff --git a/src/cli.ts b/src/cli.ts
@@ -112,7 +112,19 @@ export async function main(): Promise<void> {
   if (argv.cwd) $.cwd = argv.cwd
   if (argv.env) {
     const envfile = path.resolve($.cwd ?? process.cwd(), argv.env)
+    // Security: snapshot the ZX_* keys that existed BEFORE loading the env
+    // file so that attacker-controlled entries (e.g. ZX_PREFIX, ZX_POSTFIX,
+    // ZX_SHELL) cannot pollute the execution control-plane.
+    const zxKeysBefore = new Set(
+      Object.keys(process.env).filter((k) => k.startsWith('ZX_'))
+    )
     dotenv.config(envfile)
+    // Purge any ZX_* key that was not present before the env-file was loaded.
+    for (const k of Object.keys(process.env)) {
+      if (k.startsWith('ZX_') && !zxKeysBefore.has(k)) {
+        delete process.env[k]
+      }
+    }
     resolveDefaults()
   }
   if (argv.verbose) $.verbose = true
