oh-my-opencode/src/features/claude-code-mcp-loader/env-expander.ts at 8a287dfd590bc0a3fc445d6f8a9fce97065bf645 · Vacbo/oh-my-opencode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import { log } from "../../shared/logger"
import {
  isAllowedMcpEnvVar,
  isSensitiveMcpEnvVar,
} from "./configure-allowed-env-vars"

export interface ExpandEnvVarsOptions {
  trusted?: boolean
}

export function expandEnvVars(value: string, options: ExpandEnvVarsOptions = {}): string {
  const { trusted = false } = options
  return value.replace(
    /\$\{([^}:]+)(?::-([^}]*))?\}/g,
    (_, varName: string, defaultValue?: string) => {
      if (!trusted && !isAllowedMcpEnvVar(varName)) {
        const isSensitive = isSensitiveMcpEnvVar(varName)
        const reason = isSensitive ? "sensitive variable" : "not in allowlist"

        log(`Blocked MCP env var expansion for ${reason} "${varName}"`, {
          varName,
          sensitive: isSensitive,
        })

        if (defaultValue !== undefined) return defaultValue
        return ""
      }

      const envValue = process.env[varName]
      if (envValue !== undefined) return envValue
      if (defaultValue !== undefined) return defaultValue
      return ""
    }
  )
}

export function expandEnvVarsInObject<T>(obj: T, options: ExpandEnvVarsOptions = {}): T {
  if (obj == null) return obj
  if (typeof obj === "string") return expandEnvVars(obj, options) as T
  if (Array.isArray(obj)) {
    return obj.map((item) => expandEnvVarsInObject(item, options)) as T
  }
  if (typeof obj === "object") {
    const result: Record<string, unknown> = {}
    for (const [key, value] of Object.entries(obj)) {
      result[key] = expandEnvVarsInObject(value, options)
    }
    return result as T
  }
  return obj
}