From 6990f8aa6e4cf28b27ef2251eec4d197a5564873 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Tue, 5 May 2026 14:33:59 +0000
Subject: [PATCH] fix: V-001 security vulnerability

Automated security fix generated by Orbis Security AI
---
 app/session.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/session.ts b/app/session.ts
index 4b706b3d61da..4051822100fb 100644
--- a/app/session.ts
+++ b/app/session.ts
@@ -137,11 +137,12 @@ export default class Session extends EventEmitter {
 .join(':');
 }

- // Electron has a default value for process.env.GOOGLE_API_KEY
- // We don't want to leak this to the shell
+ // Electron injects certain API keys into process.env that we don't want to leak to the shell
 // See https://github.com/vercel/hyper/issues/696
- if (baseEnv.GOOGLE_API_KEY && process.env.GOOGLE_API_KEY === baseEnv.GOOGLE_API_KEY) {
- delete baseEnv.GOOGLE_API_KEY;
+ for (const key of ['GOOGLE_API_KEY', 'GOOGLE_DEFAULT_CLIENT_ID', 'GOOGLE_DEFAULT_CLIENT_SECRET']) {
+ if (baseEnv[key] && process.env[key] === baseEnv[key]) {
+ delete baseEnv[key];
+ }
 }

 const options: IWindowsPtyForkOptions = {
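Review bot: The new loop deletes `GOOGLE_DEFAULT_CLIENT_ID` and `GOOGLE_DEFAULT_CLIENT_SECRET` whenever `process.env[key] === baseEnv[key]`, and that test cannot distinguish a value supplied by Electron from one the user exported before launching the app, so a deliberately set credential would silently disappear from every spawned shell. The rewritten comment also replaces the specific statement about `GOOGLE_API_KEY` with "certain API keys", while the cited issue is the only visible justification and the removed comment tied it to `GOOGLE_API_KEY` alone. I would name the variables and the rule in the comment, e.g. `// Strip Google API credentials inherited unchanged from the Electron process; values overridden in baseEnv are kept`, and hoist the list to `const INHERITED_SECRET_ENV = ['GOOGLE_API_KEY', 'GOOGLE_DEFAULT_CLIENT_ID', 'GOOGLE_DEFAULT_CLIENT_SECRET'] as const;` so it is not rebuilt per session and the keys stay literal-typed. How `baseEnv` is assembled lies outside the hunk, so the user-export scenario is inferred from the equality check and should be confirmed against that code.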