| عنوان | Sipeed PicoClaw <= 0.2.9 Server-Side Request Forgery (CWE-918) |
|---|
| الوصف | # Technical Details
A Server-Side Request Forgery protection bypass exists in the `WebFetchTool.Execute` / HTTP client proxy path in `pkg/tools/integration/web.go` and `pkg/utils/http_client.go` of PicoClaw.
The application fails to validate the final destination reached through environment-configured HTTP proxies. When `tools.web.proxy` is empty, `CreateHTTPClient` uses `http.ProxyFromEnvironment`; `allowConfiguredProxyFirstHop` then allowlists only the proxy first hop, while the proxy resolves and connects to the attacker-controlled internal destination.
# Vulnerable Code
File: `pkg/utils/http_client.go`
Method: `CreateHTTPClient`
Why: Uses `http.ProxyFromEnvironment` when no explicit proxy is configured, causing `HTTP_PROXY`, `HTTPS_PROXY`, or `ALL_PROXY` to alter the final request path.
File: `pkg/tools/integration/web.go`
Method: `WebFetchTool.Execute`, `allowConfiguredProxyFirstHop`, `newSafeDialContext`
Why: The SSRF dial guard validates the proxy first hop and returns early for that host, but does not validate the final URL destination that the proxy connects to.
# Reproduction
1. Run PicoClaw <= 0.2.9 with `web_fetch` enabled, `tools.web.proxy` empty, and `HTTP_PROXY` set to an attacker-controlled/local proxy.
2. Trigger `web_fetch` with a URL such as `http://metadata.internal-target.test:<port>/secret`.
3. Observe the proxy receives the absolute internal destination URL and PicoClaw returns the internal canary response.
4. Run the same request without the proxy environment variable and observe the canary is not retrieved.
# Impact
- Bypasses PicoClaw's intended private-host SSRF protection.
- Allows retrieval of loopback/internal HTTP resources through a proxy.
- May expose cloud metadata endpoints, local admin services, internal APIs, credentials, or network topology. |
|---|
| المصدر | ⚠️ https://github.com/sipeed/picoclaw/issues/3078 |
|---|
| المستخدم | Eric-d (UID 96861) |
|---|
| ارسال | 09/06/2026 12:12 PM (1 شهر منذ) |
|---|
| الاعتدال | 09/07/2026 08:07 PM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 377257 [Sipeed PicoClaw حتى 0.2.9 Guarded Web Fetch Flow web.go WebFetchTool.Execute تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|