إرسال #855804: nextlevelbuilder GoClaw 3.11.3 Command Execution Policy Bypass (CWE-184)المعلومات

عنوانnextlevelbuilder GoClaw 3.11.3 Command Execution Policy Bypass (CWE-184)
الوصف# Technical Details A Command Execution Policy Bypass exists in the `CheckCommand` method in `internal/tools/exec_approval.go` of GoClaw. The application fails to validate the full command semantics under `tools.execApproval.security=allowlist`. The public `POST /v1/tools/invoke` API accepts operator-supplied `args.command`, `ExecApprovalManager.CheckCommand()` classifies only the outer token via `extractBin(command)`, and `ExecTool.executeOnHost()` later passes the original string to `sh -c`. A transparent wrapper such as `env` can therefore be allowlisted while an inner shell payload still executes. # Vulnerable Code File: internal/tools/exec_approval.go Method: ExecApprovalManager.CheckCommand Why: Policy uses `matchesAllowlist(command)` and `extractBin(command)` to classify `env /bin/sh -c 'echo VULNERABLE_BYPASS > marker.txt'` as `env`, but `internal/tools/shell.go` later executes the original command string with `exec.Command("sh", "-c", command)`. # Reproduction 1. Enable the `exec` builtin on GoClaw `3.11.3` and configure `tools.execApproval.security=allowlist` with a wrapper such as `env` in the allowlist. 2. Send `POST /v1/tools/invoke` to the `exec` tool with a payload like `env /bin/sh -c 'echo VULNERABLE_BYPASS > marker.txt'`. 3. Observe that the request is approved as `env` and the inner shell command still creates the marker file. # Impact - Authenticated operators can execute shell payloads that should be blocked by the allowlist. - This breaks the intended host-command restriction boundary and enables unauthorized file writes and further host-side command execution.
المصدر⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1200
المستخدم
 Eric-b (UID 96354)
ارسال11/06/2026 09:10 AM (1 شهر منذ)
الاعتدال13/07/2026 07:23 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand تجاوز الصلاحيات]
النقاط20

Do you want to use VulDB in your project?

Use the official API to access entries easily!