| عنوان | nextlevelbuilder GoClaw 3.13.2 Improper Authorization (CWE-285) |
|---|
| الوصف | # Technical Details
An Improper Authorization issue exists in the `CheckCommand` method in `internal/tools/exec_approval.go` of GoClaw.
The application fails to consider command option semantics when classifying "safe" binaries under `tools.execApproval.security="full"` and `tools.execApproval.ask="on-miss"`. The public `POST /v1/tools/invoke` API lets authenticated operators reach `ExecTool.Execute()`, which calls `ExecApprovalManager.CheckCommand(command)`. That code auto-allows any basename in `safeBins`, including `sort` and `grep`, even when their options are used for file writes or recursive reads.
# Vulnerable Code
File: internal/tools/exec_approval.go
Method: ExecApprovalManager.CheckCommand
Why: In full-security mode, the code returns `allow` if `m.matchesAllowlist(command) || m.isSafeBin(command)`. The built-in `safeBins` set includes `"sort": true` and `"grep": true`, so `sort -o sort-output.txt input.txt` writes files and `grep -R PATTERN .` recursively reads workspace contents without human approval.
# Reproduction
1. Configure GoClaw `3.13.2` with `tools.execApproval.security="full"` and `tools.execApproval.ask="on-miss"`.
2. Send a control `exec` request such as `touch should-require-approval.txt` and verify it creates a pending approval.
3. Send `sort -o sort-output.txt input.txt` or `grep -R SAFE_BINS_STDIN_ONLY_BYPASS_CANARY .` through `POST /v1/tools/invoke` and observe that the actions run without pending approval.
# Impact
- Operators can write files with `sort -o` and recursively read workspace contents with `grep -R` without review.
- This defeats the approval workflow administrators expect to protect the `exec` tool. |
|---|
| المصدر | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1206 |
|---|
| المستخدم | Eric-e (UID 97581) |
|---|
| ارسال | 11/06/2026 10:38 AM (1 شهر منذ) |
|---|
| الاعتدال | 13/07/2026 07:24 PM (1 month later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand تجاوز الصلاحيات] |
|---|
| النقاط | 0 |
|---|