Enviar #855848: nextlevelbuilder GoClaw 3.13.2 OS Command Injection (CWE-78)información

Títulonextlevelbuilder GoClaw 3.13.2 OS Command Injection (CWE-78)
Descripción# Technical Details An OS Command Injection vulnerability exists in the `matchesAllowlist` method in `internal/tools/exec_approval.go` of GoClaw. The application fails to normalize or segment shell chains before approval. The documented `POST /v1/tools/invoke` API accepts user-controlled `args.command`, `ExecApprovalManager.CheckCommand()` authorizes the request if the first token matches the allowlist, and `ExecTool.Execute()` later executes the unchanged command string with `/bin/sh -c` on POSIX systems. As a result, a payload like `echo allowlisted && touch /path/to/canary` is approved because the first token is `echo`, but the shell also executes the second command segment. # Vulnerable Code File: internal/tools/exec_approval.go Method: matchesAllowlist Why: The allowlist compares only `extractBin(command)` to configured patterns. After that, `internal/tools/shell.go` calls `executeOnHost(ctx, command, cwd)` and `exec.Command(shellPath, "-c", command)`, so shell operators such as `&&` remain interpreted by the host shell. # Reproduction 1. Configure GoClaw `3.13.2` with the built-in `exec` tool enabled, `tools.execApproval.security="allowlist"`, `tools.execApproval.ask="off"`, and an allowlist containing `echo`. 2. Submit `POST /v1/tools/invoke` with `args.command` set to `echo allowlisted && touch /path/to/canary`. 3. Confirm that a direct `touch /path/to/canary` request is denied but the chained payload is accepted and creates the canary file. # Impact - Authenticated operators can execute non-allowlisted host commands by chaining them after an allowlisted prefix. - This permits unauthorized file creation, modification, follow-on payload staging, and broader host-side command execution.
Fuente⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1208
Usuario Eric-e (UID 97581)
Sumisión2026-06-11 10:39 (hace 1 mes)
Moderación2026-07-13 19:24 (1 month later)
EstadoDuplicado
Entrada de VulDB378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand escalada de privilegios]
Puntos0

Do you need the next level of professionalism?

Upgrade your account now!