Soumettre #856856: nextlevelbuilder GoClaw 3.13.2 Incorrect Authorization (CWE-863)information

Titrenextlevelbuilder GoClaw 3.13.2 Incorrect Authorization (CWE-863)
Description# Technical Details An authorization bypass exists in the `exec` approval flow in `internal/tools/exec_approval.go` of GoClaw. The application uses only the basename (`filepath.Base`) of the command as the trust key in the `alwaysAllow` map. When an operator approves a pathless command like `canary-bin` with `always=true`, a later path-scoped command such as `./canary-bin` or `/tmp/canary-bin` is accepted without a second approval because they all normalize to the same cache key `canary-bin`, even though they resolve to different executables. # Vulnerable Code File: internal/tools/exec_approval.go Method: extractBin() / RequestApproval() / matchesAllowlist() Why: `extractBin()` calls `filepath.Base(fields[0])`, collapsing `canary-bin`, `./canary-bin`, and `/tmp/canary-bin` all to the same key `canary-bin`. `RequestApproval()` stores `always=true` trust decisions under this basename-only key. Later `matchesAllowlist()` reuses the same key, so a different path-scoped executable from the caller-controlled working directory satisfies the previously granted trust without a new approval. # Reproduction 1. Configure `tools.execApproval.security=allowlist` and `tools.execApproval.ask=on-miss` with an empty allowlist. 2. Seed `PATH` with a benign `canary-bin` that prints `PATH_OK`. 3. Place a different `./canary-bin` in the workspace that writes `BYPASS_CONFIRMED`. 4. Invoke `canary-bin` via `POST /v1/tools/invoke` and approve the pending request with `always=true`. 5. Invoke `./canary-bin` via the same endpoint — it succeeds immediately with no second approval, executing the workspace binary. # Impact - Attackers can reuse one `allow-always` approval for a pathless executable to execute attacker-chosen binaries from a writable workspace on the host. - Bypasses the intended human confirmation boundary in deployments relying on `allowlist + ask=on-miss` approval mode. - Allows unauthorized host command execution by subverting the exec approval policy.
La source⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1216
Utilisateur
 Eric-g (UID 96879)
Soumission12/06/2026 10:54 (il y a 1 mois)
Modérer17/07/2026 17:57 (1 month later)
StatutAccepté
Entrée VulDB379831 [nextlevelbuilder GoClaw jusqu’à 3.13.2 exec_approval.go extractBin/RequestApproval/matchesAllowlist élévation de privilèges]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!