Soumettre #856883: nearai ironclaw 0.29.1 Improper Link Resolution Before File Access (CWE-59)information

Titrenearai ironclaw 0.29.1 Improper Link Resolution Before File Access (CWE-59)
Description# Technical Details A `write_file` sandbox escape exists in the `validate_path()` function in `src/tools/builtin/path_utils.rs` of ironclaw. The sandbox validator resolves existing paths safely via canonicalization, but for non-existent paths it only canonicalizes the nearest existing ancestor and re-appends the unresolved lexical tail. When the final path component is a dangling symlink targeting outside `base_dir`, the validator treats it as a non-existent in-sandbox file, but the later `tokio::fs::write` follows the symlink and writes to the out-of-root target. This path-boundary bypass occurs because the validator and the write sink disagree about the final filesystem target. # Vulnerable Code File: src/tools/builtin/path_utils.rs Method: validate_path() Why: For non-existent paths, the function walks up to the nearest existing ancestor, canonicalizes it, and re-appends the unresolved tail. A dangling final symlink survives this check because `resolved.exists()` is false, so the symlink target is never resolved before `starts_with(base_canonical)`. File: src/tools/builtin/file.rs Method: WriteFileTool::execute() Why: The write sink accepts the validated path and passes it directly to `tokio::fs::write`, which follows the dangling symlink to an out-of-root target. # Reproduction 1. Checkout nearai/ironclaw at release tag `ironclaw-v0.29.1`. 2. Create a dangling symlink inside the sandbox pointing outside `base_dir`. 3. Call `write_file` with the dangling symlink path and crafted content. 4. Observe the write succeeds and the content lands outside the sandbox. 5. Run the control without a symlink and observe the write stays within `base_dir`. # Impact - Arbitrary file write outside the intended `base_dir` sandbox boundary. - Can break isolation between projects, corrupt host-side files, or poison future execution state. - Overwrites configuration and automation artifacts trusted by the runtime.
La source⚠️ https://github.com/nearai/ironclaw/issues/4797
Utilisateur
 Eric-x (UID 94869)
Soumission12/06/2026 11:52 (il y a 1 mois)
Modérer17/07/2026 18:16 (1 month later)
StatutAccepté
Entrée VulDB379848 [nearai ironclaw jusqu’à 0.29.1 write_file path_utils.rs validate_path élévation de privilèges]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!