| शीर्षक | AstrBotDevs AstrBot <= 4.25.5 Improper Link Resolution Before File Access (CWE-59) |
|---|
| विवरण | # Technical Details
An improper link resolution vulnerability exists in the local-runtime filesystem computer-use tools in `astrbot/core/tools/computer_tools/fs.py` of AstrBot.
The application intends to restrict non-admin local-runtime users to approved workspace roots, but the authorization check validates only resolved pathname containment. It does not verify whether the final file object is a hardlink alias to a file outside the workspace. As a result, an in-workspace hardlink can be used to read or overwrite an out-of-workspace file on the same filesystem.
# Vulnerable Code
File: `astrbot/core/tools/computer_tools/fs.py`
Method: `_is_path_within_allowed_roots`
Why: The function resolves the requested path and authorizes it if the pathname is under an allowed root, without validating final inode identity or hardlink aliasing.
File: `astrbot/core/tools/computer_tools/fs.py`
Method: `_normalize_rw_path`
Why: The function accepts the path after pathname containment checks and returns it to the read/write sinks.
File: `astrbot/core/tools/computer_tools/fs.py`
Method: `FileReadTool.call`
Why: The read tool relies on `_normalize_rw_path()` and passes the approved path directly to the local filesystem backend.
File: `astrbot/core/tools/computer_tools/fs.py`
Method: `FileWriteTool.call`
Why: The write tool performs the same flawed authorization flow and forwards the approved path to `sb.fs.write_file`, enabling overwrite of the outside file through the hardlink alias.
# Reproduction
1. Run AstrBot `<= 4.25.5` in local runtime mode with `provider_settings.computer_use_require_admin=True`.
2. Use a non-admin `member` session with workspace access such as `data/workspaces/qq_friend_hardlink`.
3. Create an out-of-workspace file on the same filesystem that the AstrBot process can read or write.
4. Confirm that direct access such as `../outside/secret.txt` is denied by `astrbot_file_read_tool` and `astrbot_file_write_tool`.
5. Create an in-workspace hardlink, for example `linked.txt`, pointing to the outside file.
6. Read `linked.txt` through `FileReadTool.call()` and observe that the outside file content is returned.
7. Write `linked.txt` through `FileWriteTool.call()` and observe that the outside file content changes.
# Impact
- A non-admin local-runtime member can bypass AstrBot's workspace-only filesystem boundary.
- The attacker can read host-local files outside the intended workspace if those files can be hardlinked and are readable by the AstrBot process.
- The attacker can overwrite out-of-workspace files under the same hardlink and process-permission conditions.
- This compromises confidentiality and integrity of files reachable under the AstrBot runtime account. |
|---|
| स्रोत | ⚠️ https://gist.github.com/YLChen-007/d2581be79bb3caf9a032b0614dfc7728 |
|---|
| उपयोगकर्ता | Eric-d (UID 96861) |
|---|
| सबमिशन | 09/06/2026 12:05 PM (1 महीना पहले) |
|---|
| संयम | 17/07/2026 03:39 PM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 379792 [AstrBotDevs AstrBot तक 4.25.5 Filesystem Computer-Use Tool fs.py _normalize_rw_path अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|