जमा करें #855845: nextlevelbuilder GoClaw 3.13.3-beta.3 Command Execution Policy Bypass (CWE-184)जानकारी

शीर्षकnextlevelbuilder GoClaw 3.13.3-beta.3 Command Execution Policy Bypass (CWE-184)
विवरण# Technical Details A Command Execution Policy Bypass exists in the `matchesAllowlist` method in `internal/tools/exec_approval.go` of GoClaw. The application fails to parse shell chaining operators before approval. The public `POST /v1/tools/invoke` endpoint accepts operator-controlled `args.command`, `matchesAllowlist(command)` approves the request if the first token matches the allowlist, and the host execution sink later passes the original command string to `/bin/sh -c`. A payload like `echo VULN_OK && touch /tmp/canary` is therefore approved because `echo` is allowlisted, while the chained `touch` command also executes. # Vulnerable Code File: internal/tools/exec_approval.go Method: matchesAllowlist Why: The code compares only `extractBin(command)` against the allowlist, while `internal/tools/shell.go` forwards the original string to `executeOnHost()` and `exec.Command(shellPath, "-c", command)`, so shell operators such as `&&` and `;` remain active. # Reproduction 1. Configure GoClaw `3.13.3-beta.3` with the `exec` tool enabled, `security=allowlist`, `ask=off`, and an allowlist containing a leading command such as `echo`. 2. Invoke `POST /v1/tools/invoke` for `exec` with `args.command` set to `echo VULN_OK && touch /tmp/canary`. 3. Observe that the request succeeds and the non-allowlisted `touch` command creates the canary file. # Impact - Authenticated operators can execute additional non-allowlisted commands after an allowlisted prefix. - This can lead to unauthorized file writes, data access, persistence, and broader host-side command execution.
स्रोत⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1205
उपयोगकर्ता Eric-e (UID 97581)
सबमिशन11/06/2026 10:38 AM (1 महीना पहले)
संयम13/07/2026 07:24 PM (1 month later)
स्थितिप्रतिलिपि
VulDB प्रविष्टि378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand अधिकार वृद्धि]
अंक0

Do you need the next level of professionalism?

Upgrade your account now!