जमा करें #856826: nextlevelbuilder GoClaw 3.13.3-beta.3 Use of Incorrectly-Resolved Name or Reference (CWE-706)जानकारी

शीर्षकnextlevelbuilder GoClaw 3.13.3-beta.3 Use of Incorrectly-Resolved Name or Reference (CWE-706)
विवरण# Technical Details An Exec Approval Allowlist Basename Collision vulnerability exists in the `matchesAllowlist()` and `extractBin()` methods in `internal/tools/exec_approval.go` of GoClaw. The approval layer resolves the user-supplied command to a basename via `extractBin()` (which returns `filepath.Base(fields[0])`), collapsing relative paths like `./echo` to the basename `echo`. If the allowlist contains `echo`, the check passes. However, execution later runs the original command string (`./echo`) through `/bin/sh -c`, causing a workspace-placed malicious binary to execute with host privileges. # Vulnerable Code File: internal/tools/exec_approval.go Method: matchesAllowlist() and extractBin() Why: `extractBin()` returns `filepath.Base(fields[0])`, so `./echo` resolves to `echo`. `matchesAllowlist()` matches allowlist patterns against this basename first. The approval decision trusts `echo`, but `ExecTool.Execute()` passes the original `./echo` to `executeOnHost()` which runs `/bin/sh -c ./echo`, executing the attacker-controlled workspace binary. # Reproduction 1. Configure GoClaw with `tools.execApproval.security=allowlist` and allowlist `["echo"]`. 2. Place a malicious `echo` binary in the workspace that prints a canary string. 3. Send `POST /v1/tools/invoke` with `{"tool":"exec","args":{"command":"./echo","working_dir":"<workspace>"}}`. 4. Observe: HTTP 200 returned, canary output from the workspace binary. 5. Control test: use allowlist `["/bin/echo"]` — the workspace `./echo` is correctly denied with HTTP 400 and `TOOL_ERROR`. # Impact - Operator-triggered execution of attacker-chosen workspace binaries with GoClaw host privileges - Bypass of exec approval allowlist intended to constrain which commands may run automatically - Local file access, host network reachability, and compromise of secrets or automation capabilities available to the service account
स्रोत⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1213
उपयोगकर्ता
 Erichen (UID 98955)
सबमिशन12/06/2026 10:39 AM (1 महीना पहले)
संयम17/07/2026 05:57 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि379829 [nextlevelbuilder GoClaw तक 3.13.3-beta.3 exec_approval.go matchesAllowlist/extractBin अधिकार वृद्धि]
अंक20

Do you know our Splunk app?

Download it now for free!