Submission #815713: haojing8312 WorkClaw v0.1.0 - v0.6.3 Incomplete Blacklist Information

Title: haojing8312 WorkClaw v0.1.0 - v0.6.3 Incomplete Blacklist
Description: The is_dangerous function contains critical security vulnerabilities that lead to CWE-78: OS Command Injection and CWE-184: Incomplete Blacklist. The function attempts to block malicious system commands using a hardcoded blacklist and naive substring matching, but its flawed design enables complete bypass of all protection mechanisms, exposing the system to severe risks including arbitrary command execution, data loss, and system compromise.

The core issue stems from improper input validation and filtering. The function only checks for fixed hardcoded patterns with strict single-space formatting, failing to handle common shell syntax variations such as multiple spaces, tabs, line breaks, quoted parameters, escaped characters, and absolute command paths. It performs no command boundary validation, allowing attackers to easily construct malicious commands that avoid substring matching. Additionally, the blacklist is extremely limited and misses widespread dangerous operations, while the lowercase conversion provides no real security value on case-sensitive operating systems.

These weaknesses mean the function cannot effectively neutralize special elements within OS commands. Attackers can craft valid malicious commands that bypass detection entirely, leading to unauthorized system modification, file deletion, disk formatting, and full system takeover. This inadequate filtering creates a critical security gap under the pretext of protection, making the function unsafe for production use and directly enabling OS command injection attacks. More details: https://github.com/haojing8312/WorkClaw/issues/4
Source: https://github.com/haojing8312/WorkClaw/issues/4
User: ybdesire (UID 83239)
Submitted: 2026-04-29 16:31 (1 month ago)
Moderated: 2026-05-26 12:39 (27 days later)
Status: Accepted
VulDB entry: 365627 [haojing8312 WorkClaw up to 0.6.4 Blacklist bash.rs is_dangerous privilege escalation]
Points: 20
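The following is an added example and is not WorkClaw's code; the page does not reproduce the blacklist in bash.rs, so the patterns below are assumptions. It puts a naive substring check of the kind the report describes (lowercase, fixed single-spaced patterns) next to a check that lexes the line the way a shell would before deciding: whitespace variants, `r''m`-style quoting, `bash -c '...'` wrapping, pipelines and `>/dev/sdX` redirections are all resolved to what would actually execute. The function names (`is_dangerous_naive`, `is_dangerous_hardened`, `split_commands`) and the wrapper, program and device lists are illustrative; a real fix should also allowlist permitted programs rather than rely on any denylist.

```rust
// Added example, not WorkClaw's code. Every list below is an assumption for
// illustration, not the project's actual blacklist.

const NAIVE_BLACKLIST: &[&str] = &["rm -rf", "mkfs", "dd if=", "> /dev/sd"];
const WRAPPERS: &[&str] = &["sudo", "doas", "env", "command", "exec", "nohup", "nice", "time"];
const DENY_PROGRAMS: &[&str] = &["dd", "shred", "fdisk", "sfdisk", "wipefs", "parted"];
const INTERPRETERS: &[&str] = &["sh", "bash", "dash", "zsh", "ksh"];
const BLOCK_DEV_PREFIXES: &[&str] = &["/dev/sd", "/dev/nvme", "/dev/vd", "/dev/xvd", "/dev/mmcblk"];

/// The flawed pattern (CWE-184): lowercase the line and look for fixed, single-spaced
/// substrings. A tab, a second space, `r''m` or `bash -c '...'` all pass; an argument that
/// merely contains the text (`echo 'rm -rf'`) is a false positive.
pub fn is_dangerous_naive(cmd: &str) -> bool {
    let lower = cmd.to_lowercase();
    NAIVE_BLACKLIST.iter().any(|p| lower.contains(p))
}

/// Minimal shell lexer: splits a line into simple commands on `;`, newline, `|`, `&`,
/// `(`, `)` and backticks, and each command into words, honouring quotes and backslashes.
/// Quotes are removed on purpose so `r''m` becomes `rm`, as the shell would see it.
/// Not modeled: variable expansion, heredocs, `2>` style redirections.
fn split_commands(line: &str) -> Vec<Vec<String>> {
    let (mut cmds, mut argv, mut tok) = (Vec::new(), Vec::new(), String::new());
    let (mut in_tok, mut quote) = (false, None::<char>);
    let mut chars = line.chars();
    while let Some(c) = chars.next() {
        match quote {
            Some(q) if c == q => quote = None,
            Some('"') if c == '\\' => { if let Some(n) = chars.next() { tok.push(n); } }
            Some(_) => tok.push(c),
            None => match c {
                '\'' | '"' => { quote = Some(c); in_tok = true; }
                '\\' => { if let Some(n) = chars.next() { if n != '\n' { tok.push(n); in_tok = true; } } }
                ' ' | '\t' | '\r' => { if in_tok { argv.push(std::mem::take(&mut tok)); in_tok = false; } }
                ';' | '\n' | '|' | '&' | '(' | ')' | '`' => {
                    if in_tok { argv.push(std::mem::take(&mut tok)); in_tok = false; }
                    if !argv.is_empty() { cmds.push(std::mem::take(&mut argv)); }
                }
                _ => { tok.push(c); in_tok = true; }
            },
        }
    }
    if in_tok { argv.push(tok); }
    if !argv.is_empty() { cmds.push(argv); }
    cmds
}

fn basename(p: &str) -> &str { p.rsplit('/').next().unwrap_or(p) }

/// `VAR=value` words that may precede the program name (accepted by the shell and by env).
fn is_assignment(t: &str) -> bool {
    t.find('=').map_or(false, |i| i > 0 && t[..i].chars().all(|c| c.is_ascii_alphanumeric() || c == '_'))
}

/// Decide on one simple command: what program runs, with which flags, writing where.
fn check_argv(argv: &[String]) -> Option<String> {
    // Skip wrappers, assignments and leading options so `sudo env X=1 /bin/rm` resolves to `rm`.
    // (Option arguments of wrappers, e.g. `sudo -u root`, are not modeled.)
    let mut i = 0;
    while i < argv.len()
        && (WRAPPERS.contains(&basename(&argv[i])) || is_assignment(&argv[i]) || argv[i].starts_with('-'))
    { i += 1; }
    let prog = basename(argv.get(i)?);
    let args = &argv[i + 1..];

    if DENY_PROGRAMS.contains(&prog) || prog.starts_with("mkfs") {
        return Some(format!("destructive program: {}", prog));
    }
    // Recursive rm in any flag spelling or order: -rf, -fr, -r -f, --recursive.
    let recursive = |a: &String| a == "--recursive"
        || (a.starts_with('-') && !a.starts_with("--") && a.chars().any(|c| c == 'r' || c == 'R'));
    if prog == "rm" && args.iter().any(recursive) {
        return Some("recursive rm".to_string());
    }
    // Interpreters: inspect the -c script instead of trusting the outer, quoted line.
    if INTERPRETERS.contains(&prog) {
        if let Some(script) = args.iter().position(|a| a == "-c").and_then(|p| args.get(p + 1)) {
            if let Some(r) = is_dangerous_hardened(script) {
                return Some(format!("{} -c: {}", prog, r));
            }
        }
    }
    // Redirection onto a raw block device, with or without a space after `>`.
    for (k, t) in argv.iter().enumerate() {
        if t.starts_with('>') {
            let mut target = t.trim_start_matches('>');
            if target.is_empty() { target = argv.get(k + 1).map_or("", String::as_str); }
            if BLOCK_DEV_PREFIXES.iter().any(|p| target.starts_with(p)) {
                return Some(format!("write to block device {}", target));
            }
        }
    }
    None
}

/// Parse first, then decide on what the shell would actually execute.
/// Returns the reason a line was refused, or None.
pub fn is_dangerous_hardened(line: &str) -> Option<String> {
    split_commands(line).iter().find_map(|argv| check_argv(argv))
}

fn main() {
    // Constructed sample lines: bypasses of the naive check, plus two of its false positives.
    let samples = ["rm  -rf /", "rm\t-fr /", "r''m -rf /", "bash -c 'rm\t-rf /'",
                   "cat x | dd of=/dev/sda", "echo hi >/dev/sda",
                   "echo 'rm -rf' is dangerous", "git rm -rf --cached build/"];
    for s in samples.iter() {
        println!("{:<30} naive={:<5} hardened={:?}",
                 s.escape_default().to_string(), is_dangerous_naive(s), is_dangerous_hardened(s));
    }
}
```

Running `main` prints the verdict of both checks for each constructed line: every bypass in the first six is missed by the naive check and refused by the parsing one, while the last two (a quoted argument and `git rm`) are flagged only by the naive check. The parsing check is still a denylist and still has gaps (wrapper option arguments, `$VAR` expansion, `2>` redirections); it is here to show what substring matching cannot do, not as a drop-in fix.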
