提出 #856856: nextlevelbuilder GoClaw 3.13.2 Incorrect Authorization (CWE-863)情報

タイトルnextlevelbuilder GoClaw 3.13.2 Incorrect Authorization (CWE-863)
説明# Technical Details An authorization bypass exists in the `exec` approval flow in `internal/tools/exec_approval.go` of GoClaw. The application uses only the basename (`filepath.Base`) of the command as the trust key in the `alwaysAllow` map. When an operator approves a pathless command like `canary-bin` with `always=true`, a later path-scoped command such as `./canary-bin` or `/tmp/canary-bin` is accepted without a second approval because they all normalize to the same cache key `canary-bin`, even though they resolve to different executables. # Vulnerable Code File: internal/tools/exec_approval.go Method: extractBin() / RequestApproval() / matchesAllowlist() Why: `extractBin()` calls `filepath.Base(fields[0])`, collapsing `canary-bin`, `./canary-bin`, and `/tmp/canary-bin` all to the same key `canary-bin`. `RequestApproval()` stores `always=true` trust decisions under this basename-only key. Later `matchesAllowlist()` reuses the same key, so a different path-scoped executable from the caller-controlled working directory satisfies the previously granted trust without a new approval. # Reproduction 1. Configure `tools.execApproval.security=allowlist` and `tools.execApproval.ask=on-miss` with an empty allowlist. 2. Seed `PATH` with a benign `canary-bin` that prints `PATH_OK`. 3. Place a different `./canary-bin` in the workspace that writes `BYPASS_CONFIRMED`. 4. Invoke `canary-bin` via `POST /v1/tools/invoke` and approve the pending request with `always=true`. 5. Invoke `./canary-bin` via the same endpoint — it succeeds immediately with no second approval, executing the workspace binary. # Impact - Attackers can reuse one `allow-always` approval for a pathless executable to execute attacker-chosen binaries from a writable workspace on the host. - Bypasses the intended human confirmation boundary in deployments relying on `allowlist + ask=on-miss` approval mode. - Allows unauthorized host command execution by subverting the exec approval policy.
ソース⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1216
ユーザー
 Eric-g (UID 96879)
送信2026年06月12日 10:54 (1 月 ago)
モデレーション2026年07月17日 17:57 (1 month later)
ステータス承諾済み
VulDBエントリ379831 [nextlevelbuilder GoClaw 迄 3.13.2 exec_approval.go extractBin/RequestApproval/matchesAllowlist 特権昇格]
ポイント20

Do you need the next level of professionalism?

Upgrade your account now!