提出 #856883: nearai ironclaw 0.29.1 Improper Link Resolution Before File Access (CWE-59)情報

タイトルnearai ironclaw 0.29.1 Improper Link Resolution Before File Access (CWE-59)
説明# Technical Details A `write_file` sandbox escape exists in the `validate_path()` function in `src/tools/builtin/path_utils.rs` of ironclaw. The sandbox validator resolves existing paths safely via canonicalization, but for non-existent paths it only canonicalizes the nearest existing ancestor and re-appends the unresolved lexical tail. When the final path component is a dangling symlink targeting outside `base_dir`, the validator treats it as a non-existent in-sandbox file, but the later `tokio::fs::write` follows the symlink and writes to the out-of-root target. This path-boundary bypass occurs because the validator and the write sink disagree about the final filesystem target. # Vulnerable Code File: src/tools/builtin/path_utils.rs Method: validate_path() Why: For non-existent paths, the function walks up to the nearest existing ancestor, canonicalizes it, and re-appends the unresolved tail. A dangling final symlink survives this check because `resolved.exists()` is false, so the symlink target is never resolved before `starts_with(base_canonical)`. File: src/tools/builtin/file.rs Method: WriteFileTool::execute() Why: The write sink accepts the validated path and passes it directly to `tokio::fs::write`, which follows the dangling symlink to an out-of-root target. # Reproduction 1. Checkout nearai/ironclaw at release tag `ironclaw-v0.29.1`. 2. Create a dangling symlink inside the sandbox pointing outside `base_dir`. 3. Call `write_file` with the dangling symlink path and crafted content. 4. Observe the write succeeds and the content lands outside the sandbox. 5. Run the control without a symlink and observe the write stays within `base_dir`. # Impact - Arbitrary file write outside the intended `base_dir` sandbox boundary. - Can break isolation between projects, corrupt host-side files, or poison future execution state. - Overwrites configuration and automation artifacts trusted by the runtime.
ソース⚠️ https://github.com/nearai/ironclaw/issues/4797
ユーザー
 Eric-x (UID 94869)
送信2026年06月12日 11:52 (1 月 ago)
モデレーション2026年07月17日 18:16 (1 month later)
ステータス承諾済み
VulDBエントリ379848 [nearai ironclaw 迄 0.29.1 write_file path_utils.rs validate_path 特権昇格]
ポイント20

Do you want to use VulDB in your project?

Use the official API to access entries easily!