| 제목 | nextlevelbuilder GoClaw 3.13.2 OS Command Injection (CWE-78) |
|---|
| 설명 | # Technical Details
An OS Command Injection vulnerability exists in the `matchesAllowlist` method in `internal/tools/exec_approval.go` of GoClaw.
The application fails to normalize or segment shell chains before approval. The documented `POST /v1/tools/invoke` API accepts user-controlled `args.command`, `ExecApprovalManager.CheckCommand()` authorizes the request if the first token matches the allowlist, and `ExecTool.Execute()` later executes the unchanged command string with `/bin/sh -c` on POSIX systems. As a result, a payload like `echo allowlisted && touch /path/to/canary` is approved because the first token is `echo`, but the shell also executes the second command segment.
# Vulnerable Code
File: internal/tools/exec_approval.go
Method: matchesAllowlist
Why: The allowlist compares only `extractBin(command)` to configured patterns. After that, `internal/tools/shell.go` calls `executeOnHost(ctx, command, cwd)` and `exec.Command(shellPath, "-c", command)`, so shell operators such as `&&` remain interpreted by the host shell.
# Reproduction
1. Configure GoClaw `3.13.2` with the built-in `exec` tool enabled, `tools.execApproval.security="allowlist"`, `tools.execApproval.ask="off"`, and an allowlist containing `echo`.
2. Submit `POST /v1/tools/invoke` with `args.command` set to `echo allowlisted && touch /path/to/canary`.
3. Confirm that a direct `touch /path/to/canary` request is denied but the chained payload is accepted and creates the canary file.
# Impact
- Authenticated operators can execute non-allowlisted host commands by chaining them after an allowlisted prefix.
- This permits unauthorized file creation, modification, follow-on payload staging, and broader host-side command execution. |
|---|
| 원천 | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1208 |
|---|
| 사용자 | Eric-e (UID 97581) |
|---|
| 제출 | 2026. 06. 11. AM 10:39 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 13. PM 07:24 (1 month later) |
|---|
| 상태 | 중복 |
|---|
| VulDB 항목 | 378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand 권한 상승] |
|---|
| 포인트들 | 0 |
|---|