Submeter #855845: nextlevelbuilder GoClaw 3.13.3-beta.3 Command Execution Policy Bypass (CWE-184)informação

Títulonextlevelbuilder GoClaw 3.13.3-beta.3 Command Execution Policy Bypass (CWE-184)
Descrição# Technical Details A Command Execution Policy Bypass exists in the `matchesAllowlist` method in `internal/tools/exec_approval.go` of GoClaw. The application fails to parse shell chaining operators before approval. The public `POST /v1/tools/invoke` endpoint accepts operator-controlled `args.command`, `matchesAllowlist(command)` approves the request if the first token matches the allowlist, and the host execution sink later passes the original command string to `/bin/sh -c`. A payload like `echo VULN_OK && touch /tmp/canary` is therefore approved because `echo` is allowlisted, while the chained `touch` command also executes. # Vulnerable Code File: internal/tools/exec_approval.go Method: matchesAllowlist Why: The code compares only `extractBin(command)` against the allowlist, while `internal/tools/shell.go` forwards the original string to `executeOnHost()` and `exec.Command(shellPath, "-c", command)`, so shell operators such as `&&` and `;` remain active. # Reproduction 1. Configure GoClaw `3.13.3-beta.3` with the `exec` tool enabled, `security=allowlist`, `ask=off`, and an allowlist containing a leading command such as `echo`. 2. Invoke `POST /v1/tools/invoke` for `exec` with `args.command` set to `echo VULN_OK && touch /tmp/canary`. 3. Observe that the request succeeds and the non-allowlisted `touch` command creates the canary file. # Impact - Authenticated operators can execute additional non-allowlisted commands after an allowlisted prefix. - This can lead to unauthorized file writes, data access, persistence, and broader host-side command execution.
Fonte⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1205
Utilizador Eric-e (UID 97581)
Submissão11/06/2026 10h38 (há 1 mês)
Moderação13/07/2026 19h24 (1 month later)
EstadoDuplicado
Entrada VulDB378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand Elevação de Privilégios]
Pontos0

Do you need the next level of professionalism?

Upgrade your account now!