Submeter #855848: nextlevelbuilder GoClaw 3.13.2 OS Command Injection (CWE-78)informação

Títulonextlevelbuilder GoClaw 3.13.2 OS Command Injection (CWE-78)
Descrição# Technical Details An OS Command Injection vulnerability exists in the `matchesAllowlist` method in `internal/tools/exec_approval.go` of GoClaw. The application fails to normalize or segment shell chains before approval. The documented `POST /v1/tools/invoke` API accepts user-controlled `args.command`, `ExecApprovalManager.CheckCommand()` authorizes the request if the first token matches the allowlist, and `ExecTool.Execute()` later executes the unchanged command string with `/bin/sh -c` on POSIX systems. As a result, a payload like `echo allowlisted && touch /path/to/canary` is approved because the first token is `echo`, but the shell also executes the second command segment. # Vulnerable Code File: internal/tools/exec_approval.go Method: matchesAllowlist Why: The allowlist compares only `extractBin(command)` to configured patterns. After that, `internal/tools/shell.go` calls `executeOnHost(ctx, command, cwd)` and `exec.Command(shellPath, "-c", command)`, so shell operators such as `&&` remain interpreted by the host shell. # Reproduction 1. Configure GoClaw `3.13.2` with the built-in `exec` tool enabled, `tools.execApproval.security="allowlist"`, `tools.execApproval.ask="off"`, and an allowlist containing `echo`. 2. Submit `POST /v1/tools/invoke` with `args.command` set to `echo allowlisted && touch /path/to/canary`. 3. Confirm that a direct `touch /path/to/canary` request is denied but the chained payload is accepted and creates the canary file. # Impact - Authenticated operators can execute non-allowlisted host commands by chaining them after an allowlisted prefix. - This permits unauthorized file creation, modification, follow-on payload staging, and broader host-side command execution.
Fonte⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1208
Utilizador Eric-e (UID 97581)
Submissão11/06/2026 10h39 (há 1 mês)
Moderação13/07/2026 19h24 (1 month later)
EstadoDuplicado
Entrada VulDB378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand Elevação de Privilégios]
Pontos0

Do you need the next level of professionalism?

Upgrade your account now!