Submit #815713: haojing8312 WorkClaw v0.1.0 - v0.6.3 Incomplete Blacklistinfo

Titlehaojing8312 WorkClaw v0.1.0 - v0.6.3 Incomplete Blacklist
DescriptionThe is_dangerous function contains critical security vulnerabilities that lead to CWE-78: OS Command Injection and CWE-184: Incomplete Blacklist. The function attempts to block malicious system commands using a hardcoded blacklist and naive substring matching, but its flawed design enables complete bypass of all protection mechanisms, exposing the system to severe risks including arbitrary command execution, data loss, and system compromise. The core issue stems from improper input validation and filtering. The function only checks for fixed hardcoded patterns with strict single-space formatting, failing to handle common shell syntax variations such as multiple spaces, tabs, line breaks, quoted parameters, escaped characters, and absolute command paths. It performs no command boundary validation, allowing attackers to easily construct malicious commands that avoid substring matching. Additionally, the blacklist is extremely limited and misses widespread dangerous operations, while the lowercase conversion provides no real security value on case-sensitive operating systems. These weaknesses mean the function cannot effectively neutralize special elements within OS commands. Attackers can craft valid malicious commands that bypass detection entirely, leading to unauthorized system modification, file deletion, disk formatting, and full system takeover. This inadequate filtering creates a critical security gap under the pretext of protection, making the function unsafe for production use and directly enabling OS command injection attacks. More details: https://github.com/haojing8312/WorkClaw/issues/4
Source⚠️ https://github.com/haojing8312/WorkClaw/issues/4
User
 ybdesire (UID 83239)
Submission04/29/2026 16:31 (2 months ago)
Moderation05/26/2026 12:39 (27 days later)
StatusAccepted
VulDB entry365627 [haojing8312 WorkClaw up to 0.6.4 Blacklist bash.rs is_dangerous os command injection]
Points20

Do you need the next level of professionalism?

Upgrade your account now!