| tiêu đề | Sipeed PicoClaw <= 0.2.9 Time-of-check Time-of-use Race Condition (CWE-367) |
|---|
| Mô tả | # Technical Details
A TOCTOU race condition exists in the `exec` approval workflow in `pkg/agent/pipeline_execute.go`, `pkg/agent/hooks.go`, and `pkg/tools/shell.go` of PicoClaw.
The application fails to bind the directory identity reviewed by approval hooks to the directory ultimately used for command execution. Approval receives a raw mutable `cwd` string, while `ExecTool.executeRun()` later re-resolves symlinks immediately before launching the process.
# Vulnerable Code
File: `pkg/agent/pipeline_execute.go`
Method: tool approval request construction
Why: Passes raw `toolArgs`, including `cwd`, to approval hooks.
File: `pkg/agent/hooks.go`
Method: `ToolApprovalRequest`
Why: Stores `Arguments map[string]any`, so approval policies reason about an unbound path string.
File: `pkg/tools/shell.go`
Method: `ExecTool.executeRun`
Why: Calls `filepath.EvalSymlinks(cwd)` after approval and before `runSync`, allowing a symlink target swap to change the execution directory.
# Reproduction
1. Configure PicoClaw with hooks enabled and the `exec` tool enabled.
2. Create a workspace-local symlink `cwd-link` initially pointing to a safe directory.
3. Trigger an `exec` tool call using `cwd-link` and pause while approval is pending.
4. Retarget `cwd-link` to another workspace directory before execution resumes.
5. Observe approval saw the safe directory, but execution runs in the attacker-selected directory.
# Impact
- Breaks approval integrity for directory-sensitive command execution.
- Allows relative reads, writes, and command behavior to differ from what was approved.
- Undermines deployments that rely on approval hooks as a safety boundary for `exec`. |
|---|
| Nguồn | ⚠️ https://github.com/sipeed/picoclaw/issues/3081 |
|---|
| Người dùng | Eric-i (UID 97584) |
|---|
| Đệ trình | 09/06/2026 13:29 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 17/07/2026 15:50 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 379794 [Sipeed PicoClaw đến 0.2.9 pipeline_execute.go ExecTool.executeRun cwe điều kiện tranh chấp] |
|---|
| điểm | 20 |
|---|