| tiêu đề | nextlevelbuilder GoClaw 3.13.3-beta.3 Server-Side Request Forgery (CWE-918) |
|---|
| Mô tả | # Technical Details
A Server-Side Request Forgery exists in the `bytePlusDownloadVideo` method in `internal/tools/create_video_byteplus.go` of GoClaw.
The application fails to apply the product's SSRF protections to provider-returned media URLs. An authenticated operator can invoke `POST /v1/tools/invoke` and trigger the `create_video` workflow. If the upstream provider returns a malicious `output.video_url`, GoClaw fetches that URL with a plain `http.Client` from the gateway host itself. The issue also affects the same provider-returned download pattern in `internal/tools/create_video_gemini.go` and `internal/tools/create_video_minimax.go`.
# Vulnerable Code
File: internal/tools/create_video_byteplus.go
Method: bytePlusDownloadVideo
Why: After task success, the code reads `taskResp.Output.VideoURL` and downloads it with `http.NewRequestWithContext(..., videoURL, nil)` and `client.Do(req)` instead of using SSRF validation like `CheckSSRF(...)` and pinned-IP dialing used elsewhere such as `internal/tools/web_fetch.go`.
# Reproduction
1. Configure a vulnerable GoClaw instance on version `3.13.3-beta.3` with the `create_video` tool enabled and point it at a controlled or malicious video provider.
2. Invoke `POST /v1/tools/invoke` for `create_video` so the provider returns a crafted `video_url` such as a loopback or internal-network endpoint.
3. Observe that the GoClaw server fetches the attacker-chosen internal URL from the gateway host during media download.
# Impact
- Authenticated operators can coerce the gateway into fetching loopback, private-network, or metadata URLs.
- Internal HTTP responses, admin panels, and other non-public network resources may become reachable from the server's network position. |
|---|
| Nguồn | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1199 |
|---|
| Người dùng | Eric-b (UID 96354) |
|---|
| Đệ trình | 11/06/2026 09:10 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 13/07/2026 19:23 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 378126 [nextlevelbuilder GoClaw 3.13.3-beta.3 invoke Endpoint create_video_byteplus.go bytePlusDownloadVideo output.video_url nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|