Gửi #855846: nextlevelbuilder GoClaw 3.13.2 Improper Authorization (CWE-285)thông tin

tiêu đềnextlevelbuilder GoClaw 3.13.2 Improper Authorization (CWE-285)
Mô tả# Technical Details An Improper Authorization issue exists in the `CheckCommand` method in `internal/tools/exec_approval.go` of GoClaw. The application fails to consider command option semantics when classifying "safe" binaries under `tools.execApproval.security="full"` and `tools.execApproval.ask="on-miss"`. The public `POST /v1/tools/invoke` API lets authenticated operators reach `ExecTool.Execute()`, which calls `ExecApprovalManager.CheckCommand(command)`. That code auto-allows any basename in `safeBins`, including `sort` and `grep`, even when their options are used for file writes or recursive reads. # Vulnerable Code File: internal/tools/exec_approval.go Method: ExecApprovalManager.CheckCommand Why: In full-security mode, the code returns `allow` if `m.matchesAllowlist(command) || m.isSafeBin(command)`. The built-in `safeBins` set includes `"sort": true` and `"grep": true`, so `sort -o sort-output.txt input.txt` writes files and `grep -R PATTERN .` recursively reads workspace contents without human approval. # Reproduction 1. Configure GoClaw `3.13.2` with `tools.execApproval.security="full"` and `tools.execApproval.ask="on-miss"`. 2. Send a control `exec` request such as `touch should-require-approval.txt` and verify it creates a pending approval. 3. Send `sort -o sort-output.txt input.txt` or `grep -R SAFE_BINS_STDIN_ONLY_BYPASS_CANARY .` through `POST /v1/tools/invoke` and observe that the actions run without pending approval. # Impact - Operators can write files with `sort -o` and recursively read workspace contents with `grep -R` without review. - This defeats the approval workflow administrators expect to protect the `exec` tool.
Nguồn⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1206
Người dùng Eric-e (UID 97581)
Đệ trình11/06/2026 10:38 (cách đây 1 tháng)
Kiểm duyệt13/07/2026 19:24 (1 month later)
Trạng tháiBản sao
Mục VulDB378127 [nextlevelbuilder GoClaw 3.11.3 exec_approval.go ExecApprovalManager.CheckCommand nâng cao đặc quyền]
điểm0

Do you need the next level of professionalism?

Upgrade your account now!