| tiêu đề | zevorn rt-claw 0.2.0 Server-Side Request Forgery (CWE-918) |
|---|
| Mô tả | # Technical Details
A Server-Side Request Forgery vulnerability exists in the `http_request` tool in `claw/tools/tool_net.c` of rt-claw v0.2.0.
The application fails to validate destination URLs before performing outbound HTTP requests through the AI tool pipeline. When a user (or attacker) influences the assistant to invoke `http_request`, the tool reads the supplied `url` argument and passes it directly to `claw_net_get()` / `claw_net_post()`. The Linux backend in `osal/linux/claw_net_linux.c` then hands the unvalidated URL to libcurl without rejecting loopback addresses, RFC1918 ranges, or link-local targets. The response body is returned in the conversation output, making this non-blind SSRF. Remote IM integrations (Telegram, Feishu) feed untrusted message text into `ai_chat()`, providing a fully remote attack path.
# Vulnerable Code
File: claw/tools/tool_net.c (lines 402–450)
Method: tool_http_request() → claw_net_get() / claw_net_post()
Why: The function accepts URL from attacker-influenced tool-call parameters and forwards it without destination filtering. The Linux sink at `osal/linux/claw_net_linux.c` lines 115–126 sets `curl_easy_setopt(curl, CURLOPT_URL, url)` with no loopback/private-network guard.
# Reproduction
1. Build rt-claw v0.2.0 for Linux with `-Dosal=linux -Dtool_net=true`
2. Start a localhost canary HTTP server on `127.0.0.1` serving `/secret` and `/public`
3. Start a mock AI provider that returns `tool_calls` directing `http_request` to `http://127.0.0.1:<port>/secret`
4. Run the verification flow — canary server logs `canary hit /secret`, tool result contains the secret body
5. Run control: direct `http_request` to `/public` only — the `/secret` endpoint is never touched
# Impact
- Attackers can read loopback-only web interfaces, internal HTTP services, and cloud metadata endpoints
- Non-blind SSRF: HTTP response bodies are returned directly in tool output
- Default-enabled `tool_net` increases exposure in any deployment wiring remote input into the assistant
- Reachable via Telegram and Feishu IM integrations which forward untrusted messages into `ai_chat()` |
|---|
| Nguồn | ⚠️ https://github.com/zevorn/rt-claw/issues/139 |
|---|
| Người dùng | Eric-y (UID 95889) |
|---|
| Đệ trình | 12/06/2026 11:39 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 17/07/2026 18:08 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 379839 [zevorn rt-claw đến 0.2.0 http_request claw/tools/tool_net.c claw_net_get/claw_net_post url nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|