| 标题 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284) |
|---|
| 描述 | # Technical Details
An access-control bypass exists in the launcher `IPAllowlist` middleware in `web/backend/middleware/access_control.go` of PicoClaw.
The application fails to distinguish the real remote client from a same-host reverse proxy. The middleware trusts `r.RemoteAddr` as client identity and unconditionally allows loopback peers before evaluating configured `allowed_cidrs`.
# Vulnerable Code
File: `web/backend/middleware/access_control.go`
Method: `IPAllowlist`, `clientIPFromRemoteAddr`
Why: Uses only the immediate TCP peer from `RemoteAddr` and bypasses CIDR checks when the peer is loopback.
File: `web/backend/main.go`
Method: launcher middleware setup
Why: Installs `IPAllowlist` before dashboard authentication, making this the intended network boundary for launcher routes.
# Reproduction
1. Configure the launcher with `public: true` and restrictive `allowed_cidrs`.
2. Place a reverse proxy on the same host that forwards remote traffic to the launcher on `127.0.0.1`.
3. Send a direct non-allowlisted request and observe `403`.
4. Send the same request through the same-host proxy and observe that the launcher accepts it as loopback traffic.
# Impact
- Bypasses launcher network exposure restrictions.
- Exposes endpoints that operators intended to restrict by CIDR.
- May expose `/api/auth/status`, `/api/auth/setup`, and other launcher API routes to unauthorized remote clients. |
|---|
| 来源 | ⚠️ https://github.com/sipeed/picoclaw/issues/3069 |
|---|
| 用户 | Eric-d (UID 96861) |
|---|
| 提交 | 2026-06-09 12時16分 (1 月前) |
|---|
| 管理 | 2026-07-09 20時07分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 377259 [Sipeed PicoClaw 直到 0.2.9 Launcher access_control.go IPAllowlist 权限提升] |
|---|
| 积分 | 20 |
|---|