| 标题 | Sipeed PicoClaw <= 0.2.9 Authentication Bypass by Capture-replay (CWE-294) |
|---|
| 描述 | # Technical Details
A webhook replay vulnerability exists in the LINE channel in `pkg/channels/line/line.go` of PicoClaw.
The application fails to suppress duplicate LINE webhook events after signature verification. `webhook.ParseRequest` validates the HMAC signature, but the handler dispatches every parsed event without replay cache or idempotency checks keyed by the stable LINE `message.id`.
# Vulnerable Code
File: `pkg/channels/line/line.go`
Method: LINE webhook handler
Why: Validates the signature, returns `200 OK`, and dispatches every event asynchronously without replay suppression.
File: `pkg/channels/line/line.go`
Method: `processEvent`
Why: Copies the stable LINE `message.id` into `InboundContext.MessageID` but never checks whether that ID has already been processed.
# Reproduction
1. Capture or construct a valid signed LINE webhook body.
2. Send the same signed webhook delivery twice to PicoClaw's LINE webhook endpoint.
3. Observe both requests receive `200`.
4. Observe the internal collector records two inbound events with the same `message.id`.
5. Run a control with distinct message IDs and observe each distinct event produces one delivery.
# Impact
- Allows duplicate agent execution for a single LINE platform event.
- Can trigger repeated replies, repeated external tool actions, duplicated workflow transitions, and unnecessary LLM/API spend.
- Breaks the guarantee that one platform message maps to one internal action. |
|---|
| 来源 | ⚠️ https://github.com/sipeed/picoclaw/issues/3073 |
|---|
| 用户 | Eric-i (UID 97584) |
|---|
| 提交 | 2026-06-09 13時29分 (1 月前) |
|---|
| 管理 | 2026-07-17 15時50分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 379795 [Sipeed PicoClaw 直到 0.2.9 LINE Webhook line.go webhook.ParseRequest 弱身份验证] |
|---|
| 积分 | 20 |
|---|