| 标题 | nextlevelbuilder GoClaw 3.13.3-beta.3 Path Traversal / Sandbox Escape (CWE-22) |
|---|
| 描述 | # Technical Details
A Path Traversal / Sandbox Escape exists in the `resolvePath` method in `internal/providers/acp/tool_bridge.go` of GoClaw.
The application fails to safely resolve dangling symlinks before writing ACP files. An ACP-backed agent can create a dangling symlink inside the configured workspace and then call `fs/writeTextFile` on that in-workspace path. When `filepath.EvalSymlinks(cleaned)` fails, the validator falls back to the lexical path, which still appears inside the workspace, and `os.WriteFile` later follows the symlink target outside the sandbox.
# Vulnerable Code
File: internal/providers/acp/tool_bridge.go
Method: resolvePath
Why: The code uses `real, err := filepath.EvalSymlinks(cleaned)` and falls back to `real = cleaned` on error. `writeFile()` then calls `os.WriteFile(resolved, ...)`, allowing a dangling symlink alias inside the workspace to redirect writes to an external file.
# Reproduction
1. Run a vulnerable GoClaw ACP ToolBridge deployment on version `3.13.3-beta.3` and create a dangling symlink inside the ACP workspace that points to a file outside the workspace.
2. From an ACP-backed agent session, invoke `fs/writeTextFile` against the symlink path.
3. Observe that GoClaw writes to the external target file even though direct traversal outside the workspace is blocked.
# Impact
- ACP-backed agents can modify files outside the configured workspace boundary.
- This breaks workspace isolation and can tamper with neighboring workspace data, scripts, temporary files, and other writable host resources. |
|---|
| 来源 | ⚠️ https://github.com/nextlevelbuilder/goclaw/issues/1201 |
|---|
| 用户 | Eric-b (UID 96354) |
|---|
| 提交 | 2026-06-11 09時10分 (1 月前) |
|---|
| 管理 | 2026-07-13 19時24分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 378128 [nextlevelbuilder GoClaw 3.13.3-beta.3 ACP ToolBridge Workspace tool_bridge.go writeFile 目录遍历] |
|---|
| 积分 | 20 |
|---|