| 标题 | louisho5 picobot 0.2.0 Improper Link Resolution Before File Access (CWE-59) |
|---|
| 描述 | # Technical Details
An out-of-workspace file read and overwrite vulnerability exists in the `[FilesystemTool.Execute]` and `[SkillManager.CreateSkill/GetSkill]` methods in `internal/agent/tools/filesystem.go` and `internal/agent/tools/skill.go` of picobot.
The application fails to reject final-path hardlink aliases inside the workspace. An admitted user can first use the default-registered `exec` tool to create a hardlink inside the workspace pointing to an external file, then use the rooted `filesystem`, `read_skill`, or `create_skill` tools to read or overwrite that external inode through the in-workspace alias.
# Vulnerable Code
File: `internal/agent/tools/filesystem.go`, `internal/agent/tools/skill.go`, `internal/agent/loop.go`
Method: `FilesystemTool.Execute`, `SkillManager.GetSkill`, `SkillManager.CreateSkill`
Why: The code relies on workspace-rooted file APIs but does not enforce the business rule that the final file object must belong to the workspace rather than being a hardlink alias to an out-of-workspace file.
# Reproduction
1. Create `outside/secret.txt` and a `workspace/` directory in the same parent path.
2. Use the real agent/tool path to execute `ln outside/secret.txt workspace/link.txt` and `ln outside/secret.txt workspace/skills/alias/SKILL.md`.
3. Read the file through `filesystem` or `read_skill`, then overwrite it through `create_skill`, and confirm the external file changes.
# Impact
- Breaks Picobot’s intended workspace boundary for rooted file tools.
- Allows disclosure and modification of files outside the workspace that are accessible to the Picobot process account. |
|---|
| 来源 | ⚠️ https://github.com/louisho5/picobot/issues/40 |
|---|
| 用户 | Eric-e (UID 97581) |
|---|
| 提交 | 2026-06-11 10時43分 (1 月前) |
|---|
| 管理 | 2026-07-13 19時30分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 378131 [louisho5 picobot 直到 0.2.0 Workspace filesystem.go CreateSkill/GetSkill 权限提升] |
|---|
| 积分 | 20 |
|---|