| 标题 | princezuda safestclaw 4.2.4 Incomplete List of Disallowed Inputs (CWE-184) |
|---|
| 描述 | # Technical Details
A shell allowlist bypass exists in the `ShellAction._validate_command()` method in `src/safestclaw/actions/shell.py` of safestclaw.
The application tokenizes the user-supplied command with `shlex.split()` and validates only the basename of `args[0]`. Because `env` is in `DEFAULT_ALLOWED`, a command such as `env bash -c id` passes validation even though `bash` is not allowlisted. The code never inspects or re-binds policy to the effective inner executable, so `ShellAction.execute()` passes the full attacker-controlled argv to `asyncio.create_subprocess_exec(*args)`.
# Vulnerable Code
File: src/safestclaw/actions/shell.py
Method: _validate_command()
Why: The method validates only `Path(args[0]).name` against the allowlist, so `env bash -c id` is approved based on `env` alone. The effective inner executable (`bash`) is never checked.
# Reproduction
1. Start the SafeClaw web server on the 4.2.4 release.
2. Send `POST /api/message {"text":"shell env bash -c id"}` to the built-in web interface.
3. Observe the response returns `uid=0(root) gid=0(root) groups=0(root)`.
4. Send the control command `POST /api/message {"text":"shell bash -c id"}`.
5. Observe the control returns `Command blocked: Command not allowed: bash`.
# Impact
- Bypasses the built-in shell executable allowlist.
- Attackers can execute denied interpreters by wrapping them with `env`.
- Code runs with SafeClaw process privileges, granting access to files, environment variables, and network resources. |
|---|
| 来源 | ⚠️ https://github.com/princezuda/safestclaw/issues/59 |
|---|
| 用户 | Eric-x (UID 94869) |
|---|
| 提交 | 2026-06-12 11時52分 (1 月前) |
|---|
| 管理 | 2026-07-17 18時13分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 379845 [princezuda SafestClaw 直到 4.2.4 Built-in Web Interface shell.py ShellAction._validate_command 权限提升] |
|---|
| 积分 | 20 |
|---|