# Vulnerability Summary: nextlevelbuilder/goclaw Authentication Bypass and Default-Permit Authorization

## Overview

This is a three-part vulnerability chain (Issue #866) that combines an authentication bypass in the gateway router with a default-permit policy in the role-based access control (RBAC) engine. A client that presents an invalid token, or that connects without a paired connection, is still granted `RoleViewer`; because the policy engine allows every method it does not explicitly restrict, that effectively unauthenticated caller can invoke mutation methods and stream live server logs.

## Scope

- **Affected components**: `internal/gateway/router.go` and `internal/permissions/policy.go`
- **Affected functionality**:
  - heartbeat settings (`heartbeat.set`)
  - heartbeat toggle (`heartbeat.toggle`)
  - heartbeat checklist settings (`heartbeat.checklist.set`)
  - live log streaming (`logs.tail`)
  - other methods not explicitly listed here, since any method outside the allowlists was permitted by default

## Fix

1. **Router path fix**: the auth path 4 fallback no longer grants `RoleViewer`. An invalid token, or a connection with no pairing, now fails `connect` with an `UNAUTHORIZED` error.
2. **Policy engine fix**: the policy engine moves from `default-permit` to `default-deny`. Every method is refused unless it is explicitly allowed for the caller's role.
3. **Admin allowlist update**: `adminAllowlist` is updated to include the methods that require administrator privileges, so the default-deny engine has a complete picture of which methods are admin-only.

A practitioner checking the fix should verify both halves independently: a `connect` with a garbage token must be rejected, and a session that does connect with a low role must still be refused every method not on that role's allowlist, including method names the server does not recognize.

## Proof of Concept

### Script 1: `repro-issue-866.mjs`

The script connects with an invalid token and then issues a mutation, a log-streaming request, and a second mutation. Before the fix, `connect` succeeds with `role: viewer`, the mutations reach input validation (only `INVALID_REQUEST` stops them, not RBAC), and `logs.tail` streams live server logs to the attacker.

Before the fix:

```text
=== Step 1 - connect with invalid token ===
{"type":"res","ok":true,"payload":{"role":"viewer","tenant_slug":"master",...}}
[VULN] #1 confirmed: invalid token - connect.ok with role=viewer
=== Step 2 - heartbeat.set (mutation) ===
{"type":"res","ok":false,"error":{"code":"INVALID_REQUEST","message":"invalid agentId"}}
[VULN] #2 confirmed: RBAC let it through, only validation rejected (INVALID_REQUEST)
=== Step 3 - logs.tail (exfil) ===
{"type":"log","ok":true,"payload":{"status":"tailling"}}
[event] log {"level":"info","msg":"..."} - Live server log streaming to attacker
[VULN] #3 confirmed: viewer started logs.tail stream (exfil)
=== Step 4 - heartbeat.checklist.set (mutation) ===
[VULN] #4 confirmed: RBAC let it through, validation only (INVALID_REQUEST)
```

After the fix:

```text
=== Step 1 - connect with invalid token ===
{"type":"res","ok":false,"error":{"code":"UNAUTHORIZED","message":"Permission denied: valid token or ..."}}
=== Step 2 - heartbeat.set (mutation) ===
{"type":"res","ok":false,"error":{"code":"UNAUTHORIZED","message":"first request must be 'connect'"}}
[Safe] heartbeat.set blocked by RBAC: UNAUTHORIZED
=== Step 3 - logs.tail (exfil) ===
{"type":"res","ok":false,"error":{"code":"UNAUTHORIZED","message":"first request must be 'connect'"}}
[Safe] logs.tail blocked by RBAC: UNAUTHORIZED
=== Step 4 - heartbeat.checklist.set (mutation) ===
[Safe] heartbeat.checklist.set blocked by RBAC: UNAUTHORIZED
```

Caveat: in the post-fix run, steps 2 to 4 are rejected with `first request must be 'connect'`, that is, by the session gate, because `connect` itself failed in step 1. The script's `[Safe] ... blocked by RBAC` labels are therefore conservative; the default-deny policy engine is only exercised by a session that does connect, which is what the second script covers.

### Script 2: `repro_approvals_misclass.go`

This script checks the role under which each `exec.approval.*` method is classified. Before the fix, `exec.approval.list` was misclassified: it is listed in `isReadMethod` (viewers must be able to list approvals), but the `exec.` prefix fallback ran first and shadowed that entry. `exec.approval.approve` and `exec.approval.deny` are mutations listed in `writeExact` and were correctly restricted to operators and admins.

Before the fix:

```text
METHOD                 ACTUAL    EXPECTED  STATUS  NOTE
exec.approval.list     viewer    operator  BUG     Listed in isReadMethod - viewers must be able
exec.approval.approve  operator  operator  OK      Listed in writeExact - mutation, operators+admin
exec.approval.deny     operator  operator  OK      Listed in writeExact - mutation, operators+admin
[BEFORE-FIX] 1/3 methods misclassified - prefix fallback is shadowing isReadMethod
exit status 1
```

After the fix:

```text
METHOD                 ACTUAL    EXPECTED  STATUS  NOTE
exec.approval.list     viewer    viewer    OK      Listed in isReadMethod - viewers must be able
exec.approval.approve  operator  operator  OK      Listed in writeExact - mutation, operators+admin
exec.approval.deny     operator  operator  OK      Listed in writeExact - mutation, operators+admin
[AFTER-FIX] All 3 methods classified correctly
exit status 0
```
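The following Go program is an added example written for this summary; it is not goclaw's code and does not reproduce its router or policy engine. It models the three defects described above side by side with their fixes: a `connect` fallback that grants `RoleViewer` to anything versus one that returns `UNAUTHORIZED`, a default-permit policy versus a default-deny one, and a method classifier whose prefix fallback shadows the exact read table versus one that consults exact tables first. The method names come from the write-up; the role assignments for `heartbeat.*` and `logs.tail`, the admin-only method `config.set`, the token store, and the rule that a paired connection yields `RoleViewer` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Role is an ordered privilege level; a higher role includes the lower ones.
type Role int

const (
	RoleNone     Role = iota // no valid token and no paired connection
	RoleViewer
	RoleOperator
	RoleAdmin
)

func (r Role) String() string { return [...]string{"none", "viewer", "operator", "admin"}[r] }

// Method tables. Assumed for this example, not goclaw's own lists: method names
// are from the write-up; the roles for heartbeat.* and logs.tail and the
// admin-only method are assumptions.
var (
	readExact  = map[string]bool{"exec.approval.list": true}
	writeExact = map[string]bool{"exec.approval.approve": true, "exec.approval.deny": true,
		"heartbeat.set": true, "heartbeat.toggle": true, "heartbeat.checklist.set": true, "logs.tail": true}
	adminAllowlist = map[string]bool{"config.set": true}
	prefixRoles    = []struct {
		prefix string
		role   Role
	}{{"exec.", RoleOperator}, {"admin.", RoleAdmin}}
	// knownTokens stands in for the gateway's token store (constructed sample data).
	knownTokens = map[string]Role{"tok-admin-example": RoleAdmin, "tok-op-example": RoleOperator}
)

// RequiredRole returns the minimum role for method and whether it is known.
// Exact tables are checked before the prefix fallback, so exec.approval.list
// stays a viewer method even though "exec." falls back to operator.
func RequiredRole(method string) (Role, bool) {
	switch {
	case adminAllowlist[method]:
		return RoleAdmin, true
	case writeExact[method]:
		return RoleOperator, true
	case readExact[method]:
		return RoleViewer, true
	}
	for _, p := range prefixRoles {
		if strings.HasPrefix(method, p.prefix) {
			return p.role, true
		}
	}
	return RoleNone, false
}

// RequiredRoleShadowed reproduces the pre-fix classification bug: the prefix
// fallback runs first and shadows the exact read table.
func RequiredRoleShadowed(method string) Role {
	for _, p := range prefixRoles {
		if strings.HasPrefix(method, p.prefix) {
			return p.role
		}
	}
	if r, ok := RequiredRole(method); ok {
		return r
	}
	return RoleNone
}

// ConnectRole resolves the caller's role at connect time. With legacyFallback
// the last path grants RoleViewer to anything (pre-fix behaviour); without it,
// an unknown token and no paired connection yields RoleNone and UNAUTHORIZED.
func ConnectRole(token string, paired, legacyFallback bool) (Role, error) {
	if r, ok := knownTokens[token]; ok {
		return r, nil
	}
	if paired || legacyFallback {
		return RoleViewer, nil
	}
	return RoleNone, errors.New("UNAUTHORIZED: valid token or paired connection required")
}

// AllowDefaultPermit is the vulnerable policy: only adminAllowlist is gated;
// every other method passes, including for RoleNone and for unknown methods.
func AllowDefaultPermit(role Role, method string) bool {
	if adminAllowlist[method] {
		return role >= RoleAdmin
	}
	return true
}

// AllowDefaultDeny is the hardened policy: unauthenticated callers and unknown
// methods are refused; known methods need at least their listed role.
func AllowDefaultDeny(role Role, method string) bool {
	if role == RoleNone {
		return false
	}
	need, known := RequiredRole(method)
	return known && role >= need
}

func main() {
	role, err := ConnectRole("garbage-token", false, true)
	fmt.Println("pre-fix connect:", role, err, "heartbeat.set allowed:", AllowDefaultPermit(role, "heartbeat.set"))
	role, err = ConnectRole("garbage-token", false, false)
	fmt.Println("post-fix connect:", role, err, "heartbeat.set allowed:", AllowDefaultDeny(role, "heartbeat.set"))
	fixed, _ := RequiredRole("exec.approval.list")
	fmt.Println("exec.approval.list shadowed:", RequiredRoleShadowed("exec.approval.list"), "fixed:", fixed)
}
```

The two policy functions differ in the direction of the default: `AllowDefaultPermit` has to enumerate what is forbidden and silently admits anything it forgot, including a method name that does not exist, while `AllowDefaultDeny` has to enumerate what is allowed, so a forgotten method fails closed and shows up as a bug report rather than an exposure. Checking exact tables before the prefix fallback in `RequiredRole` is what keeps a specific read-only entry such as `exec.approval.list` from being swallowed by a broader `exec.` rule.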