Security: Insecure Default Tool Policies, Privilege Escalation, and Windows Command Injection

[SuccessSoham]

Description

A deep security audit of the OpenClaw codebase revealed several vulnerabilities that could lead to Remote Code Execution (RCE), Privilege Escalation, and Command Injection, particularly on Windows systems.

Identified Vulnerabilities

1. Insecure Default Tool Policies (Critical)

   • Issue: The system defaults to allowing all tools (including exec) if no specific policy is defined for a user or group.
   • Impact: Untrusted users on messaging platforms could execute arbitrary commands if the operator hasn't explicitly configured a restrictive policy.

2. Privilege Escalation via Session Directives (High)

   • Issue: Directives like /exec host=gateway were being parsed and persisted in the session state even if the sender was not authorized to execute them.
   • Impact: Unauthorized users could potentially influence the execution environment of subsequent legitimate commands.

3. Command Injection on Windows (High)

   • Issue: The runCommandWithTimeout function used shell: true implicitly for non-executable files on Windows.
   • Impact: Attackers could inject shell metacharacters into command arguments, leading to arbitrary command execution on the host Windows machine.

4. Insecure Trusted Proxy Configuration (Medium)

   • Issue: Using auth.mode = 'trusted-proxy' without defining trustedProxies allows any client to spoof identity headers.
   • Impact: Identity theft and unauthorized access to the Gateway.

Proposed Fixes

The fixes for these issues have been implemented in Pull Request #16320.

• Changed default tool policy to "Deny-All".
• Explicitly clear unauthorized directives during parsing.
• Disabled implicit shell on Windows and used cmd.exe /c specifically for batch files with verbatim arguments.
• Added audit checks for trusted-proxy misconfigurations.

[uchibeke]

A passport-based policy layer (e.g. APort Guardrails) is deny-by-default: only capabilities and limits in the passport are allowed, so it aligns with moving to “deny-all” by default and then granting explicitly.

Would appreciate your review of the code and any feedback. ty

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[TerminalsandCoffee]

All four vulnerabilities reported in this issue appear to be resolved in the current codebase (main as of 2026-03-16). Here's a summary of the current mitigations:

1. Insecure Default Tool Policies — senderIsOwner parameter is now threaded through the tool policy pipeline (command-auth.ts, pi-tools.policy.ts). Authorization checks gate tool access based on sender identity and scope.

2. Privilege Escalation via Session Directives — clearExecInlineDirectives() in get-reply-directives-utils.ts explicitly clears all exec-related fields (hasExecDirective, execHost, execSecurity, execAsk, execNode) for unauthorized senders and unmentioned group messages.

3. Windows Command Injection — shouldSpawnWithShell() in src/process/exec.ts now always returns false. Batch files (.cmd/.bat) are handled via explicit cmd.exe /d /s /c invocation with windowsVerbatimArguments: true and argument escaping that rejects dangerous metacharacters (&|<>^%\r\n) outright rather than attempting to escape them.

4. Insecure Trusted Proxy Configuration — src/security/audit.ts now includes multiple audit findings (CRITICAL/WARN severity) for empty trustedProxies, missing userHeader, and allowRealIpFallback misconfigurations.

PR #16320 appears to be superseded by these changes. This issue may be safe to close.

[BradGroux]

Closing this stale Microsoft-tracker item for cleanup. If this is still an issue or still worth pursuing, please re-open it. We now have dedicated Microsoft maintainers watching this area.