Summary
The /debug/cli endpoint in src/routes/debug.ts (lines 131-134) passes the user-supplied cmd query parameter directly to sandbox.startProcess() without sanitization:

```ts
const cmd = c.req.query('cmd') || 'openclaw --version';
const result = await sandbox.startProcess(cmd);
```
While this endpoint is behind authentication middleware, any authenticated user can execute arbitrary commands inside the container.
Impact
Severity: Critical — Arbitrary command execution in the container. An authenticated user could:
- Read/modify container files (config, secrets, workspace data)
- Exfiltrate environment variables including API keys
- Modify the running OpenClaw process or its configuration
Recommendation
Either:
- Remove the endpoint entirely (it's a debug tool)
- Restrict to an allowlist of safe commands (e.g., openclaw --version, openclaw doctor)
- Add strict input validation to prevent shell metacharacters
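The allowlist option, as an added example that is not the project's code: the endpoint accepts a short command name, maps it to a fixed argv array, and rejects anything else. It assumes a hypothetical launcher that takes a program plus an argument list rather than a single shell string; the names resolveDebugCommand, runDebugCommand and ArgvLauncher are invented for the example.

```typescript
// Added example, not from src/routes/debug.ts. Fixed argument vectors: the
// user never supplies shell text, so metacharacters have nothing to reach.
const DEBUG_COMMANDS: Readonly<Record<string, readonly string[]>> = {
  version: ['openclaw', '--version'],
  doctor: ['openclaw', 'doctor'],
};

const DEFAULT_COMMAND = 'version';

interface ResolvedCommand {
  name: string;
  argv: readonly string[];
}

// Resolve the `cmd` query parameter to an allowlisted argv. Returns null for
// anything not in the allowlist; the caller answers 400 instead of falling
// back to a default, so probing of the endpoint stays visible in logs.
function resolveDebugCommand(raw: string | undefined): ResolvedCommand | null {
  const name = raw === undefined || raw === '' ? DEFAULT_COMMAND : raw;
  // Own-key lookup only, so inherited names like "constructor" do not match.
  if (!Object.prototype.hasOwnProperty.call(DEBUG_COMMANDS, name)) {
    return null;
  }
  return { name, argv: DEBUG_COMMANDS[name] };
}

// Hypothetical launcher interface (assumption): program + args, never a shell
// string. If sandbox.startProcess only takes a string, this is the shape to
// add rather than joining argv back into one.
interface ArgvLauncher {
  startProcess(program: string, args: readonly string[]): Promise<unknown>;
}

// Handler core: only an allowlisted argv ever reaches the launcher.
async function runDebugCommand(
  launcher: ArgvLauncher,
  rawCmd: string | undefined,
): Promise<{ status: number; body: unknown }> {
  const resolved = resolveDebugCommand(rawCmd);
  if (resolved === null) {
    return { status: 400, body: { error: 'unknown debug command' } };
  }
  const [program, ...args] = resolved.argv;
  const result = await launcher.startProcess(program, args);
  return { status: 200, body: { command: resolved.name, result } };
}
```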
Found during security review for #74 / PR #298.