🔴 [CRITICAL] CB-001: Unrestricted Shell Execution via exec Tool #10

Open
opened 2026-02-20 08:50:03 +00:00 by Alpha · 0 comments

Security Finding from Audit

Parent issue: #1

Severity

CRITICAL 🔴

CVSS Score

9.8

CWE

CWE-78 (OS Command Injection)

Location

cobot/plugins/tools/plugin.py, lines 200–230


Description

The _exec() method passes user-influenced commands directly to subprocess.run() with shell=True. The blocklist is regex-based and trivially bypassable.

Attack Vectors:

  • Blocklist bypass: su\do, s""udo, /usr/bin/sudo, doas, base64-encoded commands
  • Environment variable abuse: env=os.environ.copy() exposes API keys, NOSTR_NSEC, etc.
  • Default blocklist only blocks literal rm -rf / and sudo rm — trivially circumvented

Impact: Complete system compromise. Attacker gains shell access with the agent's user privileges. Can exfiltrate secrets, install backdoors, pivot to other systems.


Recommendation

  • Replace shell=True with explicit argument lists (shell=False)
  • Implement a strict allowlist-only approach (no blocklist)
  • Run tool execution in a sandboxed container (e.g., nsjail, bubblewrap, or Docker)
  • Sanitize the environment: only pass explicitly approved variables
  • Require human-in-the-loop confirmation for shell commands
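The following is an added illustration, not code from the cobot project or from the audit: a constructed stand-in for the vulnerable shape the finding describes (literal-substring blocklist checked against the raw string, then `shell=True` with the parent's whole environment) beside a hardened executor that applies the first, second and fourth recommendations (shlex-parsed argv with `shell=False`, an allowlist keyed on the unquoted argv[0], and an explicitly approved environment). The `py` allowlist entry pointing at the running interpreter, the `SAFE_ENV_KEYS` tuple and the `NOSTR_NSEC` sample value are assumptions made for the demo; sandboxing and human confirmation are out of scope here.

```python
import os
import shlex
import subprocess
import sys

# --- Constructed stand-in for the vulnerable pattern (not the project's code) ---
# Literal-substring blocklist checked against the raw string, then shell=True and
# the parent's full environment, as the finding describes.
LEGACY_BLOCKLIST = ["rm -rf /", "sudo rm"]


def blocklist_allows(cmd):
    """True if the naive blocklist would let `cmd` through unchanged."""
    return not any(bad in cmd for bad in LEGACY_BLOCKLIST)


def shell_sees(cmd):
    """Argv the shell builds after quote/backslash removal: su\\do -> sudo."""
    return shlex.split(cmd)


def legacy_exec(cmd, base_env=None):
    """Vulnerable shape: raw string -> shell, parent environment copied wholesale."""
    if not blocklist_allows(cmd):
        raise PermissionError("blocked by legacy blocklist")
    env = dict(os.environ if base_env is None else base_env)
    return subprocess.run(cmd, shell=True, env=env, capture_output=True,
                          text=True, timeout=30).stdout


# --- Hardened replacement ---
# The allowlist maps a short name to an absolute path. Never allowlist a shell
# or anything that interprets its arguments as code. "py" -> this interpreter
# is an assumption for the demo so the example runs anywhere.
DEMO_ALLOWLIST = {"py": sys.executable}
SAFE_ENV_KEYS = ("PATH", "HOME", "LANG", "LC_ALL", "TZ")   # assumed policy
FORBIDDEN_CHARS = set(";|&<>`")


def sanitized_env(base_env):
    """Keep only approved variables; API keys, NOSTR_NSEC etc. drop out."""
    return {k: base_env[k] for k in SAFE_ENV_KEYS if k in base_env}


def validate_command(cmd, allowlist):
    """Parse like a shell would, resolve argv[0] through the allowlist, and
    reject shell-only syntax. Returns the argv list to execute."""
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        raise ValueError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    name = argv[0]                       # already unquoted: s""udo is now sudo
    if name not in allowlist:
        raise ValueError(f"command not allowlisted: {name!r}")
    for tok in argv[1:]:
        # With shell=False these would be passed literally, but refusing them
        # makes "no pipelines, no redirection" an explicit policy.
        if FORBIDDEN_CHARS & set(tok) or "$(" in tok:
            raise ValueError(f"shell syntax not supported in argument: {tok!r}")
    return [allowlist[name], *argv[1:]]


def run_allowed(cmd, allowlist=DEMO_ALLOWLIST, base_env=None, timeout=30):
    """Execute an allowlisted command with shell=False and a sanitized env."""
    argv = validate_command(cmd, allowlist)
    base = os.environ if base_env is None else base_env
    proc = subprocess.run(argv, shell=False, env=sanitized_env(base),
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def probe_env_leak(var, base_env, hardened=True):
    """Ask a child interpreter whether `var` reached it ('absent' if not)."""
    code = f'import os\nprint(os.environ.get("{var}", "absent"))'
    if hardened:
        return run_allowed(f"py -c {shlex.quote(code)}", base_env=base_env).strip()
    legacy_cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(code)}"
    return legacy_exec(legacy_cmd, base_env).strip()


if __name__ == "__main__":
    for probe in ("su\\do rm -rf ~", 's""udo rm -rf ~', "rm -r -f /"):
        print(f"{probe!r}: blocklist allows={blocklist_allows(probe)}, "
              f"shell runs={shell_sees(probe)}")
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "NOSTR_NSEC": "constructed-secret"}   # constructed sample, not a real key
    print("legacy child sees NOSTR_NSEC:", probe_env_leak("NOSTR_NSEC", env, hardened=False))
    print("hardened child sees NOSTR_NSEC:", probe_env_leak("NOSTR_NSEC", env, hardened=True))
```

The point of checking argv[0] after `shlex.split` rather than the raw string is that the check now sees the same token the kernel will exec, so `su\do`, `s""udo` and `/usr/bin/sudo` all fail the allowlist for the same reason: they are not one of its keys. Keep the allowlist free of shells and interpreters in production (the `py` entry exists only so the demo can run itself), since `sh -c` or `python -c` would hand the attacker a shell again.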

From: Cobot Whitebox Security Audit (February 14, 2026)
Finding ID: CB-001

Reference
ultanio/cobot#10