GHSA-hhjv-jq77-cmvx: zeptoclaw has Android device shell blocklist bypass via argument permutation
zeptoclaw implements a blocklist intended to stop dangerous commands from running in the Android device shell. Several of the blocked entries are literal patterns that include the command's arguments in one fixed order, such as rm -f and rm -rf. Because the check matches that exact spelling, the same operation can be requested with the flags reordered or clustered differently, for example rm -r -f or rm -fr, and the blocklist does not catch it. The vulnerable code lives in src/tools/android/actions.rs; the fix commit is listed under References.
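The following is an added example in Rust (the project's language) and is not zeptoclaw's code: it pairs a literal, order-sensitive blocklist of the kind the advisory describes with a flag-normalising check that survives argument permutation. The blocklist entries, helper names and the sample commands are hypothetical; the real patterns in actions.rs are not reproduced here.

```rust
// Added example (not zeptoclaw's code). The blocklist literals, helper names
// and sample commands are hypothetical.

/// Blocklist entries that bake the argument order into the literal.
const NAIVE_BLOCKLIST: &[&str] = &["rm -rf", "rm -f"];

/// Naive check: does the command start with one of the literal token
/// sequences? "rm -rf /x" is caught; "rm -r -f /x" and "rm -fr /x" are not.
pub fn naive_is_blocked(cmd: &str) -> bool {
    let tokens: Vec<&str> = cmd.split_whitespace().collect();
    NAIVE_BLOCKLIST.iter().any(|pat| {
        let pat_tokens: Vec<&str> = pat.split_whitespace().collect();
        tokens.starts_with(&pat_tokens)
    })
}

/// Split a shell line into simple commands on `;`, `&&`, `||`, `|` and
/// newlines so that "ls /x && rm -fr /x" is inspected one command at a time.
fn simple_commands(cmd: &str) -> Vec<String> {
    cmd.replace("&&", ";")
        .replace("||", ";")
        .split(|c| c == ';' || c == '|' || c == '\n')
        .map(|s| s.trim().to_string())
        .filter(|s| !s.is_empty())
        .collect()
}

/// Expand clustered short options ("-rf" -> "-r", "-f"). Long options and
/// positional arguments pass through unchanged, and nothing after "--" is
/// treated as an option (so "rm -- -rf" deletes a file literally named -rf).
fn normalize_flags(args: &[&str]) -> Vec<String> {
    let mut out = Vec::new();
    let mut options_ended = false;
    for &a in args {
        if options_ended || a == "--" || a.starts_with("--") || !a.starts_with('-') || a.len() < 3 {
            options_ended |= a == "--";
            out.push(a.to_string());
        } else {
            out.extend(a[1..].chars().map(|c| format!("-{}", c)));
        }
    }
    out
}

/// Hardened check: for every simple command whose program is `rm` (with any
/// path prefix such as /system/bin/ stripped), block if a recursive or force
/// flag appears in any position, clustering or long form.
pub fn hardened_is_blocked(cmd: &str) -> bool {
    simple_commands(cmd).iter().any(|simple| {
        let tokens: Vec<&str> = simple.split_whitespace().collect();
        let (prog, rest) = match tokens.split_first() {
            Some(x) => x,
            None => return false,
        };
        let prog = *prog;
        let prog = prog.rsplit('/').next().unwrap_or(prog);
        if prog != "rm" {
            return false;
        }
        normalize_flags(rest).iter().any(|f| {
            matches!(f.as_str(), "-r" | "-R" | "-f" | "--recursive" | "--force")
        })
    })
}

fn main() {
    // Constructed sample commands, not taken from the advisory.
    for cmd in ["rm -rf /sdcard", "rm -r -f /sdcard", "rm -fr /sdcard", "ls /sdcard"].iter() {
        println!(
            "{:<18} naive={:<5} hardened={}",
            cmd,
            naive_is_blocked(cmd),
            hardened_is_blocked(cmd)
        );
    }
}
```

Even the flag-aware version only closes the permutation hole. It does not see through quoting, command substitution, aliases or a different binary that performs the same operation (busybox, toybox, find -delete), which is why a denylist of shell strings is a weak control and an allowlist of permitted commands is the more defensible design.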
References
- github.com/advisories/GHSA-hhjv-jq77-cmvx
- github.com/qhkm/zeptoclaw
- github.com/qhkm/zeptoclaw/blob/fe2ef07cfec5bb46b42cdd65f52b9230c03e9270/src/tools/android/actions.rs
- github.com/qhkm/zeptoclaw/commit/68916c3e4f3af107f11940b27854fc7ef517058b
- github.com/qhkm/zeptoclaw/security/advisories/GHSA-hhjv-jq77-cmvx