fix(security): detect obfuscated commands that bypass allowlist filters (#24287)

* security(exec): add obfuscated command detector * test(exec): cover obfuscation detector patterns * security(exec): enforce obfuscation approval on gateway host * security(exec): enforce obfuscation approval on node host * test(exec): prevent obfuscation timeout bypass * chore(changelog): credit obfuscation security fix
2026-05-08 00:01:24 +00:00 · 2026-02-23 02:50:06 -05:00
parent 7568ae52ce
commit 0e28e50b45
6 changed files with 422 additions and 9 deletions
--- a/src/agents/bash-tools.exec-host-gateway.ts
+++ b/src/agents/bash-tools.exec-host-gateway.ts
@@ -14,7 +14,9 @@ import {
  resolveAllowAlwaysPatterns,
  resolveExecApprovals,
 } from "../infra/exec-approvals.js";
+import { detectCommandObfuscation } from "../infra/exec-obfuscation-detect.js";
 import type { SafeBinProfile } from "../infra/exec-safe-bin-policy.js";
+import { logInfo } from "../logger.js";
 import { markBackgrounded, tail } from "./bash-process-registry.js";
 import { requestExecApprovalDecisionForHost } from "./bash-tools.exec-approval-request.js";
 import {
@@ -81,6 +83,11 @@ export async function processGatewayAllowlist(
  const analysisOk = allowlistEval.analysisOk;
  const allowlistSatisfied =
    hostSecurity === "allowlist" && analysisOk ? allowlistEval.allowlistSatisfied : false;
+  const obfuscation = detectCommandObfuscation(params.command);
+  if (obfuscation.detected) {
+    logInfo(`exec: obfuscation detected (gateway): ${obfuscation.reasons.join(", ")}`);
+    params.warnings.push(`⚠️ Obfuscated command detected: ${obfuscation.reasons.join("; ")}`);
+  }
  const recordMatchedAllowlistUse = (resolvedPath?: string) => {
    if (allowlistMatches.length === 0) {
      return;
@@ -105,7 +112,9 @@ export async function processGatewayAllowlist(
      security: hostSecurity,
      analysisOk,
      allowlistSatisfied,
-    }) || requiresHeredocApproval;
+    }) ||
+    requiresHeredocApproval ||
+    obfuscation.detected;
  if (requiresHeredocApproval) {
    params.warnings.push(
      "Warning: heredoc execution requires explicit approval in allowlist mode.",
@@ -154,7 +163,9 @@ export async function processGatewayAllowlist(
      if (decision === "deny") {
        deniedReason = "user-denied";
      } else if (!decision) {
-        if (askFallback === "full") {
+        if (obfuscation.detected) {
+          deniedReason = "approval-timeout (obfuscation-detected)";
+        } else if (askFallback === "full") {
          approvedByAsk = true;
        } else if (askFallback === "allowlist") {
          if (!analysisOk || !allowlistSatisfied) {
--- a/src/agents/bash-tools.exec-host-node.ts
+++ b/src/agents/bash-tools.exec-host-node.ts
@@ -11,7 +11,9 @@ import {
  resolveExecApprovals,
  resolveExecApprovalsFromFile,
 } from "../infra/exec-approvals.js";
+import { detectCommandObfuscation } from "../infra/exec-obfuscation-detect.js";
 import { buildNodeShellCommand } from "../infra/node-shell.js";
+import { logInfo } from "../logger.js";
 import { requestExecApprovalDecisionForHost } from "./bash-tools.exec-approval-request.js";
 import {
  DEFAULT_APPROVAL_TIMEOUT_MS,
@@ -133,12 +135,20 @@ export async function executeNodeHostCommand(
      // Fall back to requiring approval if node approvals cannot be fetched.
    }
  }
-  const requiresAsk = requiresExecApproval({
-    ask: hostAsk,
-    security: hostSecurity,
-    analysisOk,
-    allowlistSatisfied,
-  });
+  const obfuscation = detectCommandObfuscation(params.command);
+  if (obfuscation.detected) {
+    logInfo(
+      `exec: obfuscation detected (node=${nodeQuery ?? "default"}): ${obfuscation.reasons.join(", ")}`,
+    );
+    params.warnings.push(`⚠️ Obfuscated command detected: ${obfuscation.reasons.join("; ")}`);
+  }
+  const requiresAsk =
+    requiresExecApproval({
+      ask: hostAsk,
+      security: hostSecurity,
+      analysisOk,
+      allowlistSatisfied,
+    }) || obfuscation.detected;
  const invokeTimeoutMs = Math.max(
    10_000,
    (typeof params.timeoutSec === "number" ? params.timeoutSec : params.defaultTimeoutSec) * 1000 +
@@ -203,7 +213,9 @@ export async function executeNodeHostCommand(
      if (decision === "deny") {
        deniedReason = "user-denied";
      } else if (!decision) {
-        if (askFallback === "full") {
+        if (obfuscation.detected) {
+          deniedReason = "approval-timeout (obfuscation-detected)";
+        } else if (askFallback === "full") {
          approvedByAsk = true;
          approvalDecision = "allow-once";
        } else if (askFallback === "allowlist") {
--- a/src/agents/bash-tools.exec.approval-id.test.ts
+++ b/src/agents/bash-tools.exec.approval-id.test.ts
@@ -15,8 +15,17 @@ vi.mock("./tools/nodes-utils.js", () => ({
  resolveNodeIdFromList: vi.fn((nodes: Array<{ nodeId: string }>) => nodes[0]?.nodeId),
 }));

+vi.mock("../infra/exec-obfuscation-detect.js", () => ({
+  detectCommandObfuscation: vi.fn(() => ({
+    detected: false,
+    reasons: [],
+    matchedPatterns: [],
+  })),
+}));
+
 let callGatewayTool: typeof import("./tools/gateway.js").callGatewayTool;
 let createExecTool: typeof import("./bash-tools.exec.js").createExecTool;
+let detectCommandObfuscation: typeof import("../infra/exec-obfuscation-detect.js").detectCommandObfuscation;

 describe("exec approvals", () => {
  let previousHome: string | undefined;
@@ -25,6 +34,7 @@ describe("exec approvals", () => {
  beforeAll(async () => {
    ({ callGatewayTool } = await import("./tools/gateway.js"));
    ({ createExecTool } = await import("./bash-tools.exec.js"));
+    ({ detectCommandObfuscation } = await import("../infra/exec-obfuscation-detect.js"));
  });

  beforeEach(async () => {
@@ -182,4 +192,78 @@ describe("exec approvals", () => {
    await approvalSeen;
    expect(calls).toContain("exec.approval.request");
  });
+
+  it("denies node obfuscated command when approval request times out", async () => {
+    vi.mocked(detectCommandObfuscation).mockReturnValue({
+      detected: true,
+      reasons: ["Content piped directly to shell interpreter"],
+      matchedPatterns: ["pipe-to-shell"],
+    });
+
+    const calls: string[] = [];
+    vi.mocked(callGatewayTool).mockImplementation(async (method) => {
+      calls.push(method);
+      if (method === "exec.approval.request") {
+        return {};
+      }
+      if (method === "node.invoke") {
+        return { payload: { success: true, stdout: "should-not-run" } };
+      }
+      return { ok: true };
+    });
+
+    const tool = createExecTool({
+      host: "node",
+      ask: "off",
+      security: "full",
+      approvalRunningNoticeMs: 0,
+    });
+
+    const result = await tool.execute("call5", { command: "echo hi | sh" });
+    expect(result.details.status).toBe("approval-pending");
+    await expect.poll(() => calls.filter((call) => call === "node.invoke").length).toBe(0);
+  });
+
+  it("denies gateway obfuscated command when approval request times out", async () => {
+    if (process.platform === "win32") {
+      return;
+    }
+
+    vi.mocked(detectCommandObfuscation).mockReturnValue({
+      detected: true,
+      reasons: ["Content piped directly to shell interpreter"],
+      matchedPatterns: ["pipe-to-shell"],
+    });
+
+    vi.mocked(callGatewayTool).mockImplementation(async (method) => {
+      if (method === "exec.approval.request") {
+        return {};
+      }
+      return { ok: true };
+    });
+
+    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-test-obf-"));
+    const markerPath = path.join(tempDir, "ran.txt");
+    const tool = createExecTool({
+      host: "gateway",
+      ask: "off",
+      security: "full",
+      approvalRunningNoticeMs: 0,
+    });
+
+    const result = await tool.execute("call6", {
+      command: `echo touch ${JSON.stringify(markerPath)} | sh`,
+    });
+    expect(result.details.status).toBe("approval-pending");
+    await expect
+      .poll(async () => {
+        try {
+          await fs.access(markerPath);
+          return true;
+        } catch {
+          return false;
+        }
+      })
+      .toBe(false);
+  });
 });