OpenClaude Logic Flaw in Bash Permission Handling Allows Path Traversal

A logic flaw has been identified in OpenClaude versions prior to 0.5.1, specifically within the 'bashToolHasPermission()' function in 'src/tools/BashTool/bashPermissions.ts'. When the sandbox's auto-allow feature is enabled and no explicit deny rule is set, the function prematurely returns an 'allow' result. This occurs before the path constraint filter can be applied, enabling commands with path traversal sequences to completely bypass directory restrictions. As a result, users can access arbitrary files outside the sandbox boundary, such as '/etc/passwd' and '/etc/shadow', or write to any path, depending on operating system permissions.

Impact

Exploitation of this vulnerability allows users to read sensitive files outside the sandbox, write to arbitrary paths, and completely bypass the intended filesystem isolation of the sandbox environment.

Reproduction

To reproduce this vulnerability, first enable sandbox mode and the auto-allow feature. Ensure that no explicit deny rules are in place. Then, submit a bash command that includes a path traversal payload, such as 'cat ../../../../../etc/passwd'. The command will be allowed without triggering the necessary path constraint checks, demonstrating the vulnerability.

Remediation

Users should update to OpenClaude version 0.5.1 or later, where this vulnerability has been patched.