File size: 849 Bytes
b9770f5
# PoC: DirectoryReader Path Traversal — Arbitrary File Read

**Vulnerability:** `torch/package/_directory_reader.py:35-48` — All three methods (`get_record()`, `get_storage_from_record()`, `has_record()`) construct file paths by concatenating the base directory with unsanitized user-supplied names. Path traversal via `../` sequences reads arbitrary files from the filesystem.
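
The pattern described above, as an added illustration that is not PyTorch's code: a hypothetical `NaiveDirectoryReader` reproduces the flawed base-plus-name join, and a hypothetical `ConfinedDirectoryReader` shows the fix, resolving the candidate path and rejecting anything that lands outside the base directory. The class names, `PathTraversalError`, and the temporary `package/` and sibling `secret.txt` layout are all constructed for this example.

```python
"""Constructed example (not torch.package's DirectoryReader): an unsanitized
directory reader beside a hardened one that confines every record name to the
base directory."""
import os
import tempfile


class NaiveDirectoryReader:
    """Hypothetical reimplementation of the flawed pattern: base + name, with
    no validation, so '../' in the name walks out of the base directory."""

    def __init__(self, directory):
        self.directory = directory

    def get_record(self, name):
        with open(os.path.join(self.directory, name), "rb") as f:
            return f.read()

    def has_record(self, name):
        return os.path.isfile(os.path.join(self.directory, name))


class PathTraversalError(ValueError):
    """Raised when a record name would resolve outside the base directory."""


class ConfinedDirectoryReader:
    """Hardened variant: canonicalise the candidate path and require that the
    base directory is its prefix. Covers '../' sequences, absolute names and
    symlinks, because realpath() resolves all three before the check."""

    def __init__(self, directory):
        self.directory = os.path.realpath(directory)

    def _resolve(self, name):
        if os.path.isabs(name):
            raise PathTraversalError(f"absolute record name rejected: {name!r}")
        candidate = os.path.realpath(os.path.join(self.directory, name))
        # commonpath (not startswith) avoids prefix tricks such as /base vs /base2
        if os.path.commonpath([self.directory, candidate]) != self.directory:
            raise PathTraversalError(f"record name escapes base directory: {name!r}")
        return candidate

    def get_record(self, name):
        with open(self._resolve(name), "rb") as f:
            return f.read()

    def has_record(self, name):
        # has_record() must not leak existence of files outside the base
        try:
            return os.path.isfile(self._resolve(name))
        except PathTraversalError:
            return False


def demo():
    """Build a throwaway layout (constructed): root/package/inside.txt is a
    legitimate record, root/secret.txt sits one level above the base."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "package")
    os.mkdir(base)
    with open(os.path.join(base, "inside.txt"), "wb") as f:
        f.write(b"inside")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"secret")

    naive = NaiveDirectoryReader(base)
    safe = ConfinedDirectoryReader(base)
    results = {
        "naive_escapes": naive.has_record("../secret.txt"),
        "safe_inside": safe.get_record("inside.txt"),
        "safe_has_secret": safe.has_record("../secret.txt"),
        "safe_has_absolute": safe.has_record(os.path.join(root, "secret.txt")),
    }
    try:
        safe.get_record("../secret.txt")
        results["safe_raises"] = False
    except PathTraversalError:
        results["safe_raises"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the file prints `naive_escapes: True` for the flawed reader and `safe_has_secret: False`, `safe_has_absolute: False`, `safe_raises: True` for the confined one, while `inside.txt` is still served normally. The check is done on the fully resolved path rather than by rejecting `..` substrings, so a symlink inside the package pointing outside it is refused as well.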

## Files

- `poc_dirreader_traversal.py` — Full PoC (path traversal + filesystem probing + realistic scenario)

## Quick Start

```bash
pip install torch
python poc_dirreader_traversal.py
```

## Expected Output

- `get_record("../../../../etc/passwd")` reads /etc/passwd (3454 bytes, 60 lines)
- `has_record()` probes filesystem for sensitive files (SSH keys, /proc/self/environ, etc.)
- Realistic malicious package scenario reads /etc/passwd via DirectoryReader