| # DB-GPT v0.8.0 β Unauthenticated arbitrary file write (path traversal / absolute path) β huntr PoC |
|
|
| Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the |
| huntr triage bot. |
|
|
| **Target:** `eosphoros-ai/DB-GPT` @ **v0.8.0** (commit `a3f21350`, latest release). |
|
|
| An unauthenticated `POST /api/v1/python/file/upload` passes the raw multipart filename straight into |
| `os.path.join(upload_dir, file.filename)` with no sanitization, then `open(file_path,"wb").write(content)`. |
| An absolute-path filename (`/tmp/evil`) or `../` traversal escapes the intended |
| `<work_dir>/python_uploads/<user_id>/` confinement and writes attacker-controlled bytes to an |
| attacker-chosen path β anywhere the DB-GPT service user can write. |
|
|
| ## Contents |
| - `README.md` β this file. |
| - `REPORT.md` / `POC.md` β the vulnerability report and walkthrough (added separately). |
| - `poc/fire_005.py` β self-contained deterministic PoC. Run network-isolated: |
| ``` |
| unshare --user --map-root-user --net python3 poc/fire_005.py |
| ``` |
| - `poc/vendor/python_upload_api.py` β the real v0.8.0 source file the PoC AST-extracts and executes (the |
| `python_file_upload` handler with the untouched `os.path.join` sink), **byte-identical to the released |
| PyPI wheel `dbgpt-app==0.8.0`** β sha256 in `poc/PROVENANCE.txt` |
| (`7eb363ffβ¦`, verified at runtime). |
| - `poc/sandbox_005.log` β a recorded run: Oracle A (absolute-path escape) + Oracle B (`..` traversal) + |
| NEG-CONTROL (benign filename stays confined) all PASS. |
|
|
| Harmless marker only (short text files, cleaned up); no network egress; the target repository is never |
| built or installed. |
|
|