Trtnx's picture
add huntr PoC bundle
ca8cc77 verified
|
Raw
History Blame Contribute Delete
1.66 kB
# DB-GPT v0.8.0 β€” Unauthenticated arbitrary file write (path traversal / absolute path) β€” huntr PoC
Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the
huntr triage bot.
**Target:** `eosphoros-ai/DB-GPT` @ **v0.8.0** (commit `a3f21350`, latest release).
An unauthenticated `POST /api/v1/python/file/upload` passes the raw multipart filename straight into
`os.path.join(upload_dir, file.filename)` with no sanitization, then `open(file_path,"wb").write(content)`.
An absolute-path filename (`/tmp/evil`) or `../` traversal escapes the intended
`<work_dir>/python_uploads/<user_id>/` confinement and writes attacker-controlled bytes to an
attacker-chosen path β€” anywhere the DB-GPT service user can write.
## Contents
- `README.md` β€” this file.
- `REPORT.md` / `POC.md` β€” the vulnerability report and walkthrough (added separately).
- `poc/fire_005.py` β€” self-contained deterministic PoC. Run network-isolated:
```
unshare --user --map-root-user --net python3 poc/fire_005.py
```
- `poc/vendor/python_upload_api.py` β€” the real v0.8.0 source file the PoC AST-extracts and executes (the
`python_file_upload` handler with the untouched `os.path.join` sink), **byte-identical to the released
PyPI wheel `dbgpt-app==0.8.0`** β€” sha256 in `poc/PROVENANCE.txt`
(`7eb363ff…`, verified at runtime).
- `poc/sandbox_005.log` β€” a recorded run: Oracle A (absolute-path escape) + Oracle B (`..` traversal) +
NEG-CONTROL (benign filename stays confined) all PASS.
Harmless marker only (short text files, cleaned up); no network egress; the target repository is never
built or installed.