# DB-GPT v0.8.0 — Unauthenticated arbitrary file write (path traversal / absolute path) — huntr PoC Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the huntr triage bot. **Target:** `eosphoros-ai/DB-GPT` @ **v0.8.0** (commit `a3f21350`, latest release). An unauthenticated `POST /api/v1/python/file/upload` passes the raw multipart filename straight into `os.path.join(upload_dir, file.filename)` with no sanitization, then `open(file_path,"wb").write(content)`. An absolute-path filename (`/tmp/evil`) or `../` traversal escapes the intended `/python_uploads//` confinement and writes attacker-controlled bytes to an attacker-chosen path — anywhere the DB-GPT service user can write. ## Contents - `README.md` — this file. - `REPORT.md` / `POC.md` — the vulnerability report and walkthrough (added separately). - `poc/fire_005.py` — self-contained deterministic PoC. Run network-isolated: ``` unshare --user --map-root-user --net python3 poc/fire_005.py ``` - `poc/vendor/python_upload_api.py` — the real v0.8.0 source file the PoC AST-extracts and executes (the `python_file_upload` handler with the untouched `os.path.join` sink), **byte-identical to the released PyPI wheel `dbgpt-app==0.8.0`** — sha256 in `poc/PROVENANCE.txt` (`7eb363ff…`, verified at runtime). - `poc/sandbox_005.log` — a recorded run: Oracle A (absolute-path escape) + Oracle B (`..` traversal) + NEG-CONTROL (benign filename stays confined) all PASS. Harmless marker only (short text files, cleaned up); no network egress; the target repository is never built or installed.