You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

DB-GPT v0.8.0 β€” Unauthenticated arbitrary local file read via RAG document loader β€” huntr PoC

Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the huntr triage bot.

Target: eosphoros-ai/DB-GPT @ v0.8.0 (commit a3f21350, latest release).

An unauthenticated POST /knowledge/{space}/document/add with doc_type="DOCUMENT", content="/abs/path.txt" and no doc_file persists the attacker-controlled path verbatim; at sync the file-storage download is skipped (the path does not start with the internal dbgpt-fs schema) and the raw path is handed to KnowledgeFactory.create(...), whose loader does open(self._path, "rb") β€” an unauthenticated arbitrary local file read of any file the server process can read whose extension is a supported document type (txt/csv/md/html/pdf/docx/pptx/doc/xlsx). Deterministic, no LLM.

Severity (honest): Medium

Arbitrary read is capped by extension: the dispatcher (factory.py:145 _select_document_knowledge) rejects any path whose extension is not a supported DocumentType. Files such as .env, .toml, /etc/passwd, id_rsa are NOT readable β€” the PoC proves this as a negative control. The unit read fires at sync; restitution of the bytes via chunk/list depends on an operational embeddings/vector store.

Contents

  • REPORT.md β€” the full vulnerability report.
  • POC.md β€” the proof-of-concept walkthrough.
  • poc/fire_011.py β€” self-contained deterministic PoC. Run network-isolated:
    unshare --user --map-root-user --net python3 poc/fire_011.py
    
    (requires only chardet, used by the genuine TXTKnowledge._load; pip install chardet before --net).
  • poc/vendor/*.py β€” the 11 real v0.8.0 source files the PoC executes (dispatch + loaders). factory.py, txt.py and the 8 sibling loaders are byte-identical to the released PyPI wheel dbgpt-ext==0.8.0; base.py is byte-identical to the audited clone @ tag v0.8.0 β€” sha256 in poc/PROVENANCE.txt, re-checked at runtime.
  • poc/sandbox_011.log β€” a recorded run (all PASS, incl. the two negative controls).

Harmless marker only (a /tmp witness file the harness writes and reads); no network egress; /etc/passwd and credential paths are only used as negative controls (rejected before any read); the target repository is never built or installed.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support