| عنوان | AstrBotDevs AstrBot 4.24.2 Path Traversal (CWE-22) |
|---|
| الوصف | # Technical Details
A Path Traversal vulnerability exists in the `post_file` method in `astrbot/dashboard/routes/chat.py` of AstrBot.
The application fails to sanitize the `file.filename` attribute when processing uploaded attachments in the authenticated dashboard API. The attacker-controlled filename is directly concatenated to the attachments directory path using `os.path.join()`. This allows an attacker to supply path traversal segments (e.g., `../`) in the filename to write files to arbitrary writable locations on the filesystem, circumventing the intended upload sandbox.
# Vulnerable Code
File: astrbot/dashboard/routes/chat.py
Method: post_file
Why: The code directly uses the attacker-provided `file.filename` inside `os.path.join(self.attachments_dir, filename)` without employing `secure_filename()` or validating that the resolved absolute path still resides within the bounds of `self.attachments_dir`.
# Reproduction
1. Log into the AstrBot dashboard using valid credentials.
2. Send a multipart `POST` request to the `/api/chat/post_file` endpoint.
3. Supply a crafted `filename` in the file payload containing path traversal characters (e.g., `../../../../../../tmp/malicious.txt`).
4. Verify that the file has been written to the targeted absolute path outside the intended attachments directory.
# Impact
- Arbitrary file write to the underlying server's filesystem.
- Overwriting application configuration or runtime data.
- Potential code execution or privilege escalation if sensitive files or execution paths are overwritten. |
|---|
| المصدر | ⚠️ https://gist.github.com/YLChen-007/217a2e975faf5a5be6d76c63cb3f402e |
|---|
| المستخدم | Eric-a (UID 96353) |
|---|
| ارسال | 07/05/2026 01:33 PM (30 أيام منذ) |
|---|
| الاعتدال | 31/05/2026 09:14 AM (24 days later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 364381 [AstrBotDevs AstrBot حتى 4.23.5 File Upload chat.py post_file filename اجتياز الدليل] |
|---|
| النقاط | 0 |
|---|