| Title | Sinaptik AI PandasAI <= 3.0.0 Path Traversal (CWE-22) |
|---|
| Description | # Technical Details
An Arbitrary File Read vulnerability exists in the SQL safety validator `pandasai/helpers/sql_sanitizer.py` of Sinaptik AI PandasAI.
The is_sql_query_safe() function uses a keyword blocklist to prevent malicious SQL but fails to block DuckDB-specific table functions (read_csv_auto, read_parquet, read_json, read_text). An attacker can craft a SELECT query that passes all safety checks while using these functions to read arbitrary files: SELECT * FROM read_csv_auto('/etc/passwd'). Additionally, ViewDatasetLoader.execute_local_query() skips the safety check entirely for local source types.
# Vulnerable Code
File: pandasai/helpers/sql_sanitizer.py (lines 40-108)
Method: is_sql_query_safe()
Why: Blocklist only covers INSERT/UPDATE/DELETE/DROP etc. but not read_csv_auto, read_parquet, read_json, read_text. Additionally, ViewDatasetLoader.execute_local_query() (view_loader.py lines 80-87) executes queries without any safety check.
# Reproduction
1. Application exposes PandasAI Agent.chat() or SQL execution via LocalDatasetLoader.
2. Send: SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':')
3. Standard DROP/DELETE queries are blocked (HTTP 403) but read_csv_auto passes and returns /etc/passwd contents.
# Impact
- Arbitrary local file read (/etc/passwd, .env files, SSH keys).
- Exfiltrate API keys, database credentials, application secrets.
- Potential SSRF if DuckDB httpfs extension is available. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/0ea2685789929bdb6363f5aebb7cba9a |
|---|
| User | Eric-b (UID 96354) |
|---|
| Submission | 12.03.2026 02:56 (19 days ago) |
|---|
| Moderation | 27.03.2026 14:48 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 353884 [Sinaptik AI PandasAI up to 3.0.0 sql_sanitizer.py is_sql_query_safe Directory Traversal] |
|---|
| Points | 20 |
|---|
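
Added example, not code from PandasAI or from the report: a keyword blocklist of the kind the description names, beside a default-deny check on function calls that rejects the table functions listed above. The blocklist contents, the allowlist, and the names `blocklist_only`, `rejected_calls` and `is_query_allowed` are assumptions, and a regex scan stands in here for a real SQL parser.

```python
import re

# Constructed stand-in for a keyword blocklist of the kind the report describes.
# It is NOT PandasAI's is_sql_query_safe().
BLOCKLIST = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE)\b", re.I)

# Assumption: the only functions this application lets generated SQL call.
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "lower", "upper",
                     "coalesce", "round"}

# SQL keywords that may legitimately be followed by "(" without being a call.
KEYWORDS = {"select", "from", "where", "in", "and", "or", "not", "on", "as",
            "exists", "join", "over", "values", "having", "by", "when", "then",
            "else", "union", "all", "any"}

# String literals and comments are removed first so their text is not scanned.
_NOISE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# An identifier, optionally double-quoted, directly followed by "(".
_CALL = re.compile(r'("?)([A-Za-z_][A-Za-z0-9_]*)\1\s*\(')


def blocklist_only(query):
    """Weak check: passes anything that avoids the blocked keywords."""
    return BLOCKLIST.search(query) is None


def rejected_calls(query):
    """Return the sorted names of called functions that are not allowlisted."""
    stripped = _NOISE.sub(" ", query)
    called = {m.group(2).lower() for m in _CALL.finditer(stripped)}
    return sorted(called - ALLOWED_FUNCTIONS - KEYWORDS)


def is_query_allowed(query):
    """Hardened check: blocklist plus default-deny on function calls."""
    return blocklist_only(query) and not rejected_calls(query)


if __name__ == "__main__":
    # Query taken from the report's reproduction step.
    reported = "SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':')"
    print(blocklist_only(reported), is_query_allowed(reported), rejected_calls(reported))
```

The check only helps if every execution path calls it, including the local-source path the report says runs queries without any validation.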