| タイトル | Sinaptik AI PandasAI <= 3.0.0 Path Traversal (CWE-22) |
|---|
| 説明 | # Technical Details
An Arbitrary File Read vulnerability exists in the SQL safety validator `pandasai/helpers/sql_sanitizer.py` of Sinaptik AI PandasAI.
The is_sql_query_safe() function uses a keyword blocklist to prevent malicious SQL but fails to block DuckDB-specific table functions (read_csv_auto, read_parquet, read_json, read_text). An attacker can craft a SELECT query that passes all safety checks while using these functions to read arbitrary files: SELECT * FROM read_csv_auto('/etc/passwd'). Additionally, ViewDatasetLoader.execute_local_query() skips the safety check entirely for local source types.
# Vulnerable Code
File: pandasai/helpers/sql_sanitizer.py (lines 40-108)
Method: is_sql_query_safe()
Why: Blocklist only covers INSERT/UPDATE/DELETE/DROP etc. but not read_csv_auto, read_parquet, read_json, read_text. Additionally, ViewDatasetLoader.execute_local_query() (view_loader.py lines 80-87) executes queries without any safety check.
# Reproduction
1. Application exposes PandasAI Agent.chat() or SQL execution via LocalDatasetLoader.
2. Send: SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':')
3. Standard DROP/DELETE queries are blocked (HTTP 403) but read_csv_auto passes and returns /etc/passwd contents.
# Impact
- Arbitrary local file read (/etc/passwd, .env files, SSH keys).
- Exfiltrate API keys, database credentials, application secrets.
- Potential SSRF if DuckDB httpfs extension is available. |
|---|
| ソース | ⚠️ https://gist.github.com/YLChen-007/0ea2685789929bdb6363f5aebb7cba9a |
|---|
| ユーザー | Eric-b (UID 96354) |
|---|
| 送信 | 2026年03月12日 02:56 (18 日 ago) |
|---|
| モデレーション | 2026年03月27日 14:48 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 353884 [Sinaptik AI PandasAI 迄 3.0.0 sql_sanitizer.py is_sql_query_safe ディレクトリトラバーサル] |
|---|
| ポイント | 20 |
|---|