| 标题 | Sinaptik AI PandasAI <= 3.0.0 Path Traversal (CWE-22) |
|---|
| 描述 | # Technical Details
An Arbitrary File Read vulnerability exists in the SQL safety validator `pandasai/helpers/sql_sanitizer.py` of Sinaptik AI PandasAI.
The is_sql_query_safe() function uses a keyword blocklist to prevent malicious SQL but fails to block DuckDB-specific table functions (read_csv_auto, read_parquet, read_json, read_text). An attacker can craft a SELECT query that passes all safety checks while using these functions to read arbitrary files: SELECT * FROM read_csv_auto('/etc/passwd'). Additionally, ViewDatasetLoader.execute_local_query() skips the safety check entirely for local source types.
# Vulnerable Code
File: pandasai/helpers/sql_sanitizer.py (lines 40-108)
Method: is_sql_query_safe()
Why: Blocklist only covers INSERT/UPDATE/DELETE/DROP etc. but not read_csv_auto, read_parquet, read_json, read_text. Additionally, ViewDatasetLoader.execute_local_query() (view_loader.py lines 80-87) executes queries without any safety check.
# Reproduction
1. Application exposes PandasAI Agent.chat() or SQL execution via LocalDatasetLoader.
2. Send: SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':')
3. Standard DROP/DELETE queries are blocked (HTTP 403) but read_csv_auto passes and returns /etc/passwd contents.
# Impact
- Arbitrary local file read (/etc/passwd, .env files, SSH keys).
- Exfiltrate API keys, database credentials, application secrets.
- Potential SSRF if DuckDB httpfs extension is available. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/0ea2685789929bdb6363f5aebb7cba9a |
|---|
| 用户 | Eric-b (UID 96354) |
|---|
| 提交 | 2026-03-12 02時56分 (18 日前) |
|---|
| 管理 | 2026-03-27 14時48分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 353884 [Sinaptik AI PandasAI 直到 3.0.0 sql_sanitizer.py is_sql_query_safe 目录遍历] |
|---|
| 积分 | 20 |
|---|