TransformerOptimus SuperAGI Arbitrary File Overwrite Vulnerability in File Upload Endpoint

Vulnerability

TransformerOptimus SuperAGI version 0.0.14 contains an arbitrary file overwrite vulnerability in its file upload functionality. The '/api/resources/add/<agent_id>' endpoint, implemented in 'superagi/controllers/resources.py', builds the destination path from the client-supplied filename without stripping or rejecting directory traversal sequences ('../'). A filename that traverses out of the designated upload directory therefore causes the uploaded content to be written, and any existing file to be replaced, at an attacker-chosen location on the server's filesystem.

Impact

An attacker who can reach the upload endpoint can create or overwrite files outside the upload directory: the content of an existing file is replaced with the upload body, so configuration, application or system files can be corrupted or replaced with attacker-controlled content, leading to unauthorized access or modification of critical system files. The set of reachable files is bounded only by the write permissions of the account running the SuperAGI backend, not by the application itself.

Reproduction

Send a file upload request to the '/api/resources/add/<agent_id>' endpoint whose filename begins with directory traversal sequences (a path of the form '../../../etc/passwd') and ends with a file extension the endpoint accepts. The extension check passes because it only inspects the end of the name, and the traversal sequences are not removed, so the upload body is written to the resolved path. The targeted file is overwritten if it already exists (and created otherwise), provided the process account has write access to that location.

Remediation

Upgrade to a SuperAGI release later than 0.0.14 that contains the fix; the latest version includes it. Where an upgrade cannot be applied immediately, the same defence can be enforced in front of or inside the handler: reject any uploaded filename that contains a path separator or a '..' component, and confirm that the fully resolved destination path is a direct child of the upload directory before opening the file for writing.
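The following Python sketch is an added illustration of the bug class described in this advisory and of the check that closes it; it is not SuperAGI's own upload handler, which this page does not reproduce. The upload root path, the extension allowlist, the function names and the sandbox scenario are all assumptions made for the example.

```python
"""Illustrative reconstruction of the SuperAGI upload path bug (added example,
not the project's code). The upload root, the extension allowlist and all
function names are assumptions."""
import os
import tempfile

# Assumed allowlist: the advisory only says a "valid file extension" is required.
ACCEPTED_EXTENSIONS = (".pdf", ".docx", ".pptx", ".csv", ".txt", ".epub")


def vulnerable_target_path(upload_root: str, client_filename: str) -> str:
    """Bug pattern: check the extension, then join the raw client filename.

    '../' segments survive the suffix check and walk out of upload_root.
    """
    if not client_filename.endswith(ACCEPTED_EXTENSIONS):
        raise ValueError("File type not supported")
    return os.path.normpath(os.path.join(upload_root, client_filename))


def safe_target_path(upload_root: str, client_filename: str) -> str:
    """Hardened version: reject any directory component, then prove that the
    resolved destination is a direct child of the (symlink-resolved) root."""
    if not client_filename.endswith(ACCEPTED_EXTENSIONS):
        raise ValueError("File type not supported")
    # Both separators are hostile; NUL would truncate the name at the OS layer.
    # A framework that decodes the multipart filename hands us the plain string,
    # so no %2e%2e decoding is needed at this point.
    if "/" in client_filename or "\\" in client_filename or "\x00" in client_filename:
        raise ValueError("Filename must not contain path separators")
    if client_filename in ("", ".", ".."):
        raise ValueError("Invalid filename")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, client_filename))
    # Containment check: the parent of the resolved path must be the root itself.
    if os.path.dirname(candidate) != root:
        raise ValueError("Path escapes upload directory")
    return candidate


def save_upload(upload_root: str, client_filename: str, data: bytes, safe: bool) -> str:
    """Write the upload body using either path builder; returns the path written."""
    builder = safe_target_path if safe else vulnerable_target_path
    target = builder(upload_root, client_filename)
    with open(target, "wb") as fh:  # 'wb' truncates: an existing file is overwritten
        fh.write(data)
    return target


def demo():
    """Constructed scenario in a temp dir: a 'config.txt' two levels above the
    upload directory. Returns (victim content after the vulnerable write,
    whether the hardened builder refused the same filename)."""
    with tempfile.TemporaryDirectory() as sandbox:
        upload_root = os.path.join(sandbox, "workspace", "input")
        os.makedirs(upload_root)
        victim = os.path.join(sandbox, "config.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        hostile = "../../config.txt"  # two levels up from workspace/input
        save_upload(upload_root, hostile, b"attacker data", safe=False)
        with open(victim) as fh:
            clobbered = fh.read()
        try:
            save_upload(upload_root, hostile, b"attacker data", safe=True)
            refused = False
        except ValueError:
            refused = True
        return clobbered, refused


if __name__ == "__main__":
    print(demo())  # ('attacker data', True)
```

The hardened builder rejects rather than sanitizes: silently stripping '../' invites bypasses such as '....//' and leaves no audit trail, whereas a rejected request can be logged and alerted on. The final `dirname(candidate) != root` comparison is the check that actually matters; the separator test in front of it only produces a clearer error message.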

Added: Jul 22, 2025, 8:17 PM
Updated: Jul 22, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread            0.8
impact            5.0
exploitability    9.5
remediation       0.0
relevance         0.3
threat            6.4
urgency           2.9
incentive        10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.