AstrBot Project Arbitrary File Read Vulnerability

Vulnerability

An arbitrary file read vulnerability has been identified in AstrBot Project version 3.5.22. The issue arises in the `_encode_image_bs64` function within `entities.py`, which opens images from paths supplied by the user in the request body. Because the image path is never validated, an attacker can craft a malicious `image_url` that makes the server read any file the process can access. The vulnerability leads to unauthorized access to sensitive data.
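The root cause above is an image encoder that trusts a request-supplied path. The following is an added example, not AstrBot's code: `encode_image_unsafe` illustrates the pattern the advisory describes (open whatever path arrives, base64-encode it), and `encode_image_safe` is a hypothetical hardened replacement that only serves files located inside a server-controlled directory (`allowed_root`, an assumed parameter), resolves symlinks and `..` before checking containment, and additionally refuses to encode anything whose leading bytes are not those of a supported image format. `demo_scenario` builds a constructed layout in a temporary directory so the two behaviours can be compared offline.

```python
import base64
import tempfile
from pathlib import Path

# Minimal magic-byte table (constructed for this example; extend as needed).
# Even a file that sits inside the allowed directory is refused unless it
# starts like a real image, which limits what a path-check bypass could leak.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def encode_image_unsafe(image_path: str) -> str:
    """Illustration of the vulnerable pattern (NOT the project's actual code):
    the path named in the request is opened as-is, so the caller chooses
    which file on the server gets base64-encoded and returned."""
    with open(image_path, "rb") as f:
        return base64.b64encode(f.read()).decode("ascii")


def sniff_mime(data: bytes):
    """Return the MIME type matching the file's leading bytes, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def encode_image_safe(image_ref: str, allowed_root: str) -> str:
    """Hypothetical hardened encoder. `image_ref` is treated as a name relative
    to `allowed_root`; absolute paths, drive letters and `..` segments end up
    outside the root after resolve() and are rejected. resolve() also follows
    symlinks, so a link inside the root pointing elsewhere is rejected too."""
    root = Path(allowed_root).resolve(strict=True)
    candidate = (root / image_ref).resolve()  # an absolute image_ref replaces root here
    if not candidate.is_relative_to(root):
        raise ValueError("image path escapes the allowed directory")
    if not candidate.is_file():
        raise ValueError("image path is not a regular file")
    data = candidate.read_bytes()
    mime = sniff_mime(data)
    if mime is None:
        raise ValueError("file is not a supported image type")
    return f"data:{mime};base64," + base64.b64encode(data).decode("ascii")


def demo_scenario() -> dict:
    """Constructed layout: an upload root holding one PNG, and a secret.txt
    outside it (mirroring the advisory's test file). Records what each
    encoder does with a legitimate image, an absolute path and a traversal."""
    secret_text = "congratulations! This is a test!"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        (root / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        secret = Path(tmp) / "secret.txt"
        secret.write_text(secret_text)

        results = {}
        leaked = base64.b64decode(encode_image_unsafe(str(secret))).decode()
        results["unsafe_reads_secret"] = leaked == secret_text
        results["safe_encodes_png"] = encode_image_safe("cat.png", str(root)).startswith(
            "data:image/png;base64,"
        )
        for label, ref in (("absolute", str(secret)), ("traversal", "../secret.txt")):
            try:
                encode_image_safe(ref, str(root))
                results[f"safe_rejects_{label}"] = False
            except ValueError:
                results[f"safe_rejects_{label}"] = True
        return results


if __name__ == "__main__":
    for check, outcome in demo_scenario().items():
        print(f"{check}: {outcome}")
```

The containment check must run on the resolved path, not on the raw string: a prefix comparison on the unresolved value is defeated by `..` segments and by symlinks, and on Windows by drive-letter and UNC forms. Keeping the allowed directory server-controlled (an upload cache the application itself populates) is what makes the relative-name contract meaningful; a request should never be able to name a location on the host filesystem directly.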

Impact

Exploitation of this vulnerability allows for arbitrary file read, potentially leading to unauthorized disclosure of sensitive information.

Reproduction

To reproduce this vulnerability:

1. Install Python version 3.10 or later, then download the AstrBot Project source code from GitHub and install the necessary dependencies.
2. Run the project; it should display a message indicating that the WebUI is active.
3. Create a test file named `secret.txt` on the C drive containing the text 'congratulations! This is a test!'.
4. Add a model service provider and open the chat page.
5. Send an arbitrary image while capturing the request's cURL with the developer tools. This cURL includes the `Authorization` header and the `conversation_id` needed for the exploit.
6. Send a POST request to `http://localhost:6185/chat/send`, using the `Authorization` token and `conversation_id` from the captured cURL, and set the `image_url` to the absolute path of the file to be accessed. After the request is processed, the response is stored in a SQLite database.
7. To verify the exploitation, send a GET request to `http://localhost:6185/api/conversation/list` to retrieve the `conversation_id` and `user_id` associated with the bot's response.
8. Use this information to send a GET request to `http://localhost:6185/api/chat/get_conversation`, where the `image_url` field can be populated with a base64 encoded string of the target file, completing the exploitation process.

Added: Nov 7, 2025, 6:24 PM
Updated: Nov 7, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.