AstrBot Project Directory Traversal Vulnerability in Plugin Upload Handler
Vulnerability
A directory traversal vulnerability exists in AstrBot Project version 3.5.22. The issue lies in the 'install_plugin_upload' function behind the '/plugin/install-upload' endpoint: the filename is taken from the user-supplied multipart request body and assigned directly to 'file_path' without validation or normalization. Because the filename is joined onto the upload directory as-is, an attacker can include traversal sequences ('../') in it and have the uploaded content written to an arbitrary location on the filesystem, outside the directory the handler intends to use.
Impact
Exploitation of this vulnerability allows an attacker with access to the endpoint to write arbitrary files on the server with the privileges of the AstrBot process, potentially leading to code execution (for example by dropping a plugin or configuration file that the application later loads) or to overwriting critical files.
Reproduction
To reproduce this vulnerability, upload a file through the '/plugin/install-upload' endpoint using a multipart/form-data request. Set the filename field of the file part to a value containing directory traversal sequences, such as '../../malicious.txt'; the file is then written outside the upload directory (in the reported case, into the root directory of the project) instead of into the intended location.
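The following is an added example, not AstrBot's own code, that reproduces the vulnerable path-construction pattern described above next to a hardened version. The upload directory, the function names and the filename allowlist are all assumptions chosen for illustration; the only things taken from the advisory are the crafted filename and the fact that the client-controlled multipart filename is joined onto the upload directory unchecked.

```python
import os
import re

# Assumed upload directory for illustration only; this is not AstrBot's real path.
PLUGIN_UPLOAD_DIR = "/srv/astrbot/data/temp"

# Hypothetical allowlist for uploaded plugin names: letters, digits, dot,
# underscore and hyphen, not starting with a dot (so no hidden files and no
# "." or ".." components), bounded in length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$")


def unsafe_target_path(upload_dir: str, filename: str) -> str:
    """The vulnerable pattern: the multipart filename is joined onto the
    upload directory without any validation, so '../' segments walk out of it.
    normpath() collapses the traversal exactly as the kernel would on open()."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def is_safe_filename(filename: str) -> bool:
    """Accept only a plain leaf name: no empty string, no NUL (which would
    truncate the path in C-level APIs), no separator of either flavour
    (a Windows client or an attacker may send backslashes), and only
    allowlisted characters."""
    if not filename or "\x00" in filename:
        return False
    if "/" in filename or "\\" in filename:
        return False
    return _SAFE_NAME.fullmatch(filename) is not None


def safe_target_path(upload_dir: str, filename: str) -> str:
    """Hardened form: validate the name first, then independently verify that
    the fully resolved target still lies inside the upload directory. The
    second check is defense in depth against symlinks or any gap in the
    allowlist; never rely on the name check alone."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected unsafe filename: {filename!r}")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath() compares whole components, so "/srv/astrbot/data/temp2"
    # is correctly treated as outside "/srv/astrbot/data/temp".
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload directory: {target}")
    return target


def demo() -> dict:
    """Show where the crafted filename from the advisory ends up under each
    handler. The filenames are constructed test inputs."""
    crafted = "../../malicious.txt"
    results = {"unsafe": unsafe_target_path(PLUGIN_UPLOAD_DIR, crafted)}
    try:
        results["safe"] = safe_target_path(PLUGIN_UPLOAD_DIR, crafted)
    except ValueError as exc:
        results["safe"] = f"rejected: {exc}"
    results["legit"] = safe_target_path(PLUGIN_UPLOAD_DIR, "my_plugin-1.0.zip")
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

With the assumed upload directory, the vulnerable join turns '../../malicious.txt' into '/srv/astrbot/malicious.txt', two levels above where the handler meant to write; the hardened version rejects the same input before any path is built, and would still refuse to return a path outside the base directory even if a name slipped past the allowlist.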
