xataio Xata Agent Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in xataio Xata Agent versions through 0.3.0. The issue arises in the GET function of 'apps/dbagent/src/app/api/evals/route.ts', where the application fails to validate the 'folder' query parameter before using it to build a filesystem path. Because the parameter is not checked, an attacker can manipulate it to read arbitrary files, leading to unauthorized information disclosure. The vulnerable code path is only reachable when the 'EVAL' environment variable is set to 'true'. Exploitation consists of sending a request with a crafted 'folder' parameter that includes path traversal sequences.
Impact
Exploitation of this vulnerability allows for arbitrary file reading, which can lead to unauthorized disclosure of sensitive information.
Reproduction
To reproduce this vulnerability, set the 'EVAL' environment variable to 'true'. Then, send a GET request to the '/api/evals' endpoint with a 'folder' parameter that includes path traversal sequences, targeting a directory that contains sensitive files. The response will include the contents of the accessed files, demonstrating the successful exploitation of the vulnerability.
Remediation
Users are advised to upgrade to xataio Xata Agent version 0.3.1, which addresses this vulnerability by implementing proper validation of the 'folder' parameter. The updated version can be downloaded from the xataio agent GitHub repository.
