Sinaptik AI PandasAI Path Traversal Vulnerability in SQL Query Sanitizer
Vulnerability
A path traversal vulnerability has been identified in Sinaptik AI PandasAI versions through 3.0.0. The issue arises in the SQL query safety validation function, is_sql_query_safe, located in pandasai/helpers/sql_sanitizer.py. This function is intended to prevent malicious SQL execution by using a keyword blocklist, but it fails to block certain DuckDB table functions that can read arbitrary files from the filesystem. As a result, an attacker can craft a SELECT query that bypasses the safety checks and exfiltrates sensitive files, such as /etc/passwd or application-specific .env files containing API keys or other secrets. The vulnerability can be exploited remotely, without any authentication.
Impact
Exploitation of this vulnerability leads to arbitrary file read on the server, allowing access to sensitive system files, application secrets, and potentially SSH private keys. If the DuckDB httpfs extension is available, this could also enable server-side request forgery (SSRF) attacks.
Reproduction
The vulnerability can be reproduced by sending a SQL query that uses the DuckDB read_csv_auto() function to read a file like /etc/passwd. This query bypasses the is_sql_query_safe() safety check, which only blocks certain keywords but not the file-reading functions. After executing the query, the contents of the passwd file are returned, demonstrating the arbitrary file read capability.
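The Python below is an added example, not PandasAI's code or its fix. It inverts the blocklist approach described above: every function call whose name is not on an allowlist is denied, and the check fails closed on input it cannot tokenize. The names check_query, ALLOWED_FUNCTIONS and KEYWORDS_BEFORE_PAREN, the allowlist contents and the sample queries are assumptions constructed for this example, and the check covers function calls only.

```python
import re

# Assumption: the functions the application actually needs; everything else is denied.
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "round", "lower", "upper", "coalesce"}
# SQL keywords that may precede "(" without being a function call.
KEYWORDS_BEFORE_PAREN = {"select", "from", "join", "where", "and", "or", "not", "in", "on",
                         "as", "exists", "over", "by", "having", "when", "then", "else",
                         "union", "all", "any"}

# Every character of the query must fall into one of these token classes.
_TOKEN = re.compile(r"""
    (?P<skip>\s+|--[^\n]*|/\*.*?\*/)                     # whitespace and comments
  | (?P<string>'(?:[^'\\]|'')*')                         # string literal without backslashes
  | (?P<name>[A-Za-z_][A-Za-z0-9_]*|"(?:[^"]|"")*")      # bare or quoted identifier
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<punct>[(),.;*=<>+\-/%!|])
""", re.VERBOSE | re.DOTALL)

def check_query(sql):
    """Return (ok, reason); reject anything the tokenizer does not recognise."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if m is None:
            return False, f"unrecognised input at offset {pos}"
        if m.lastgroup != "skip":  # comments cannot separate a name from its "("
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    for (kind, text), (_, nxt) in zip(tokens, tokens[1:]):
        if kind == "name" and nxt == "(":
            name = text.strip('"').lower()
            # A quoted identifier is never a keyword, so it must be an allowed function.
            is_keyword = not text.startswith('"') and name in KEYWORDS_BEFORE_PAREN
            if not is_keyword and name not in ALLOWED_FUNCTIONS:
                return False, f"function not allowed: {name}"
    return True, "ok"

if __name__ == "__main__":
    samples = [  # constructed queries; the second mirrors the page's reproduction
        "SELECT region, SUM(amount) FROM sales WHERE year IN (2023, 2024) GROUP BY region",
        "SELECT * FROM read_csv_auto('/etc/passwd')",
        'SELECT * FROM "READ_CSV_AUTO" /* c */ (\'/etc/passwd\')',
    ]
    for q in samples:
        print(check_query(q), "<-", q)
```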
