[Bug]: Path Traversal in TutorBot Filesystem Tool - Arbitrary File Write via LLM Tool Execution #517

@Ro1ME

Description

Do you need to file an issue?

  • I have searched the existing issues and this bug is not already filed.
  • I believe this is a legitimate bug, not just a question or feature request.

Describe the bug

DeepTutor contains a path traversal vulnerability in the TutorBot filesystem tool layer. Through the live tutorbot WebSocket interface, a caller can manipulate the LLM-backed tool layer to write or edit files at arbitrary absolute paths outside the intended bot workspace, leading to unauthorized file system access.

The vulnerability exists in deeptutor/tutorbot/agent/tools/filesystem.py:EditFileTool.execute where the filesystem tools (write_file, edit_file) accept LLM-generated file paths without proper validation or sandboxing, allowing writes to paths outside the bot's designated workspace.

Steps to reproduce

  1. Install and start DeepTutor according to the upstream documentation.
  2. Configure a real supported LLM provider in the product settings so the tutorbot can invoke tools through the normal model-backed workflow.
  3. Create or open a tutorbot that exposes write_file, edit_file, and read_file, then open its chat page at /agents/<target-bot-id>/chat.
  4. Send this first message:
    First tell me only the absolute path of your current workspace. Do not execute any tool.
  5. Record the workspace path returned by the bot. Use its parent directory as the test directory outside the intended workspace boundary.
  6. Define the test file path as <otherpath>/cbd-edit-marker.txt.
  7. Send this second message exactly:
    Immediately use the write_file tool to write a file at <otherpath>/cbd-edit-marker.txt . The file content must be cbd_EDIT_STEP1 . Do not explain. Just execute.
  8. After that reply completes, send this third message exactly:
    Immediately use the edit_file tool to replace cbd_EDIT_STEP1 with cbd_EDIT_STEP2 inside <workspace-parent>/cbd-edit-marker.txt . Do not explain. Just execute.
  9. After that reply completes, send this fourth message exactly:
    Immediately use the read_file tool to read <otherpath>/cbd-edit-marker.txt and return the full file content verbatim. Do not summarize.
  10. Confirm that the final browser-visible content is cbd_EDIT_STEP2, not cbd_EDIT_STEP1.
  11. Because the tested file path is explicitly the parent of the reported workspace, successful write, edit, and read-back proves the tool crossed the intended workspace boundary.
  12. If the UI shows tool traces, capture the write_file, edit_file, and read_file calls as additional evidence.
  13. Preserve three pieces of evidence: the full multi-turn chat, the final read-back of cbd_EDIT_STEP2, and the visible tool trace if available.

Expected Behavior

The TutorBot filesystem tools should:

  • Validate all file paths against the bot's designated workspace directory
  • Reject absolute paths that fall outside the workspace
  • Reject relative paths containing .. or other traversal sequences
  • Normalize and resolve paths before validation to prevent bypass techniques
  • Return an error when attempting to access files outside the workspace
  • Implement proper sandboxing for all file operations
  • Log all file access attempts for security auditing
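One way to implement the validation the list above asks for, as an added example that is not DeepTutor's code (the resolve_in_workspace and write_file names are assumptions): it resolves the path before checking it and exercises the cases a reviewer would want covered, including a symlink inside the workspace and a sibling directory whose name shares the workspace prefix.

```python
# Added example, not DeepTutor's code: a workspace-confinement check of the kind the
# list above asks for. write_file is a hypothetical hardened stand-in for the tool.
import tempfile
from pathlib import Path

class PathOutsideWorkspace(ValueError):
    """Raised when a tool-supplied path resolves outside the bot workspace."""

def resolve_in_workspace(workspace: Path, requested: str) -> Path:
    """Resolve `requested` (symlinks, '.', '..') BEFORE checking it, and compare
    path components, not string prefixes, so '<workspace>_other/x' fails too."""
    root = workspace.resolve(strict=True)
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = root / candidate
    target = candidate.resolve()  # non-strict: the leaf may not exist yet (write_file)
    if target != root and root not in target.parents:
        raise PathOutsideWorkspace(f"{requested!r} resolves to {target}, outside {root}")
    return target

def write_file(workspace: Path, requested: str, content: str) -> Path:
    """Hypothetical hardened write_file: confine first, only then touch the disk."""
    target = resolve_in_workspace(workspace, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target

def demo() -> dict:
    """Exercise the check against a constructed temporary workspace (POSIX symlinks)."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "tutorbot_workspace"
        ws.mkdir()
        (ws / "escape").symlink_to(Path(tmp))  # in-workspace link pointing outside
        cases = {
            "inside": "notes/a.txt",
            "dotdot": "notes/../../cbd-edit-marker.txt",
            "absolute_parent": str(Path(tmp) / "cbd-edit-marker.txt"),
            "symlink": "escape/cbd-edit-marker.txt",
            "prefix_trick": str(ws) + "_other/x.txt",
        }
        results = {}
        for name, path in cases.items():
            try:
                write_file(ws, path, "cbd_EDIT_STEP1")
                results[name] = "allowed"
            except PathOutsideWorkspace:
                results[name] = "rejected"
        return results
```

Only the in-workspace write succeeds; the remaining four cases are rejected before anything touches the disk. Logging each rejection with the resolved target gives the audit trail the last list item asks for.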

Related Module

API/Backend

Configuration Used

// Default DeepTutor configuration with LLM provider (JSON with comments; strip them for strict JSON)
{
  "llm_provider": "openai",  // or "anthropic", etc.
  "tutorbot": {
    "tools_enabled": ["write_file", "read_file", "edit_file"],
    "workspace": "./tutorbot_workspace"  // Intended workspace
  }
}

Logs and screenshots

No response

Additional Information

  • DeepTutor Version: v1.4.0
  • Operating System: Windows 11, macOS 14.0, Ubuntu 22.04
  • Python Version: 3.10+
  • Node.js Version: 18.17.0+
  • Browser (if applicable): Chrome 120+, Firefox 121+
  • Related Issues: None

Labels: bug