
Unrestricted Upload of File with Dangerous Type (CWE-434)

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

In the latest version 6.0.0, the endpoint /api-user/users/file-anon (file-center service) does not perform any security processing on uploaded files, allowing attackers to upload malicious code to the S3 server. Common attack methods include uploading HTML or PDF files containing malicious JavaScript code to launch XSS or phishing attacks against users.


Details

  • zlt-business/file-center/src/main/java/com/central/file/controller/FileController.java
    @PostMapping("/files-anon")
    public FileInfo upload(@RequestParam("file") MultipartFile file) throws Exception {
        return fileService.upload(file);  // Tainted input flows to service
    }
  • src/main/java/com/central/file/service/impl/AbstractIFileService.java
    public FileInfo upload(MultipartFile file) {
        FileInfo fileInfo = FileUtil.getFileInfo(file);
        if (!fileInfo.getName().contains(FILE_SPLIT)) {
            throw new IllegalArgumentException("缺少后缀名");
        }
        ObjectInfo objectInfo = uploadFile(file);
        fileInfo.setPath(objectInfo.getObjectPath());
        fileInfo.setUrl(objectInfo.getObjectUrl());
        // Set the file source
        fileInfo.setSource(fileType());
        // Save the file info to the database
        baseMapper.insert(fileInfo);

        return fileInfo;
    }
  • src/main/java/com/central/file/service/impl/S3Service.java
    protected ObjectInfo uploadFile(MultipartFile file) {
        return s3Template.upload(file);
    }
  • src/main/java/com/central/oss/template/S3Template.java
    private ObjectInfo upload(String bucketName, String objectName, InputStream is, int size, String contentType) {
        ObjectMetadata objectMetadata = new ObjectMetadata();
        objectMetadata.setContentLength(size);
        objectMetadata.setContentType(contentType);
        PutObjectRequest putObjectRequest = new PutObjectRequest(
                bucketName, objectName, is, objectMetadata);
        putObjectRequest.getRequestClientOptions().setReadLimit(size + 1);
        amazonS3.putObject(putObjectRequest);

        ObjectInfo obj = new ObjectInfo();
        obj.setObjectPath(bucketName + PATH_SPLIT + objectName);
        obj.setObjectUrl(fileProperties.getS3().getEndpoint() + PATH_SPLIT + obj.getObjectPath());
        return obj;
    }

Complete Taint Flow Diagram

  [User Input] → [Controller] → [Service] → [Utility] → [Storage] → [File System]
       ↓              ↓            ↓           ↓            ↓            ↓
  MultipartFile → upload() → getFileInfo() → S3Template → Object Key → File Write
       ↓              ↓            ↓           ↓            ↓            ↓
   filename      file param   tainted name  direct use   no sanitize  RCE/XSS
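The code above only checks that the client-supplied name contains a dot; the extension, the declared Content-Type and the file body all flow to S3 unvalidated, and the original name becomes the object key. The following is an added example of the kind of validation the flow is missing; it is not code from the microservices-platform project. It assumes the Spring MultipartFile interface and the AWS SDK v1 ObjectMetadata class already used by S3Template; the class names SafeUploadValidator and Checked, the image-only allow-list and the 5 MB size cap are all assumptions made for the example.

```java
// Added example, not project code: validate an anonymous upload before it reaches S3.
// Checks: size cap, extension allow-list, declared Content-Type agrees with the
// extension, file body starts with the matching magic bytes, and the stored object key
// is generated server-side so the client-supplied name (and any path in it) is dropped.
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

import com.amazonaws.services.s3.model.ObjectMetadata;
import org.springframework.web.multipart.MultipartFile;

public final class SafeUploadValidator {

    // Hypothetical policy for this example: images only. HTML is never accepted, and
    // document types such as PDF are deliberately left out because a browser may run
    // script embedded in them when they are served inline.
    private static final Map<String, String> ALLOWED = Map.of(
            "png", "image/png",
            "jpg", "image/jpeg",
            "jpeg", "image/jpeg",
            "gif", "image/gif");

    // Leading bytes the body must start with for each allowed extension.
    private static final Map<String, byte[][]> MAGIC = Map.of(
            "png", new byte[][] {{(byte) 0x89, 'P', 'N', 'G'}},
            "jpg", new byte[][] {{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}},
            "jpeg", new byte[][] {{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}},
            "gif", new byte[][] {{'G', 'I', 'F', '8', '7', 'a'}, {'G', 'I', 'F', '8', '9', 'a'}});

    private static final long MAX_BYTES = 5L * 1024 * 1024;  // assumed cap for the example

    /** Result of a successful check: what to store, with nothing taken from the client. */
    public static final class Checked {
        public final String objectName;   // server-generated key, never the original name
        public final String contentType;  // taken from the allow-list, not from the request
        Checked(String objectName, String contentType) {
            this.objectName = objectName;
            this.contentType = contentType;
        }
    }

    public static Checked check(MultipartFile file) throws IOException {
        if (file == null || file.isEmpty()) {
            throw new IllegalArgumentException("empty upload");
        }
        if (file.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("file too large");
        }
        String original = file.getOriginalFilename();
        if (original == null) {
            throw new IllegalArgumentException("missing file name");
        }
        int dot = original.lastIndexOf('.');
        if (dot < 0 || dot == original.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        // Lower-case so "XSS.HTML" and "xss.html" are judged the same way.
        String ext = original.substring(dot + 1).toLowerCase(Locale.ROOT);
        String expectedType = ALLOWED.get(ext);
        if (expectedType == null) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // The declared Content-Type is attacker-controlled: it must agree with the
        // extension, and the body must agree with both.
        String declared = file.getContentType();
        if (declared == null || !declared.equalsIgnoreCase(expectedType)) {
            throw new IllegalArgumentException("content type does not match extension");
        }
        if (!magicMatches(ext, file)) {
            throw new IllegalArgumentException("file body does not match extension");
        }
        // Replace the client name entirely; this also removes any path separators.
        return new Checked(UUID.randomUUID() + "." + ext, expectedType);
    }

    /** Metadata for the S3 PutObjectRequest: fixed type and download-only disposition. */
    public static ObjectMetadata metadataFor(Checked checked, long size) {
        ObjectMetadata meta = new ObjectMetadata();
        meta.setContentLength(size);
        meta.setContentType(checked.contentType);
        // Forces a download even if a future policy change admits a type a browser
        // would otherwise render inline.
        meta.setContentDisposition("attachment; filename=\"" + checked.objectName + "\"");
        return meta;
    }

    private static boolean magicMatches(String ext, MultipartFile file) throws IOException {
        byte[] head = new byte[8];
        int n;
        try (InputStream in = file.getInputStream()) {
            n = in.readNBytes(head, 0, head.length);
        }
        for (byte[] magic : MAGIC.get(ext)) {
            if (n >= magic.length && Arrays.equals(Arrays.copyOf(head, magic.length), magic)) {
                return true;
            }
        }
        return false;
    }
}
```

In the flow shown above, `check(file)` would run at the start of `AbstractIFileService.upload` and the returned `objectName` and `metadataFor(...)` would replace the client-derived name and content type that `S3Template.upload` currently writes through unchanged. The magic-byte check is what stops the case the summary describes, an HTML body uploaded under an image name or image Content-Type, and the generated key removes the attacker's control over the URL path.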

POC

  • Upload HTML file
  # Upload HTML file with malicious JavaScript code (XSS payload or phishing page)
  curl -X POST http://localhost:9900/api-user/users/files-anon \
    -F "file=@xss.html" \
    -H "Content-Type: image/gif" \
    -v

  # Response will contain file URL for access
  # Access: http://target/uploaded/path/xss.html

NinjaGPT, Jul 26 '25 01:07