
Unrestricted Upload of File with Dangerous Type (CWE-434) #77

@NinjaGPT

Summary

In the latest version 6.0.0, the endpoint /api-user/users/file-anon (file-center service) does not perform any security processing on uploaded files, allowing attackers to upload malicious code to the S3 server. Common attack methods include uploading HTML or PDF files containing malicious JavaScript code to launch XSS or phishing attacks against users.


Details

  • zlt-business/file-center/src/main/java/com/central/file/controller/FileController.java
  @PostMapping("/files-anon")
  public FileInfo upload(@RequestParam("file") MultipartFile file) throws Exception {
      return fileService.upload(file);  // Tainted input flows to service
  }
  • src/main/java/com/central/file/service/impl/AbstractIFileService.java
    public FileInfo upload(MultipartFile file) {
        FileInfo fileInfo = FileUtil.getFileInfo(file);
        // Only check performed: the client-supplied name must contain a separator ("missing file extension")
        if (!fileInfo.getName().contains(FILE_SPLIT)) {
            throw new IllegalArgumentException("缺少后缀名");
        }
        ObjectInfo objectInfo = uploadFile(file);
        fileInfo.setPath(objectInfo.getObjectPath());
        fileInfo.setUrl(objectInfo.getObjectUrl());
        // Set the file source
        fileInfo.setSource(fileType());
        // Save the file info to the database
        baseMapper.insert(fileInfo);

        return fileInfo;
    }
  • src/main/java/com/central/file/service/impl/S3Service.java
    protected ObjectInfo uploadFile(MultipartFile file) {
        return s3Template.upload(file);
    }
  • src/main/java/com/central/oss/template/S3Template.java
    private ObjectInfo upload(String bucketName, String objectName, InputStream is, int size, String contentType) {
        ObjectMetadata objectMetadata = new ObjectMetadata();
        objectMetadata.setContentLength(size);
        // Content type is taken from the request as-is, no sniffing or allow-list
        objectMetadata.setContentType(contentType);
        PutObjectRequest putObjectRequest = new PutObjectRequest(
                bucketName, objectName, is, objectMetadata);
        putObjectRequest.getRequestClientOptions().setReadLimit(size + 1);
        amazonS3.putObject(putObjectRequest);

        ObjectInfo obj = new ObjectInfo();
        obj.setObjectPath(bucketName + PATH_SPLIT + objectName);
        obj.setObjectUrl(fileProperties.getS3().getEndpoint() + PATH_SPLIT + obj.getObjectPath());
        return obj;
    }

Complete Taint Flow Diagram

  [User Input] → [Controller] → [Service] → [Utility] → [Storage] → [File System]
       ↓              ↓            ↓           ↓            ↓            ↓
  MultipartFile → upload() → getFileInfo() → S3Template → Object Key → File Write
       ↓              ↓            ↓           ↓            ↓            ↓
   filename      file param   tainted name  direct use   no sanitize  RCE/XSS

POC

  • Upload HTML file
  # Upload HTML file with malicious JavaScript code (XSS payload or phishing page).
  # The part's Content-Type is set with ";type=" so the multipart/form-data envelope
  # stays intact (a top-level -H "Content-Type: image/gif" would replace the multipart
  # header and the server could not parse the "file" parameter).
  curl -X POST http://localhost:9900/api-user/users/files-anon \
    -F "file=@xss.html;type=image/gif" \
    -v

  # Response will contain file URL for access
  # Access: http://target/uploaded/path/xss.html
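The checks missing from the upload path above (allow-listed extension, content validated against the bytes rather than the client's name or Content-Type, server-generated object key, fixed type and disposition when the object is served) as an added, stand-alone example. This is not the project's code: `UploadGuard`, `StoredObject`, the allow-list, the size limit and the sample inputs are all assumptions for illustration; in the real service the inputs would come from `MultipartFile.getOriginalFilename()` and `MultipartFile.getBytes()`, and the returned key, type and disposition would be what `S3Template` writes into `ObjectMetadata` instead of the request-supplied values. Requires Java 17 (records, `java.util.HexFormat`).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Map;

/**
 * Hypothetical guard for an anonymous upload endpoint (added example, not the
 * project's code). Runs before the bytes are handed to the storage layer.
 */
public final class UploadGuard {

    /** What storage should use instead of the client-supplied name and type. */
    public record StoredObject(String objectKey, String contentType, String contentDisposition) {}

    /** Allow-list: extension -> Content-Type the object is stored and served with (assumed policy). */
    private static final Map<String, String> ALLOWED = Map.of(
            "gif", "image/gif",
            "png", "image/png",
            "jpg", "image/jpeg",
            "jpeg", "image/jpeg");

    private static final int MAX_BYTES = 5 * 1024 * 1024; // assumed limit for this example
    private static final SecureRandom RNG = new SecureRandom();

    public static StoredObject validate(String originalFilename, byte[] content) {
        if (content == null || content.length == 0 || content.length > MAX_BYTES) {
            throw new IllegalArgumentException("empty or oversized upload");
        }
        String ext = extensionOf(originalFilename);
        String expectedType = ALLOWED.get(ext);
        if (expectedType == null) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Decide from the bytes: the filename and the multipart Content-Type are both attacker-controlled.
        String sniffed = sniff(content);
        if (!expectedType.equals(sniffed)) {
            throw new IllegalArgumentException("content (" + sniffed + ") does not match ." + ext);
        }
        // Server-generated key: the client's filename never becomes part of the object path or URL.
        byte[] random = new byte[16];
        RNG.nextBytes(random);
        String key = HexFormat.of().formatHex(random) + "." + ext;
        // Fixed type from the allow-list plus "attachment": the object is downloaded, not rendered inline.
        return new StoredObject(key, expectedType, "attachment; filename=\"" + key + "\"");
    }

    /** Lower-cased extension; rejects names without one, as the original code does. */
    static String extensionOf(String name) {
        int dot = name == null ? -1 : name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            throw new IllegalArgumentException("missing file extension");
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Magic-byte detection for the allowed image types; anything else is treated as opaque binary. */
    static String sniff(byte[] b) {
        if (startsWith(b, "GIF8".getBytes(StandardCharsets.US_ASCII))) return "image/gif"; // GIF87a / GIF89a
        if (startsWith(b, new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A})) return "image/png";
        if (startsWith(b, new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF})) return "image/jpeg";
        return "application/octet-stream";
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
                && Arrays.equals(Arrays.copyOfRange(data, 0, prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal GIF header and the kind of HTML body used in the PoC.
        byte[] gif = "GIF89a\u0001\u0000\u0001\u0000".getBytes(StandardCharsets.ISO_8859_1);
        byte[] html = "<script>alert(document.domain)</script>".getBytes(StandardCharsets.UTF_8);
        System.out.println("accepted: " + validate("avatar.gif", gif));
        // xss.html: extension not allowed; xss.gif: bytes are not a GIF; noext: no extension at all.
        for (String name : new String[]{"xss.html", "xss.gif", "noext"}) {
            try {
                validate(name, html);
                System.out.println("BUG: accepted " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Caveat a reviewer should keep in mind: magic-byte sniffing on its own is bypassable with a polyglot (a body that starts with `GIF89a` and continues with HTML passes `sniff`). What stops that polyglot from running as script in the application's origin is the rest of the guard: the object is stored and served with the allow-listed `image/gif` type rather than whatever the client sent, with `Content-Disposition: attachment`, and uploads should be served from a separate origin (a bucket or CDN hostname that shares no cookies with `/api-user`), so a rendered upload can never read the application's session.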
