There is arbitrary file upload vulnerability

[qytxhjb]

RuoYi-Vue/ruoyi-common/src/main/java/com/ruoyi/common/utils/file/FileUploadUtils.java

Line 111 in c3a727b

assertAllowed(file, allowedExtension);

Only the suffix name of the uploaded file is verified here. Users can forge the requested data body and upload any file, which has potential risks to the server. The simulated sending request is as follows:

Request Header:
Content-Type: multipart/form-data; boundary=-------------------------acebdf13572468 Host: localhost Connection: keep-alive Content-Length: 63135 sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110" Accept: application/json, text/plain, */* sec-ch-ua-mobile: ?0 Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImNhNDQ3N2YyLTM5ZDktNGU3Zi1iNjc3LTU5NDhlZTZmMWFiYSJ9.cFEYvyKY9yBnoeR15Li3s8h9B505SIgpGLwhruV0jZjjkmJjjKPxUJz-5eNxeTbu1epWLFO50fXy23zHvTON0Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/user/profile Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: Admin-Token=eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImNhNDQ3N2YyLTM5ZDktNGU3Zi1iNjc3LTU5NDhlZTZmMWFiYSJ9.cFEYvyKY9yBnoeR15Li3s8h9B505SIgpGLwhruV0jZjjkmJjjKPxUJz-5eNxeTbu1epWLFO50fXy23zHvTON0Q

Request Body:
`---------------------------acebdf13572468
Content-Disposition: form-data; name="avatarfile"; filename="demo.png"
Content-Type: application/zip

<@include C:\Users\admin\Desktop\demo.zip@>
---------------------------acebdf13572468--`

[gitloghub]

你好好看看你在说什么？

[yangzongzhuan]

上传头像最新代码有进行限制，
String avatar = FileUploadUtils.upload(RuoYiConfig.getAvatarPath(), file, MimeTypeUtils.IMAGE_EXTENSION);