CVE-2022-29349: XSS Vulnerability · Issue #347 · kekingcn/kkFileView
kkFileView v4.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.
kkFileview v4.0.0 has an XSS vulnerability, which may lead to the leakage of website cookies.
The vulnerable code is at line 59 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java: the url parameter is user-controllable and is output to the page without special characters being filtered.
```java
public String onlinePreview(String url, Model model, HttpServletRequest req) {
    String fileUrl;
    try {
        // url comes straight from the request and is only Base64-decoded, never escaped
        fileUrl = new String(Base64.decodeBase64(url), StandardCharsets.UTF_8);
    } catch (Exception ex) {
        String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
        return otherFilePreview.notSupportedFile(model, errorMsg);
    }
    if (!allowPreview(fileUrl)) {
        // the decoded, unfiltered value is concatenated into the error message rendered on the page
        return otherFilePreview.notSupportedFile(model, "该文件不允许预览:" + fileUrl);
    }
    FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);
    model.addAttribute("file", fileAttribute);
    FilePreview filePreview = previewFactory.get(fileAttribute);
    logger.info("预览文件url:{},previewType:{}", fileUrl, fileAttribute.getType());
    return filePreview.filePreviewHandle(fileUrl, model, fileAttribute);
}
```
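The same data flow in a stand-alone class, as an added example that is not kkFileView's code: the url parameter is Base64-decoded and concatenated into the "not allowed" message, once as the controller does it and once with HTML escaping applied before the value reaches the view. It assumes the JDK `java.util.Base64` decoder in place of the commons-codec one the project uses, and a hand-written `htmlEscape` standing in for whatever encoder or auto-escaping template the view layer should apply.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not kkFileView's code: reproduces the onlinePreview data flow
// (decode the url parameter, build an error message from it) beside a
// hardened form that escapes the untrusted value for an HTML text context.
public class PreviewMessageDemo {

    // Mirrors the vulnerable pattern: decoded input concatenated as-is.
    static String unsafeMessage(String urlParam) {
        String fileUrl = new String(Base64.getDecoder().decode(urlParam), StandardCharsets.UTF_8);
        return "该文件不允许预览:" + fileUrl;
    }

    // Hardened form: escape before the value is handed to the model/view.
    // This escaper is for HTML body text; an attribute or script context
    // needs its own encoder (or a template engine that escapes by context).
    static String safeMessage(String urlParam) {
        String fileUrl = new String(Base64.getDecoder().decode(urlParam), StandardCharsets.UTF_8);
        return "该文件不允许预览:" + htmlEscape(fileUrl);
    }

    // Minimal HTML text-context escaper (assumption: stands in for a library encoder).
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a "url" value that carries markup instead of a file location.
        String param = Base64.getEncoder()
                .encodeToString("<b>not a url</b>".getBytes(StandardCharsets.UTF_8));
        System.out.println(unsafeMessage(param)); // markup reaches the page verbatim
        System.out.println(safeMessage(param));   // markup is rendered as literal text
    }
}
```

Note that `Base64.getDecoder()` rejects malformed input with `IllegalArgumentException`, whereas the commons-codec decoder in the controller is lenient, so the catch block in the real code sees fewer failures than this demo would.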