CVE-2022-45759: The file upload vulnerability exists in the latest version of SENS · Issue #20 · saysky/SENS
SENS v1.0 has a file upload vulnerability.
This project has a file upload function. The corresponding code for this function is located in com.liuyanzhao.sens.web.controller.admin#upload:
```java
@PostMapping(value = "/upload", produces = {"application/json;charset=UTF-8"})
@ResponseBody
// The log description "上传文件" means "upload file".
@SystemLog(description = "上传文件", type = LogTypeEnum.ATTACHMENT)
public Map<String, Object> upload(@RequestParam("file") MultipartFile file,
                                  HttpServletRequest request) {
    // The client-supplied file is passed straight through to uploadAttachment().
    return uploadAttachment(file, request);
}
```
The upload method calls the uploadAttachment() method.
An audit of this code shows that it restricts neither the name of the file nor the final storage path. The path of the final file is “/upload/202/11/+filename”, so the application is open to a file upload attack.
The website provided by the project author is used to demonstrate the vulnerability.
The name of the file being uploaded is changed to “… /… /ind.html” to carry out the attack.
The traversed file was successfully accessed.
Solution: Add a filtering mechanism.
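One way such a filtering mechanism could look, as an added example that is not SENS's own code: the client-supplied name is reduced to its last segment, only an allow-listed extension survives, the stored name is generated by the server, and the resolved path must stay inside the upload directory. The class name `SafeUploadStore`, the extension allow-list, the `upload` base directory and the sample names in `main` are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public class SafeUploadStore {
    // Assumed allow-list; restrict it to what the application really needs to accept.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "pdf");
    private final Path baseDir;

    public SafeUploadStore(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns a storage path for a client-supplied name, or throws if the name is unacceptable. */
    public Path resolveTarget(String clientName) {
        if (clientName == null || clientName.isEmpty() || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed file name");
        }
        // Keep only the last segment; both '/' and '\' count as separators.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String leaf = clientName.substring(cut + 1);
        int dot = leaf.lastIndexOf('.');
        String ext = dot < 0 ? "" : leaf.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: '" + ext + "'");
        }
        // Server-generated name: only the vetted extension comes from the client.
        Path target = baseDir.resolve(UUID.randomUUID() + "." + ext).normalize();
        // Defence in depth: the final path must still be under the upload directory.
        if (!target.startsWith(baseDir)) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        SafeUploadStore store = new SafeUploadStore(Paths.get("upload")); // assumed directory
        // Constructed sample names: two ordinary uploads and two traversal-style names.
        for (String name : new String[] {"photo.PNG", "report.pdf", "../../ind.html", "..\\..\\a.jsp"}) {
            try {
                System.out.println(name + " -> stored as " + store.resolveTarget(name).getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The controller would write the upload to the path returned by `resolveTarget` instead of building a path from the original file name.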