FastApiAdmin Unrestricted File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability allowing unrestricted file uploads has been identified in FastApiAdmin versions through 2.2.0. The issue resides in the Scheduled Task API, specifically in the upload_controller function in the file controller.py. The vulnerability arises because the upload endpoint trusts the client-supplied Content-Type header to determine the allowed file extension, without properly validating or normalizing the file path. As a result, authenticated users holding the module_common:file:upload permission can upload arbitrary files to the server. When combined with the scheduled task APIs, this can lead to remote code execution.
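The following is an added illustration of the weakness described above, not FastApiAdmin's own code and not a reconstruction of its controller; it contrasts a check that trusts the Content-Type header with one that derives the extension from the normalized filename and refuses directory components. ALLOWED_EXTENSIONS, CONTENT_TYPE_TO_EXT, weak_check, safe_filename and validate_upload are hypothetical names.

```python
# Added illustration (not FastApiAdmin's code): filename validation for an
# upload endpoint that keys off the real filename, not the Content-Type header.
from pathlib import PurePosixPath
from typing import Optional

# Hypothetical allow-list of image extensions the endpoint is meant to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}

# Constructed mapping from a client-claimed MIME type to an extension. A check
# built only on this mapping never looks at the filename actually stored.
CONTENT_TYPE_TO_EXT = {
    "image/png": ".png",
    "image/jpeg": ".jpg",
    "image/gif": ".gif",
    "image/svg+xml": ".svg",
}


def weak_check(filename: str, content_type: str) -> bool:
    """The pattern the advisory describes: the header picks the extension,
    so a script uploaded with an image Content-Type passes unchecked."""
    return CONTENT_TYPE_TO_EXT.get(content_type) in ALLOWED_EXTENSIONS


def safe_filename(filename: str) -> Optional[str]:
    """Return a normalized basename that is safe to store, or None to reject.

    - normalizes '\\' to '/' and keeps only the final path component,
      so '../' sequences cannot steer the file out of the upload directory
    - rejects empty names, '.', '..', dot-files and names containing NUL
    - requires the extension of the real name to be on the allow-list
    """
    if not filename or "\x00" in filename:
        return None
    name = PurePosixPath(filename.replace("\\", "/")).name
    if name in ("", ".", "..") or name.startswith("."):
        return None
    ext = PurePosixPath(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return name


def validate_upload(filename: str, content_type: str) -> Optional[str]:
    """Hardened form: Content-Type is ignored for the decision; only the
    normalized filename and its real extension are checked."""
    return safe_filename(filename)
```

This addresses only the upload-side check; the advisory's chain also relies on the scheduled task APIs executing an uploaded file, so that side must independently refuse to run user-supplied content.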

Impact

Exploitation of this vulnerability allows authenticated users to upload malicious files to the server, bypassing extension checks. These files can be executed remotely, leading to unauthorized code execution on the server.

Reproduction

To reproduce this vulnerability, authenticate as a user with the 'module_common:file:upload' permission. Then, upload a malicious Python script disguised as an SVG image through the '/api/v1/common/file/upload' endpoint. After the upload, create a scheduled task that references the uploaded file, appending '.job' to the filename. Finally, trigger the scheduled task using the ID returned during task creation, which will execute the uploaded malicious script.

Added: Feb 23, 2026, 8:18 AM
Updated: Feb 23, 2026, 8:18 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact         10.0
exploitability  5.5
remediation     0.0
relevance       3.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.