FastApiAdmin Unrestricted File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

An unrestricted file upload vulnerability has been identified in FastApiAdmin versions through 2.2.0. The issue resides in the Scheduled Task API, specifically in the upload_file_controller function of controller.py. The upload handler trusts the client-supplied Content-Type header to decide which file extensions are allowed, and it neither validates nor normalizes the file path. As a result, an authenticated user holding the 'module_system:param:upload' permission can upload arbitrary files to the server. When such an uploaded file is combined with the scheduled task APIs, the result can be remote code execution.
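The defensive counterpart to the flaw described above, as an added example that is not FastApiAdmin's code: the decision is made from the sanitized filename, a fixed extension allow-list and the file's leading bytes, and the Content-Type header is deliberately ignored. The allow-list, the magic-byte table and the function names are assumptions for this example.

```python
"""Added example, not FastApiAdmin's code: an upload check that decides from the
sanitized filename and a fixed allow-list, never from the Content-Type header."""
import posixpath
import re
from typing import Optional

# Assumed policy for this example: only these extensions may be stored.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".csv"}
# Leading bytes expected for the binary types above (constructed lookup table).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_filename(raw: str) -> Optional[str]:
    """Reduce a client-supplied name to one safe path component, or None."""
    # Normalise both separator styles, then keep only the final component so
    # '..\\..' or 'a/../b' can never escape the upload directory.
    name = posixpath.basename(raw.replace("\\", "/"))
    if not name or name in (".", "..") or not _SAFE_NAME.match(name):
        return None
    if name.count(".") != 1:  # reject 'x.png.py' style double extensions
        return None
    return name


def is_upload_allowed(raw_filename: str, content_type: str, head: bytes) -> bool:
    """Accept only when the name, its extension and the leading bytes agree.

    content_type is intentionally unused: the header is chosen by the client
    and must not influence which extensions are accepted.
    """
    name = safe_filename(raw_filename)
    if name is None:
        return False
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    expected = MAGIC.get(ext)
    # Types without a known signature (e.g. .csv) pass on extension alone.
    return expected is None or head.startswith(expected)
```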

Impact

Exploitation of this vulnerability allows unrestricted file uploads, which can be leveraged to execute arbitrary code on the server, in particular when the uploaded file is processed by the application's task scheduling system.

Reproduction

To reproduce this vulnerability, authenticate as a user with the 'module_system:param:upload' permission. Then upload a file through the '/api/v1/common/file/upload' endpoint, spoofing the Content-Type header to bypass the extension checks. After the upload, use the application's scheduled task API to trigger execution of the uploaded file, thereby achieving remote code execution.

Added: Feb 23, 2026, 8:18 AM
Updated: Feb 23, 2026, 8:18 AM

Vulnerability Rating (Custom Algorithm)

  spread           0.0
  impact           2.5
  exploitability   6.6
  remediation      0.0
  relevance        3.1
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.