FastApiAdmin Unrestricted File Upload Vulnerability in Scheduled Task API

Vulnerability

An unrestricted file upload vulnerability has been identified in FastApiAdmin versions through 2.2.0. The issue resides in the Scheduled Task API, specifically within the user_avatar_upload_controller function in the file /backend/app/api/v1/module_system/user/controller.py. The vulnerability arises because the file upload mechanism trusts the client-supplied Content-Type header to determine which file extensions are allowed, and performs no proper validation or normalization of file paths. As a result, authenticated attackers can upload arbitrary files to the server. Combined with the scheduled task APIs, this can lead to remote code execution.
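
The validation the advisory describes as missing, shown as an added Python example that is not FastApiAdmin's own controller code (the function names, the extension allowlist, the magic-byte table and the size limit are assumptions): the extension is taken from the filename rather than from Content-Type, the file's leading bytes must agree with that extension, and the stored name is generated server-side so no path component from the request survives. The weak pattern the advisory describes is shown next to the hardened one for contrast.

```python
"""
Hardened avatar-upload validation (illustrative; not FastApiAdmin's code).

Decision inputs are the filename extension and the file's leading bytes.
The client's Content-Type header is accepted only for logging and never
influences what is stored. Stored names are server-generated.
"""
import os
import uuid
from typing import Optional

# Assumed allowlist: extensions we will store, each mapped to the magic bytes
# a file of that type must start with. SVG is deliberately absent: it is XML
# that can carry script, so a safe avatar pipeline rasterizes or rejects it.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

MAX_AVATAR_BYTES = 2 * 1024 * 1024  # constructed limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to return."""


def weak_extension_from_content_type(content_type: str) -> str:
    """The pattern the advisory warns about (illustrative, not the project's code):
    the client's Content-Type chooses the extension, so any header value is
    taken at face value. 'image/svg+xml' -> '.svg', 'text/plain' -> '.plain'."""
    return "." + content_type.split("/")[-1].split("+")[0]


def validate_avatar(original_filename: str, data: bytes,
                    content_type: Optional[str] = None) -> str:
    """Return a server-generated filename for a validated image, or raise UploadRejected.

    content_type plays no part in the decision; it is only available for logging.
    """
    # 1. Strip any directory component the client sent ("../../x.png", "C:\\x.png").
    basename = os.path.basename(original_filename.replace("\\", "/"))
    # 2. Take the extension from the filename, lower-cased, and require it to be allowlisted.
    ext = os.path.splitext(basename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # 3. Bound the size before inspecting contents.
    if len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("file too large")
    # 4. The bytes must begin like the image type the extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("file content does not match its extension")
    # 5. Never reuse the client's name: a random name removes traversal and overwrite tricks.
    return f"{uuid.uuid4().hex}{ext}"


def save_avatar(upload_dir: str, original_filename: str, data: bytes) -> str:
    """Write validated bytes under upload_dir and return the absolute path.
    The realpath comparison guards against the resolved destination leaving
    the intended root (e.g. via a symlinked upload directory)."""
    root = os.path.realpath(upload_dir)
    stored = validate_avatar(original_filename, data)
    dest = os.path.realpath(os.path.join(root, stored))
    if os.path.dirname(dest) != root:
        raise UploadRejected("resolved path escapes upload directory")
    os.makedirs(root, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header versus a text file with a spoofed header.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("stored as", validate_avatar("me.PNG", png_head, content_type="image/png"))
    for name, blob, ctype in [
        ("notes.txt", b"just text", "image/svg+xml"),      # spoofed Content-Type, wrong ext
        ("../../etc/x.png", b"plain text", "image/png"),   # traversal name, wrong bytes
        ("logo.svg", b"<svg></svg>", "image/svg+xml"),     # SVG not in the allowlist
    ]:
        try:
            validate_avatar(name, blob, content_type=ctype)
        except UploadRejected as e:
            print(f"rejected {name!r}: {e}")
```

The contrast to keep in mind: weak_extension_from_content_type would happily turn a spoofed "image/svg+xml" header into an .svg extension regardless of the filename or bytes, while validate_avatar makes the same request fail at the allowlist step, and a traversal-style filename loses its directory component before anything is written.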

Impact

Exploitation of this vulnerability allows authenticated users to upload arbitrary files to the server, bypassing extension checks. The uploaded file can then be executed on the server, leading to remote code execution, especially when combined with the scheduled task APIs.

Reproduction

To reproduce this vulnerability, authenticate with a user account and upload a file through the /api/v1/system/user/current/avatar/upload endpoint. The upload should be a text file disguised as an SVG image, spoofing the Content-Type header to bypass the extension checks. After uploading, the filename returned in the upload response can be used to verify the upload via an unrestricted file download vulnerability.

Added: Feb 23, 2026, 9:25 AM
Updated: Feb 23, 2026, 9:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.