# [Security] Direct SSRF via uploadImgByHttp Endpoint in jeecgboot_jeecBoot #9555

## Vulnerability Overview

A direct Server-Side Request Forgery (SSRF) vulnerability exists in the `/sys/common/uploadImgByHttp` endpoint of `jeecgboot_jeecBoot`. This vulnerability allows an unauthenticated attacker to force the server to initiate HTTP requests to arbitrary external or internal resources. Since the file type filtering (`SvrFileTypeFilter.checkUploadFileType`) is executed only after the external resource has been fully downloaded, attackers can exploit this flaw to perform internal network scanning, enumerate local services, or steal sensitive cloud metadata credentials.

## Affected Scope

* **Affected Versions**:

```java
uploadImgByHttp(@RequestBody JSONObject jsonObject, HttpServletRequest request){
    String fileUrl = oConvertUtils.getString(jsonObject.get("fileUrl"));
    String filename = oConvertUtils.getString(jsonObject.get("filename"));
    String bizPath = oConvertUtils.getString(jsonObject.get("bizPath"));

    // NO URL VALIDATION HERE!
    MultipartFile file = HttpFileToMultipartFileUtil.httpFileToMultipartFile(fileUrl, filename);

    // File type validation happens AFTER download - too late!
    SvrFileTypeFilter.checkUploadFileType(file, bizPath);

    // Save file to server
    if(CommonConstant.UPLOAD_TYPE_LOCAL.equals(uploadType)){
        savePath = this.uploadLocal(file,bizPath);
    }
    return Result.OK(savePath);
}
```

**Utility Forwarding - HttpFileToMultipartFileUtil.java:28-31**

```java
public static MultipartFile httpFileToMultipartFile(String fileUrl, String filename) throws Exception {
    byte[] bytes = downloadImageData(fileUrl); // IMMEDIATE SSRF
    return convertByteToMultipartFile(bytes, filename);
}
```

**The Sink - HttpFileToMultipartFileUtil.java:38-66**

```java
private static byte[] downloadImageData(String fileUrl) throws IOException {
    URL url = new URL(fileUrl);
    HttpURLConnection connection = (HttpURLConnection)url.openConnection();
    connection.setRequestMethod("GET");
    connection.setConnectTimeout(5000);
    connection.setReadTimeout(10000);
    connection.setRequestProperty("User-Agent", "Mozilla/5.0...");
    connection.setRequestProperty("Accept", "image/*");

    int responseCode = connection.getResponseCode();

    try (InputStream inputStream = connection.getInputStream();
         ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
        byte[] buffer = new byte[4096];
        int bytesRead;
        while ((bytesRead = inputStream.read(buffer)) != -1) {
            outputStream.write(buffer, 0, bytesRead);
        }
        return outputStream.toByteArray();
    }
}
```
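For comparison with the sink above, here is a hardened shape of `downloadImageData` as an added illustration; it is not jeecgboot code and the class name `SafeImageFetcher` and the `MAX_BYTES` limit are assumptions. It moves the decision before any connection is opened: only `http`/`https`, no userinfo, every resolved address must be public, redirects are not followed, and the `Content-Type` is checked before the body is read.

```java
import java.io.*;
import java.net.*;
public final class SafeImageFetcher {
    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed upload size limit

    // Fails closed on any URL that would reach the host itself or a private network.
    static void validateTarget(String fileUrl) throws IOException {
        URI uri;
        try {
            uri = new URI(fileUrl);
        } catch (URISyntaxException e) {
            throw new IOException("malformed fileUrl");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IOException("scheme not allowed"); // blocks file:, jar:, ftp: ...
        }
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            throw new IOException("unsupported URL form");
        }
        // Check every address the name resolves to; a single internal address rejects the request.
        for (InetAddress a : InetAddress.getAllByName(uri.getHost())) {
            if (a.isLoopbackAddress() || a.isSiteLocalAddress() || a.isLinkLocalAddress() || a.isAnyLocalAddress()) {
                throw new IOException("target resolves to a non-public address");
            }
        }
    }

    public static byte[] downloadImageData(String fileUrl) throws IOException {
        validateTarget(fileUrl);                       // runs before any connection is opened
        HttpURLConnection c = (HttpURLConnection) new URL(fileUrl).openConnection();
        c.setInstanceFollowRedirects(false);           // a redirect must not bypass the check above
        c.setRequestMethod("GET");
        c.setConnectTimeout(5000);
        c.setReadTimeout(10000);
        String type = c.getContentType();             // headers only; the body is not read yet
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK || type == null
                || !type.toLowerCase().startsWith("image/")) {
            throw new IOException("not a 200 image response");
        }
        try (InputStream in = c.getInputStream(); ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[4096]; int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
                if (out.size() > MAX_BYTES) throw new IOException("response too large");
            }
            return out.toByteArray();
        }
    }
}
```

Two caveats for anyone adapting this: the `InetAddress` predicates do not cover every non-public range (IPv6 unique-local addresses, for example), so a production check should add explicit CIDR tests, and a name that is re-resolved between `validateTarget` and `openConnection` can still change, so an allowlist of permitted hosts is the more robust control.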