
Lack of Backend Validation for Uploaded Image Size and Type #22

@Xiqinger

Description


There is no proper validation of uploaded image files in the backend.
While there is validation in the frontend component "index.vue", it is crucial to perform server-side validation as well. This vulnerability allows attackers to upload files of any type and size, potentially leading to XSS attacks or resource exhaustion, which can result in DDoS attacks.

Two interfaces are affected:

1. "/upload/element" com.yami.shop.admin.controller.FileController.uploadElementFile
2. "/upload/element" com.yami.shop.admin.controller.FileController.uploadTinymceEditorImages

It is recommended to implement server-side validation for uploaded image files in String com.yami.shop.service.impl.AttachFileServiceImpl.uploadFile(MultipartFile file). This includes checking the file size and verifying that the file type is allowed (e.g., image/jpeg, image/png). By implementing these validations in the backend, you can prevent the upload of malicious files, mitigate the risk of XSS attacks, and prevent resource consumption that could lead to DDoS attacks.
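The kind of server-side check the report asks for, as an added example in plain Java that is not code from the project or from this issue: the 2 MiB limit, the allowed-type set and the validate method are assumptions, and the input byte arrays are constructed samples. It rejects on size and on an allow-list of types, and confirms the declared type against the file's magic bytes rather than trusting the client-supplied Content-Type or extension.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;

// Added illustration, not project code: checks an upload service such as
// AttachFileServiceImpl.uploadFile could run before storing a file.
public final class ImageUploadValidator {
    static final long MAX_BYTES = 2L * 1024 * 1024;           // assumed limit: 2 MiB
    static final Set<String> ALLOWED = Set.of("image/jpeg", "image/png");

    // Leading bytes of each allowed format. The client's Content-Type header and
    // file extension are attacker-controlled, so the content itself is inspected.
    static final Map<String, byte[]> MAGIC = Map.of(
        "image/jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "image/png",  new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});

    /** Returns null when the upload is acceptable, otherwise the rejection reason. */
    public static String validate(byte[] content, String declaredType) {
        if (content == null || content.length == 0) return "empty file";
        // With a MultipartFile, compare file.getSize() to MAX_BYTES before reading
        // the bytes at all, so an oversized upload is never buffered in memory.
        if (content.length > MAX_BYTES) return "file exceeds " + MAX_BYTES + " bytes";
        if (declaredType == null || !ALLOWED.contains(declaredType)) return "content type not allowed";
        byte[] expected = MAGIC.get(declaredType);
        if (content.length < expected.length
                || !Arrays.equals(Arrays.copyOf(content, expected.length), expected)) {
            return "file content does not match declared type " + declaredType;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real uploads.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] html = "<html>not an image</html>".getBytes(StandardCharsets.UTF_8);
        System.out.println(validate(png, "image/png"));          // null: accepted
        System.out.println(validate(html, "image/png"));         // rejected: bytes are not PNG
        System.out.println(validate(html, "text/html"));         // rejected: type not allowed
        System.out.println(validate(new byte[3 * 1024 * 1024], "image/png")); // rejected: too large
    }
}
```

In a Spring Boot deployment this complements, rather than replaces, a request-level cap such as the spring.servlet.multipart.max-file-size property, which stops oversized bodies before they reach the controller.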
