I've been doing source code analysis of certain types of public repos for specific classes of problems, and I found something in your repo from my research that you may want to take a look at.
Note: This research has taken some time to complete, so the commit I'm referencing is a few weeks old. You may have already fixed this issue in a later commit. If so, feel free to ignore/close. Just wanted to give you a heads up as a courtesy in case you found it helpful.
Specifically:
laravel-vue-admin/src/Controllers/HandleController.php
Line 53 in d0c7fbf
Laravel's file upload storeAs() function can be vulnerable to an arbitrary file upload flaw if the file name and path arguments are not properly validated and sanitized. This means an attacker can potentially write files to places outside the intended location or even overwrite critical files on the server. Depending on permissions, this may provide a path for remote code execution. See: https://cheatsheetseries.owasp.org/cheatsheets/Laravel_Cheat_Sheet.html#unrestricted-file-uploads for more details on how to improve validation of file names and paths.
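As an added illustration (not code from the repository named above), the pattern the report describes is shown beside a hardened version; the controller name, request field names, upload directory and disk are assumptions.

```php
<?php
// Added example, not the project's own code. Controller, field names, directory and disk are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Str;

class UploadController extends Controller
{
    // Allowlist of extensions the application actually needs to accept.
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

    // Weak pattern: a client-controlled directory and file name flow straight into storeAs(),
    // so the storage path is whatever the request says it is.
    public function uploadInsecure(Request $request)
    {
        $file = $request->file('file');
        return $file->storeAs($request->input('dir'), $file->getClientOriginalName(), 'public');
    }

    // Hardened version: fixed directory, server-generated name, extension allowlist.
    public function upload(Request $request)
    {
        $request->validate([
            'file' => ['required', 'file', 'max:2048', 'mimes:jpg,jpeg,png,gif,pdf'],
        ]);
        $file = $request->file('file');

        // UploadedFile::extension() derives the extension from the detected MIME type,
        // not from the client-supplied name; still check it against the allowlist.
        $ext = strtolower($file->extension());
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            abort(422, 'Unsupported file type');
        }

        // Server-chosen name: no client input reaches the path at all.
        $name = Str::random(40) . '.' . $ext;

        // Fixed directory on a fixed disk; neither is taken from the request.
        $path = $file->storeAs('uploads', $name, 'public');

        return response()->json(['path' => $path]);
    }
}
```

The key change is that the stored path no longer contains any request-controlled component, which removes the traversal and overwrite concern regardless of how the name was spelled.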