Improper file extension validation in file upload feature of WSO2 API Manager.
- WSO2 API Manager
WSO2 API Manager Publisher provides certain functionalities that can be used to upload any file type as the API documentation is the expected behaviour. This helps API publishers market their APIs.
Furthermore, only the authenticated users who have the permission to publish an API would be able to upload the file. The uploaded API documentation will also be stored in Registry (Database), and will not be persisted to the file system at any point.
Due to the aforementioned reasons, WSO2 does not consider this as a threat in the context of WSO2 API Manager. This feature has been intentionally provided to allow WSO2 API Manager Publisher users, who have the required permissions, to carry out uploading API documentation of any types.