Java-based web applications that accept file uploads must ensure that an adversary cannot upload or transfer malicious files. If a restricted file containing code is executed by the target system, it can result in misuse of privileges. For example, an application that permits HTML files to be uploaded could allow malicious code to be executed - an attacker can submit a valid HTML file with a cross-site-scripting payload that will execute in the absence of an output-escaping routine. For this reason, many applications restrict the type of files that can be uploaded.
It may also be possible to upload files with dangerous extensions such as .exe and .sh which may cause arbitrary code execution on server-side applications.
...