# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** Python

- Prevalence: Hoch Häufig ausgenutzt
- Impact: Hoch 3 Regeln mit hohem Schweregrad
- Prevention: Dokumentiert 3 Fix-Beispiele

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

Präventionsstrategien für Unrestricted File Upload basierend auf 1 Shoulder-Erkennungsregeln.

### Python

Validate file extension, MIME type, and size; use secure_filename() for paths

## Warning Signs

- [HIGH] file uploads without proper validation of file type, size, or content

## Consequences

- Nicht autorisierten Code ausführen
- Anwendungsdaten lesen
- Anwendungsdaten ändern

## Mitigations

- Dateitypen serverseitig prüfen, nicht nur anhand der Erweiterung
- Hochgeladene Dateien außerhalb des Web-Roots speichern
- Allowlist für erlaubte Dateitypen verwenden
- Hochgeladene Dateien umbenennen, um ihre Ausführung zu verhindern

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content.
Malicious uploads can lead to code execution, path traversal, or denial of service.
Always validate file extensions, MIME types, content, and size.
  - Remediation: Validate file extension, MIME type, and size; use secure_filename() for the filename.

```python
from flask import request, jsonify
from werkzeug.utils import secure_filename
import magic

ALLOWED = {'png', 'jpg', 'pdf'}

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    ext = file.filename.rsplit('.', 1)[-1].lower()
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400

    filename = secure_filename(file.filename)
    file.save(f'uploads/{filename}')
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload