Unrestricted Upload of File with Dangerous Type

  func upload(w http.ResponseWriter, r *http.Request) {
-     file, header, _ := r.FormFile("file")
-     defer file.Close()
-     dst, _ := os.Create("/var/www/uploads/" + header.Filename)
+     r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024)
+     file, header, err := r.FormFile("file")
+     if err != nil {
+         http.Error(w, "Invalid file", 400)
+         return
+     }
+     defer file.Close()
+     ext := filepath.Ext(header.Filename)
+     allowed := map[string]bool{".jpg": true, ".png": true, ".pdf": true}
+     if !allowed[ext] {
+         http.Error(w, "File type not allowed", 400)
+         return
+     }
+     safeFilename := uuid.New().String() + ext
+     dst, _ := os.Create(filepath.Join("/var/uploads", safeFilename))
      defer dst.Close()
      io.Copy(dst, file)
  }
  

- const upload = multer({ dest: 'uploads/' });
+ const upload = multer({
+   dest: 'uploads/',
+   fileFilter: (req, file, cb) => {
+     const allowed = ['image/jpeg', 'image/png', 'image/gif'];
+     if (allowed.includes(file.mimetype)) {
+       cb(null, true);
+     } else {
+       cb(new Error('Invalid file type'), false);
+     }
+   }
+ });
  app.post('/upload', upload.single('file'), handler);
  

- from flask import request
- 
- @app.route('/upload', methods=['POST'])
- def upload():
-     file = request.files['file']
-     file.save(f'uploads/{file.filename}')
-     return {'status': 'uploaded'}
+ from flask import request, jsonify
+ from werkzeug.utils import secure_filename
+ 
+ ALLOWED = {'png', 'jpg', 'pdf'}
+ 
+ @app.route('/upload', methods=['POST'])
+ def upload():
+     file = request.files['file']
+     ext = file.filename.rsplit('.', 1)[-1].lower()
+     if ext not in ALLOWED:
+         return jsonify({'error': 'Invalid type'}), 400
+     filename = secure_filename(file.filename)
+     file.save(f'uploads/{filename}')
+     return jsonify({'filename': filename})