# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** Python

- Prevalence: Alta Frecuentemente explotada
- Impact: Alto 3 reglas de severidad alta
- Prevention: Documentada 3 ejemplos de corrección

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

Estrategias de prevención para Unrestricted File Upload basadas en 1 reglas de detección de Shoulder.

### Python

Validate file extension, MIME type, and size; use secure_filename() for paths

## Warning Signs

- [HIGH] file uploads without proper validation of file type, size, or content

## Consequences

- Ejecutar código no autorizado
- Leer datos de la aplicación
- Modificar datos de la aplicación

## Mitigations

- Valida los tipos de archivo en el servidor, no solo por la extensión
- Almacena los archivos subidos fuera de la raíz web
- Usa una lista de permitidos para los tipos de archivo aceptados
- Renombra los archivos subidos para evitar su ejecución

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content.
Malicious uploads can lead to code execution, path traversal, or denial of service.
Always validate file extensions, MIME types, content, and size.
  - Remediation: Validate file extension, MIME type, and size; use secure_filename() for the filename.

```python
from flask import request, jsonify
from werkzeug.utils import secure_filename
import magic

ALLOWED = {'png', 'jpg', 'pdf'}

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    ext = file.filename.rsplit('.', 1)[-1].lower()
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400

    filename = secure_filename(file.filename)
    file.save(f'uploads/{filename}')
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload