# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** JavaScript

- Prevalence: Élevée Fréquemment exploitée
- Impact: Élevé 3 règles de sévérité élevée
- Prevention: Documentée 3 exemples de correctifs

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

Stratégies de prévention pour Unrestricted File Upload basées sur 1 règles de détection Shoulder.

### JavaScript

Add fileFilter to multer to validate uploaded file types

## Warning Signs

- [HIGH] Multer middleware at ... lacks fileFilter validation
- [HIGH] multer file upload middleware used without proper fileFilter validation

## Consequences

- Exécuter du code non autorisé
- Lecture des données de l'application
- Modification des données de l'application

## Mitigations

- Validez les types de fichiers côté serveur, et pas uniquement par l'extension
- Stockez les fichiers téléversés en dehors de la racine web
- Utilisez une liste d'autorisation pour les types de fichiers permis
- Renommez les fichiers téléversés pour empêcher leur exécution

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Unrestricted File Upload** [HIGH]: Detects multer file upload middleware used without proper fileFilter validation.
Without fileFilter, attackers can upload any file type including executables,
web shells, and other malicious files.
  - Remediation: Add fileFilter to validate uploaded file types:

const upload = multer({
  fileFilter: (req, file, cb) => {
    const allowed = ['image/jpeg', 'image/png'];
    if (allowed.includes(file.mimetype)) {
      cb(null, true);
    } else {
      cb(new Error('Invalid file type'), false);
    }
  }
});

### Typescript (1 rules)

- **Unrestricted File Upload** [HIGH]: Detects multer file upload middleware used without proper fileFilter validation.
Without fileFilter, attackers can upload any file type including executables,
web shells, and other malicious files.
  - Remediation: Add fileFilter to validate uploaded file types:

const upload = multer({
  fileFilter: (req, file, cb) => {
    const allowed = ['image/jpeg', 'image/png'];
    if (allowed.includes(file.mimetype)) {
      cb(null, true);
    } else {
      cb(new Error('Invalid file type'), false);
    }
  }
});