# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** Python

- Prevalence: Élevée Fréquemment exploitée
- Impact: Élevé 3 règles de sévérité élevée
- Prevention: Documentée 3 exemples de correctifs

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

Stratégies de prévention pour Unrestricted File Upload basées sur 1 règles de détection Shoulder.

### Python

Validate file extension, MIME type, and size; use secure_filename() for paths

## Warning Signs

- [HIGH] file uploads without proper validation of file type, size, or content

## Consequences

- Exécuter du code non autorisé
- Lecture des données de l'application
- Modification des données de l'application

## Mitigations

- Validez les types de fichiers côté serveur, et pas uniquement par l'extension
- Stockez les fichiers téléversés en dehors de la racine web
- Utilisez une liste d'autorisation pour les types de fichiers permis
- Renommez les fichiers téléversés pour empêcher leur exécution

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content.
Malicious uploads can lead to code execution, path traversal, or denial of service.
Always validate file extensions, MIME types, content, and size.
  - Remediation: Validate file extension, MIME type, and size; use secure_filename() for the filename.

```python
from flask import request, jsonify
from werkzeug.utils import secure_filename
import magic

ALLOWED = {'png', 'jpg', 'pdf'}

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    ext = file.filename.rsplit('.', 1)[-1].lower()
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400

    filename = secure_filename(file.filename)
    file.save(f'uploads/{filename}')
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload