# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** Python

- Prevalence: High (frequently exploited)
- Impact: High (3 high-severity rules)
- Prevention: Documented (3 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

Prevention measures for Unrestricted File Upload, based on 1 Shoulder detection rule.

### Python

Validate file extension, MIME type, and size; use secure_filename() for paths.

## Warning Signs

- [HIGH] File uploads without proper validation of file type, size, or content

## Consequences

- Execution of unauthorized code
- Reading of application data
- Modification of application data

## Mitigations

- Validate the file type on the server side, not only by its extension
- Store uploaded files outside the web root
- Use an allow list for permitted file types
- Rename uploaded files to prevent execution

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rule)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content. Malicious uploads can lead to code execution, path traversal, or denial of service. Always validate file extensions, MIME types, content, and size.
  - Remediation: Validate file extension, MIME type, and size; use secure_filename() for the filename.
```python
import os

from flask import Flask, request, jsonify
from werkzeug.utils import secure_filename
import magic  # python-magic: sniffs the real content type from the bytes

app = Flask(__name__)
app.config['MAX_CONTENT_LENGTH'] = 5 * 1024 * 1024  # size limit: reject request bodies over 5 MiB

# Allow list: each permitted extension paired with the MIME type its content must have
ALLOWED = {'png': 'image/png', 'jpg': 'image/jpeg', 'pdf': 'application/pdf'}

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files.get('file')
    if file is None or not file.filename:
        return jsonify({'error': 'No file'}), 400
    ext = file.filename.rsplit('.', 1)[-1].lower() if '.' in file.filename else ''
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400
    # Check the content, not just the name: the sniffed MIME type must match the extension
    detected = magic.from_buffer(file.stream.read(2048), mime=True)
    file.stream.seek(0)
    if detected != ALLOWED[ext]:
        return jsonify({'error': 'Content does not match type'}), 400
    filename = secure_filename(file.filename)  # strips path separators and unsafe characters
    if not filename:
        return jsonify({'error': 'Invalid filename'}), 400
    file.save(os.path.join('uploads', filename))
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload
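The remediation and mitigation lists above describe four controls (server-side type validation by content, an extension allow list, a size limit, and renaming files so the client-supplied name is never used on disk). The following is an added example, not Shoulder's rule code or the page's own snippet, that implements all four as a framework-independent validator so the logic can be unit-tested without Flask. It uses no third-party libraries: the content check matches the file's leading bytes against known signatures for the allowed types instead of calling python-magic, and `sanitize_filename` is a minimal stand-in for werkzeug's `secure_filename`. `UPLOAD_DIR`, `MAX_BYTES`, the signature table and all sample inputs are constructed for this example.

```python
"""Server-side upload validation for CWE-434 (added example).

Controls implemented: extension allow list, content (magic-byte) check,
size limit, filename sanitisation, and a random stored name so the
client-supplied name never reaches the filesystem.
"""
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Allow list: permitted extension -> file signatures its content must start with.
# (PNG, JPEG and PDF signatures; constructed table for this example.)
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024          # assumed size limit for this example
UPLOAD_DIR = "/var/app/uploads"       # assumed storage location, outside the web root

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


class UploadRejected(ValueError):
    """Raised with a reason whenever an upload fails a control."""


@dataclass
class AcceptedUpload:
    original_name: str  # sanitised client name, for display/metadata only
    stored_name: str    # random name actually used on disk
    extension: str
    size: int


def sanitize_filename(name: str) -> str:
    """Drop directory components and replace characters outside a conservative
    set (minimal stand-in for werkzeug.utils.secure_filename)."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return _UNSAFE_CHARS.sub("_", name).strip("._")


def validate_upload(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> AcceptedUpload:
    """Apply every control; return metadata for an accepted file or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected(f"file exceeds {max_bytes} bytes")
    safe = sanitize_filename(filename)
    if "." not in safe:
        raise UploadRejected("missing extension")
    ext = safe.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # Trust bytes, not names or client headers: content must match the claimed type.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match declared type")
    stored = f"{secrets.token_hex(16)}.{ext}"  # random name: nothing attacker-chosen on disk
    return AcceptedUpload(original_name=safe, stored_name=stored, extension=ext, size=len(data))


def rejection_reason(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> Optional[str]:
    """Convenience wrapper: the rejection reason, or None when the upload is accepted."""
    try:
        validate_upload(filename, data, max_bytes)
    except UploadRejected as exc:
        return str(exc)
    return None


def stored_path(accepted: AcceptedUpload, upload_dir: str = UPLOAD_DIR) -> str:
    """Full on-disk path; defence in depth confirms it stays inside upload_dir."""
    base = os.path.abspath(upload_dir)
    path = os.path.abspath(os.path.join(base, accepted.stored_name))
    if os.path.commonpath([base, path]) != base:
        raise UploadRejected("path escapes upload directory")
    return path


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG header
    accepted = validate_upload("holiday photo.png", sample_png)
    print(accepted, stored_path(accepted))
    print(rejection_reason("photo.png", b"print('hello')"))  # content/extension mismatch
```

The double-extension case (a name ending in `.png` whose content is a valid PNG) is accepted, but because the stored name is random and the directory sits outside the web root, neither the original name nor its extension chain can influence how the server later handles the file.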