# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** Go

- Prevalence: 높음 자주 악용됨
- Impact: 높음 3개의 높은 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 Unrestricted File Upload 예방 전략.

### Go

Validate file type, enforce size limits, and use generated filenames for uploads

## Warning Signs

- [HIGH] File upload lacks proper validation

## Consequences

- 승인되지 않은 코드 실행
- 애플리케이션 데이터 읽기
- 애플리케이션 데이터 수정

## Mitigations

- 파일 유형은 확장자만이 아니라 서버에서 검증하세요
- 업로드된 파일은 웹 루트 외부에 저장하세요
- 허용되는 파일 유형에 대해 허용 목록을 사용하세요
- 업로드된 파일은 실행을 방지하기 위해 이름을 바꾸세요

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Unsafe File Upload** [HIGH]: File upload processed without type validation, size limits, or filename sanitization.
  - Remediation: Validate file type, limit size, and use a generated filename.

```go
r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB limit
file, header, _ := r.FormFile("file")

ext := filepath.Ext(header.Filename)
safeFilename := uuid.New().String() + ext
dst, _ := os.Create(filepath.Join("/var/uploads", safeFilename))
io.Copy(dst, file)
```

Learn more: https://shoulder.dev/learn/go/cwe-434/unsafe-file-upload