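# Unsafe File Upload

- ID: go-unsafe-file-upload
- Severity: HIGH
- CWE: Unrestricted File Upload (CWE-434)
- Languages: Go

## Description

File upload processed without type validation, size limits, or filename sanitization.

## Detection Message

File upload lacks proper validation

## Remediation

Validate file type, limit size, and use a generated filename. The fragment below runs inside an HTTP handler, where `w` and `r` are the handler's arguments. Errors from `os.Create` and `io.Copy` need the same handling as the `r.FormFile` error.

```go
r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB limit
file, header, err := r.FormFile("file")
if err != nil { // missing field or body over the limit; header is nil here
	http.Error(w, "invalid upload", http.StatusBadRequest)
	return
}
defer file.Close()
ext := filepath.Ext(header.Filename) // client-controlled; check it against an allowlist
safeFilename := uuid.New().String() + ext // generated name, client-supplied name discarded
dst, _ := os.Create(filepath.Join("/var/uploads", safeFilename))
defer dst.Close()
io.Copy(dst, file)
```

Learn more: https://shoulder.dev/learn/go/cwe-434/unsafe-file-upload

## Related Rules

- **Unrestricted File Upload** [HIGH]
- **Insecure File Upload** [HIGH]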
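
The "validate file type" step of the remediation, as an added example that is not part of the rule's own documentation: the extension must be allowlisted and must agree with the type sniffed from the file's first bytes. The helper name `checkUpload`, the `allowed` policy and the sample inputs are assumptions, and `crypto/rand` stands in for the `uuid` package so the block needs only the standard library.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"path/filepath"
	"strings"
)

// allowed is an assumed policy: accepted extension -> content type it must sniff as.
var allowed = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".pdf": "application/pdf",
}

// checkUpload (hypothetical helper) sniffs up to 512 bytes, requires the client's
// extension to be allowlisted and to match the sniffed type, and returns a random
// storage name plus a reader that replays the sniffed bytes before the rest.
func checkUpload(clientName string, r io.Reader) (string, io.Reader, error) {
	head := make([]byte, 512)
	n, err := io.ReadFull(r, head)
	if err != nil && err != io.EOF && !errors.Is(err, io.ErrUnexpectedEOF) {
		return "", nil, err
	}
	head = head[:n]
	ctype := http.DetectContentType(head) // inspects content, not client headers
	ext := strings.ToLower(filepath.Ext(clientName))
	if want, ok := allowed[ext]; !ok || want != ctype {
		return "", nil, fmt.Errorf("rejected: extension %q, sniffed type %q", ext, ctype)
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	// Only the allowlisted extension survives; the client's path and base name do not.
	return hex.EncodeToString(id) + ext, io.MultiReader(bytes.NewReader(head), r), nil
}

func main() {
	png := "\x89PNG\r\n\x1a\n" + "constructed sample bytes" // constructed input
	cases := [][2]string{{"photo.png", png}, {"../../x.PNG", png},
		{"shell.php", "<?php echo 1; ?>"}, {"fake.png", "<html><body>x</body></html>"}}
	for _, c := range cases {
		name, _, err := checkUpload(c[0], strings.NewReader(c[1]))
		fmt.Printf("%-12s name=%q err=%v\n", c[0], name, err)
	}
}
```

In a handler, pass the `file` returned by `r.FormFile` as the reader and copy the returned reader to the destination, so the sniffed bytes are not lost.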