# Unrestricted File Upload

- ID: javascript-file-upload-validation
- Severity: HIGH
- CWE: Unrestricted File Upload (CWE-434)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects multer file upload middleware used without proper `fileFilter` validation. Without `fileFilter`, attackers can upload any file type, including executables, web shells, and other malicious files.

## Detection Message

Multer middleware at {location} lacks fileFilter validation

## Remediation

Add `fileFilter` to validate uploaded file types:

```javascript
const multer = require('multer');

const upload = multer({
  // Called once per uploaded file, before it is stored.
  fileFilter: (req, file, cb) => {
    // Allowlist of accepted MIME types.
    const allowed = ['image/jpeg', 'image/png'];
    if (allowed.includes(file.mimetype)) {
      cb(null, true); // accept the file
    } else {
      cb(new Error('Invalid file type'), false); // reject the upload
    }
  }
});
```

## Related Rules

- **Unsafe File Upload** [HIGH]
- **Insecure File Upload** [HIGH]
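
A stricter form of the Remediation allowlist, as an added example that is not part of the original rule page: `file.mimetype` and `file.originalname` are both supplied by the client, so the filter also requires a matching extension, and the stored bytes are compared against the declared type afterwards. The names `ALLOWED`, `sniffType` and `contentMatches` are illustrative, and `contentMatches` assumes multer's memory storage so that `file.buffer` is available.

```javascript
// Added example; ALLOWED, fileFilter, sniffType and contentMatches are illustrative names.
// Each accepted MIME type maps to its permitted extensions and leading magic bytes.
// A Map avoids inherited keys such as "constructor" matching a lookup.
const ALLOWED = new Map([
  ['image/jpeg', { exts: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] }],
  ['image/png', { exts: ['png'], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
]);

// multer-style fileFilter. It runs before the file body is read, so it can
// only judge client-declared metadata: MIME type and original file name.
function fileFilter(req, file, cb) {
  const rule = ALLOWED.get(file.mimetype);
  const name = String(file.originalname || '').toLowerCase();
  // Only the final extension counts, so "photo.png.php" is treated as "php".
  const ext = name.includes('.') ? name.split('.').pop() : '';
  if (!rule || !rule.exts.includes(ext)) {
    return cb(new Error('Invalid file type'), false);
  }
  cb(null, true);
}

// Identify the content by its leading bytes; null if it matches no allowed type.
function sniffType(buf) {
  for (const [mime, rule] of ALLOWED) {
    const fits = buf.length >= rule.magic.length;
    if (fits && rule.magic.every((b, i) => buf[i] === b)) return mime;
  }
  return null;
}

// Post-upload check (assumes memory storage): the bytes must agree with the
// type the client declared, otherwise the handler should discard the file.
function contentMatches(file) {
  return Boolean(file && file.buffer) && sniffType(file.buffer) === file.mimetype;
}

// Wiring, shown as a comment so this block runs without multer installed:
//   const upload = multer({
//     storage: multer.memoryStorage(),
//     fileFilter,
//     limits: { fileSize: 2 * 1024 * 1024, files: 1 },
//   });
//   In the route handler: if (!contentMatches(req.file)) respond with 400.
```

Magic-byte matching confirms only that the file starts like the declared type, so uploads should still be stored under server-generated names outside any directory the server executes from.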