# Insecure File Upload

- ID: python-insecure-file-upload
- Severity: HIGH
- CWE: Unrestricted File Upload (CWE-434)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects file uploads without proper validation of file type, size, or content.
Malicious uploads can lead to code execution, path traversal, or denial of service.
Always validate file extensions, MIME types, content, and size.

## Remediation

Validate file extension, MIME type, and size; use secure_filename() for the filename.

```python
from flask import request, jsonify
from werkzeug.utils import secure_filename
import magic

ALLOWED = {'png', 'jpg', 'pdf'}

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    ext = file.filename.rsplit('.', 1)[-1].lower()
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400

    filename = secure_filename(file.filename)
    file.save(f'uploads/{filename}')
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload

## Documentation

[object Object]

## Related Rules

- **Unsafe File Upload** [HIGH]: 
- **Unrestricted File Upload** [HIGH]: