# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

- Prevalence: High (frequently exploited)
- Impact: High (3 high-severity rules)
- Prevention: Documented (3 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content that can be executed by the server or other users.

## Prevention

Prevention strategies for Unrestricted File Upload based on 3 Shoulder detection rules.

### Go

Validate file type, enforce size limits, and use generated filenames for uploads

### Node.js

Add fileFilter to multer to validate uploaded file types

### Python

Validate file extension, MIME type, and size; use secure_filename() for paths

## Warning Signs

- [HIGH] File upload lacks proper validation
- [HIGH] Multer middleware at ... lacks fileFilter validation
- [HIGH] multer file upload middleware used without proper fileFilter validation
- [HIGH] file uploads without proper validation of file type, size, or content

## Consequences

- Execute Unauthorized Code
- Read Application Data
- Modify Application Data

## Mitigations

- Validate file types on the server side, not just by extension
- Store uploaded files outside the web root
- Use allowlist for permitted file types
- Rename uploaded files to prevent execution

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Unsafe File Upload** [HIGH]: File upload processed without type validation, size limits, or filename sanitization.
  - Remediation: Validate file type, limit size, and use a generated filename.

```go
r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB limit
file, header, err := r.FormFile("file")
if err != nil {
	http.Error(w, "invalid upload", http.StatusBadRequest)
	return
}
defer file.Close()
ext := filepath.Ext(header.Filename) // client-controlled: check against an allowlist before use
safeFilename := uuid.New().String() + ext
dst, err := os.Create(filepath.Join("/var/uploads", safeFilename))
if err != nil {
	http.Error(w, "upload failed", http.StatusInternalServerError)
	return
}
defer dst.Close()
io.Copy(dst, file)
```

Learn more: https://shoulder.dev/learn/go/cwe-434/unsafe-file-upload

### JavaScript (1 rule)

- **Unrestricted File Upload** [HIGH]: Detects multer file upload middleware used without proper fileFilter validation. Without fileFilter, attackers can upload any file type including executables, web shells, and other malicious files.
  - Remediation: Add fileFilter to validate uploaded file types:

```javascript
const multer = require('multer');

const upload = multer({
  fileFilter: (req, file, cb) => {
    // file.mimetype is taken from the request's Content-Type header,
    // so treat this as a first filter, not proof of the file's content.
    const allowed = ['image/jpeg', 'image/png'];
    if (allowed.includes(file.mimetype)) {
      cb(null, true);
    } else {
      cb(new Error('Invalid file type'), false);
    }
  }
});
```

### TypeScript (1 rule)

- **Unrestricted File Upload** [HIGH]: Detects multer file upload middleware used without proper fileFilter validation. Without fileFilter, attackers can upload any file type including executables, web shells, and other malicious files.
  - Remediation: Add fileFilter to validate uploaded file types:

```typescript
import multer from 'multer';

const upload = multer({
  fileFilter: (req, file, cb) => {
    // file.mimetype is taken from the request's Content-Type header,
    // so treat this as a first filter, not proof of the file's content.
    const allowed = ['image/jpeg', 'image/png'];
    if (allowed.includes(file.mimetype)) {
      cb(null, true);
    } else {
      // multer's typed callback takes the error alone when rejecting
      cb(new Error('Invalid file type'));
    }
  }
});
```

### Python (1 rule)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content. Malicious uploads can lead to code execution, path traversal, or denial of service. Always validate file extensions, MIME types, content, and size.
  - Remediation: Validate file extension, MIME type, and size; use secure_filename() for the filename.

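```python
from flask import Flask, request, jsonify
from werkzeug.utils import secure_filename
import magic  # python-magic: content-based MIME detection

app = Flask(__name__)
app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024  # example size limit (10 MB)

# Allowed extension -> MIME type the content must actually have
ALLOWED = {'png': 'image/png', 'jpg': 'image/jpeg', 'pdf': 'application/pdf'}

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    # Sanitize first so the extension check runs on the name that is stored
    filename = secure_filename(file.filename)
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400
    # Sniff the real type from the leading bytes, then rewind for save()
    mime = magic.from_buffer(file.stream.read(2048), mime=True)
    file.stream.seek(0)
    if mime != ALLOWED[ext]:
        return jsonify({'error': 'Invalid type'}), 400
    file.save(f'uploads/{filename}')
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload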
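
The server-side checks from the Mitigations list and the Python rule, combined in one standard-library validator. This is an added example, not code from the original page or from Shoulder's rules. The names `validate_upload`, `check` and `UploadRejected`, the signature table and the 10 MB cap are assumptions, and the sample inputs are constructed.

```python
import uuid

MAX_SIZE = 10 * 1024 * 1024  # assumed cap, same 10 MB as the Go snippet

# Assumed allowlist: extension -> magic bytes the content must start with
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""

def validate_upload(filename: str, data: bytes, max_size: int = MAX_SIZE) -> str:
    """Return a generated storage name, or raise UploadRejected."""
    if len(data) > max_size:
        raise UploadRejected("too large")
    # Only the final extension counts: "shell.php.png" is judged as png,
    # so its content must really start with the PNG signature.
    name, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or not name or ext not in SIGNATURES:
        raise UploadRejected("extension not allowed")
    if not data.startswith(SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    # The client-supplied name is discarded: no traversal, no double extension.
    return f"{uuid.uuid4().hex}.{ext}"

def check(filename: str, data: bytes) -> str:
    try:
        validate_upload(filename, data)
        return "ok"
    except UploadRejected as exc:
        return str(exc)

# Constructed sample inputs (not real files)
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("photo.PNG", PNG),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.png", b"<?php echo 1; ?>"),
    ("../../etc/cron.d/x.pdf", b"%PDF-1.7\n"),
]

if __name__ == "__main__":
    for fname, blob in SAMPLES:
        print(f"{fname!r}: {check(fname, blob)}")
```

A leading-bytes match does not rule out polyglot files, so storing uploads outside the web root still applies.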