# Unrestricted Upload of File with Dangerous Type (CWE-434)

The product allows the upload of files without properly validating the file type, which can lead to execution of malicious code.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: High, 3 rules rated high severity
- Prevention: 3 remediation examples documented

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When users can upload files without restriction, attackers may upload executable files, scripts, or other dangerous content. The danger is realised when the server later executes the file (for example, a `.php` or `.py` file written under a directory the web server interprets), or when it is served back unchanged to other users, who then execute it in their browser or on their machine.

## Prevention

Prevention strategies for Unrestricted File Upload, based on 1 Shoulder detection rule.

### Python

Validate file extension, MIME type, and size; use `secure_filename()` when building the path.

## Warning Signs

- [HIGH] File uploads without proper validation of file type, size, or content

## Consequences

- Execution of unauthorised code
- Reading application data
- Modifying application data

## Mitigations

- Validate the file type on the server side, not just by extension
- Store uploaded files outside the web root
- Use an allowlist of permitted file types
- Rename uploaded files so they cannot be executed

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rule)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content. Malicious uploads can lead to code execution, path traversal, or denial of service. Always validate file extensions, MIME types, content, and size.
  - Remediation: Validate file extension, MIME type, and size; use `secure_filename()` for the filename.

```python
import os
from flask import Flask, request, jsonify
from werkzeug.utils import secure_filename
import magic  # python-magic: sniffs the real content type from the bytes

app = Flask(__name__)

# Allowlist by extension and by sniffed MIME type; both must agree.
ALLOWED = {'png', 'jpg', 'pdf'}
ALLOWED_MIME = {'image/png', 'image/jpeg', 'application/pdf'}
UPLOAD_DIR = 'uploads'  # keep this directory outside the web root


@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    if not file.filename or '.' not in file.filename:
        return jsonify({'error': 'Invalid type'}), 400
    ext = file.filename.rsplit('.', 1)[-1].lower()
    if ext not in ALLOWED:
        return jsonify({'error': 'Invalid type'}), 400
    # Check the content, not the client-supplied Content-Type header.
    head = file.stream.read(2048)
    file.stream.seek(0)
    if magic.from_buffer(head, mime=True) not in ALLOWED_MIME:
        return jsonify({'error': 'Invalid type'}), 400
    # secure_filename() strips path separators and other unsafe characters.
    filename = secure_filename(file.filename)
    file.save(os.path.join(UPLOAD_DIR, filename))
    return jsonify({'filename': filename})
```

Learn more: https://shoulder.dev/learn/python/cwe-434/insecure-file-upload
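The Mitigations list above describes four controls (server-side type validation, storage outside the web root, an extension allowlist, and renaming on write) and the Flask snippet shows two of them. The block below is an added example, not part of the page or of Shoulder's rule, that implements all four with the standard library only: `ALLOWED_TYPES`, `MAX_BYTES`, the magic-byte signatures and the sample uploads inside `demo()` are constructed for the example. A Flask handler would call `store_upload(file.filename, file.mimetype, file.read(), UPLOAD_DIR)` and map `UploadRejected` to a 400.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed allowlist for this example (an assumption, not the page's data):
# extension -> (canonical MIME type, magic-byte prefixes the content must start with)
ALLOWED_TYPES = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit: 5 MiB


class UploadRejected(ValueError):
    """Raised for any upload that fails a check; the caller maps it to HTTP 400."""


def validate_upload(filename: str, declared_mime: str, data: bytes) -> str:
    """Return the allowlisted extension for this upload, or raise UploadRejected.

    Order: size, extension allowlist, declared Content-Type vs. extension,
    magic bytes vs. extension. Neither the client-supplied name nor the
    Content-Type header is trusted on its own; the content must agree.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")

    # Only the final extension of the basename counts, so 'shell.php.png'
    # is treated as PNG and '../../x.png' cannot steer the stored path.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")

    expected_mime, signatures = ALLOWED_TYPES[ext]
    if declared_mime.split(";", 1)[0].strip().lower() != expected_mime:
        raise UploadRejected("Content-Type does not match extension")
    if not data.startswith(signatures):
        raise UploadRejected("file content does not match extension")
    return ext


def store_upload(filename: str, declared_mime: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random name with non-executable permissions.

    upload_dir is assumed to sit outside the web root; files are served back
    through an application handler, never directly by the web server.
    """
    ext = validate_upload(filename, declared_mime, data)
    # The user-supplied name is discarded entirely: a random token plus a
    # known-safe extension cannot collide, traverse, or be picked up as a script.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    dest_dir = Path(upload_dir).resolve()
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / stored_name
    # O_EXCL refuses to overwrite an existing file; 0o600 leaves no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored_name


def demo():
    """Run the checks against constructed sample uploads; returns the verdicts."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG-like bytes
    php = b"<?php system($_GET['c']); ?>"         # constructed script body
    cases = {
        "valid png":         ("cat.png", "image/png", png),
        "script, .php":      ("shell.php", "text/plain", php),
        "script, .png name": ("shell.png", "image/png", php),  # fake extension
        "mime mismatch":     ("doc.pdf", "image/png", b"%PDF-1.4\n"),
        "double extension":  ("../../shell.php.jpg", "image/jpeg", b"\xff\xd8\xff" + b"\x00" * 8),
    }
    verdicts = {}
    for label, (name, mime, data) in cases.items():
        try:
            verdicts[label] = validate_upload(name, mime, data)
        except UploadRejected as exc:
            verdicts[label] = f"rejected: {exc}"
    # Store one valid upload in a temporary directory standing in for the
    # out-of-webroot location, then read it back.
    tmp = tempfile.mkdtemp()
    stored = store_upload("cat.png", "image/png", png, tmp)
    verdicts["stored name"] = stored
    verdicts["stored bytes match"] = Path(tmp, stored).read_bytes() == png
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Two points worth noticing in the output. `shell.php.jpg` with genuine JPEG header bytes passes validation, which is acceptable only because the stored name is a random token ending in `.jpg`; the original name never reaches the filesystem. Conversely, a magic-byte check cannot reject a polyglot that is a valid PNG and also carries script, so the out-of-webroot location and the missing execute bit are not optional extras but the controls that make the remaining risk harmless.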