CRITICAL
Rule Definition
If uploads are not validated on the server, an attacker may be able to upload files of dangerous types and sizes. Viruses, worms, and malicious scripts can then be placed on the server and, where the upload directory is executable, run there; very large or very numerous uploads can also exhaust disk space and lead to denial of service.
Uploading a .htaccess file can lead to remote code execution (on Apache it can re-enable script handling in the upload directory), and uploading .htm, .html, .swf, or .svg files can lead to persistent cross-site scripting, because the browser renders them from the application's own origin.
Remediation
The following controls should be applied on the server side when accepting file uploads:
• Set a maximum file size limit and enforce it on the server, not only in the browser.
• Validate the file extension against an allowlist (whitelist) of permitted extensions; never rely on a blocklist of dangerous ones.
• Allow only one dot in the file name (e.g. reject photo.js.jpg).
• Set permissions on the uploads directory so that nothing stored there has any “execute” permission.
• Generate unique server-side file names (for example GUIDs) rather than storing files under the client-supplied name.
• Prevent overwriting of existing files when a duplicate name occurs.
• Run a virus scanner on the server where uploaded files are stored and configure it to scan automatically on upload.
• When possible, use the POST method rather than PUT. Never accept uploads via GET.
• If compressed files are accepted, extract and check each contained file individually, applying the same controls as for a new upload.
• Log all file uploads on the server side.
Violation Code Sample
<input id="FileInput" runat="server" type="file" />
Then, in the code-behind class of the ASP.NET Web Forms page, the posted file is written to disk without any check on its size, name, or type:
FileInput.PostedFile.SaveAs("DestinationPath"); // no validation of size, extension or name
Fixed Code Sample
Several checks are required; see the remediation list above.
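As an added example (not CAST's own fixed sample), the following ASP.NET Web Forms code-behind applies the server-side controls from the remediation list above to the FileInput control shown in the violation sample. The 2 MiB limit, the extension allowlist, the ~/App_Data/uploads directory, the UploadButton_Click handler and the StatusLabel control are assumptions for illustration; virus scanning and archive inspection are left to host-level tooling and are not shown.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;
using System.Web.UI;

// Added example, not the original page's code. Assumes a Web Forms page with the
// FileInput control from the violation sample, an UploadButton whose Click event
// is wired to UploadButton_Click, and a StatusLabel for user feedback.
public partial class UploadPage : Page
{
    // Assumed limits: a 2 MiB cap and an allowlist of image/document extensions.
    // The cap must also be set in web.config (httpRuntime maxRequestLength, in KB),
    // otherwise ASP.NET buffers the whole request before this handler runs.
    private const int MaxUploadBytes = 2 * 1024 * 1024;
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif", ".pdf" };

    protected void UploadButton_Click(object sender, EventArgs e)
    {
        HttpPostedFile posted = FileInput.PostedFile;
        if (posted == null || posted.ContentLength == 0)
        {
            Reject("No file was uploaded.");
            return;
        }

        // Maximum file size, enforced on the server.
        if (posted.ContentLength > MaxUploadBytes)
        {
            Reject("File exceeds the maximum permitted size.");
            return;
        }

        // Validate the client-supplied name, but use it only to derive the
        // extension. Strip any directory part the browser may have sent.
        string clientName = Path.GetFileName(posted.FileName ?? string.Empty);
        if (clientName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            Reject("File name contains invalid characters.");
            return;
        }
        string[] parts = clientName.Split('.');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
        {
            // Exactly one dot with a non-empty name on each side: this rejects
            // "photo.js.jpg", ".htaccess" and "noextension" alike.
            Reject("File name must be of the form name.extension.");
            return;
        }
        string extension = "." + parts[1].ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, extension) < 0)
        {
            Reject("File type is not permitted.");
            return;
        }

        // Server-chosen GUID name, stored under App_Data, which ASP.NET never
        // serves directly and which carries no execute permission.
        string uploadDir = Server.MapPath("~/App_Data/uploads");
        Directory.CreateDirectory(uploadDir);
        string storedName = Guid.NewGuid().ToString("N") + extension;
        string destination = Path.Combine(uploadDir, storedName);

        // FileMode.CreateNew fails instead of overwriting if, against the odds,
        // the generated name already exists.
        try
        {
            using (FileStream output = new FileStream(destination, FileMode.CreateNew, FileAccess.Write, FileShare.None))
            {
                posted.InputStream.CopyTo(output);
            }
        }
        catch (IOException)
        {
            Reject("Upload could not be stored; please retry.");
            return;
        }

        // Log every accepted upload: claimed name, stored name, size and client.
        Trace.TraceInformation("Upload from {0}: claimed '{1}', stored as '{2}', {3} bytes",
            Request.UserHostAddress, clientName, storedName, posted.ContentLength);

        StatusLabel.Text = "File stored as " + HttpUtility.HtmlEncode(storedName);
    }

    private void Reject(string reason)
    {
        Response.StatusCode = 400;
        StatusLabel.Text = HttpUtility.HtmlEncode(reason);
        Trace.TraceWarning("Rejected upload from {0}: {1}", Request.UserHostAddress, reason);
    }
}
```

Because the files live under App_Data, serving one back requires a dedicated handler that looks up the GUID name and sets an explicit Content-Type and Content-Disposition; the browser never receives a path into the upload directory. The extension allowlist keeps .htaccess, .html, .svg and double-extension names out, but it does not inspect file content, so the on-upload virus scan from the remediation list still belongs on the host.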
Reference
CWE-434: Unrestricted Upload of File with Dangerous Type:
https://cwe.mitre.org/data/definitions/434.html
OWASP Unrestricted File Upload:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
OWASP File Upload Cheat Sheet:
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
Related Technologies
Technical Criterion
CWE-434 - Unrestricted Upload of File with Dangerous Type
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.