# Insecure File Uploads

**Vulnerable Code:**

```java
// Vulnerable: the client-supplied name is used unchanged to build the destination path.
Part filePart = request.getPart("file");
filePart.write("/uploads/" + filePart.getSubmittedFileName());
```

**Reason for vulnerability:** No validation or sanitization of the uploaded file.

**Fixed Code:**

```java
Part filePart = request.getPart("file");
// Keep only the last path element so ".." and directory components are dropped.
String fileName = Paths.get(filePart.getSubmittedFileName()).getFileName().toString();
// isValidFile is an application-defined allowlist check (not shown on this page).
if (!isValidFile(fileName)) {
    throw new IllegalArgumentException("Invalid file");
}
filePart.write("/uploads/" + fileName);
```

**Reason for fix:** Validate and sanitize the uploaded file name.

***

**Vulnerable Code:**

```python
from flask import Flask, request
import os
app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    # Vulnerable: the client-controlled name decides where the file lands.
    file.save(os.path.join('/uploads', file.filename))
```

**Reason for vulnerability:** No validation or sanitization of the uploaded file.

**Fixed Code:**

```python
from flask import Flask, request, abort
import os
from werkzeug.utils import secure_filename

app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    # Strip directory components and unsafe characters from the client-supplied name.
    filename = secure_filename(file.filename)
    # is_valid_file is an application-defined allowlist check (not shown on this page).
    if not is_valid_file(filename):
        abort(400)
    file.save(os.path.join('/uploads', filename))
    return 'File uploaded successfully'
```

**Reason for fix:** Use `secure_filename` and validate the uploaded file name.
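The Java and Python fixed snippets above both call a helper (`isValidFile` / `is_valid_file`) that the page never defines, and both build the destination with a plain string join. The following added example, which is not part of the original page, shows one way to fill both gaps in Python: a strict file-name allowlist check, and a path-containment check that catches the two ways a name can escape the upload directory (`..` traversal, and an absolute name, which `os.path.join` silently lets replace the base directory). The helper names, the allowlist and the `/uploads` base directory are assumptions chosen for the example.

```python
import os

# Constructed allowlist for the example; adjust to what the application must accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def is_valid_file(filename):
    """Hypothetical implementation of the helper the page's fixed code calls.

    Accepts only a bare file name (no directory part, no NUL byte) with a
    non-empty stem and exactly one extension that is on the allowlist, so
    "report.pdf" passes while "shell.php.jpg", ".png" and "../x.png" do not.
    """
    if not filename or filename in (".", ".."):
        return False
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def safe_upload_path(base_dir, filename):
    """Return the absolute destination path, or None if it would fall outside base_dir.

    realpath resolves ".." and symlinks before the containment check;
    os.path.join discards base_dir when filename is absolute, and commonpath
    catches that case as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def check_names(base_dir, names):
    """Run constructed names through both checks; returns {name: destination or None}."""
    results = {}
    for name in names:
        dest = safe_upload_path(base_dir, name) if is_valid_file(name) else None
        results[name] = dest
    return results


if __name__ == "__main__":
    # Constructed sample names covering the cases a reviewer would test by hand.
    sample = ["cat.png", "REPORT.PDF", "shell.php", "shell.php.jpg",
              "../../etc/cron.d/job.png", "/etc/passwd", ".png"]
    for name, dest in check_names("/uploads", sample).items():
        print(f"{name!r:32} -> {dest}")
```

Note that `safe_upload_path` is worth keeping even after `is_valid_file` has rejected every name with a separator in it: it is the check that stays correct if a later refactor relaxes the name rules, and it is the only one of the two that also covers a symlinked upload directory.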

***

**Vulnerable Code:**

```php
<?php
if (isset($_FILES["image"])) {
  $target_dir = "uploads/";
  // Vulnerable: any file type is accepted and written under the web root with its original name.
  $target_file = $target_dir . basename($_FILES["image"]["name"]);
  move_uploaded_file($_FILES["image"]["tmp_name"], $target_file);
  echo "Image uploaded successfully!";
}
?>

<form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="image" id="image">
  <input type="submit" value="Upload Image">
</form>
```

**Reason for vulnerability:** The code doesn't validate the uploaded file type. An attacker could upload executable files that could be executed on the server.

**Fixed Code:**

```php
<?php
if (isset($_FILES["image"])) {
  $target_dir = "uploads/";
  $imageFileType = strtolower(pathinfo($_FILES["image"]["name"], PATHINFO_EXTENSION));

  // Allow certain file formats
  $allowedExtensions = ["jpg", "jpeg", "png", "gif"];
  if (in_array($imageFileType, $allowedExtensions)) {
    $target_file = $target_dir . basename($_FILES["image"]["name"]);
    move_uploaded_file($_FILES["image"]["tmp_name"], $target_file);
    echo "Image uploaded successfully!";
  } else {
    echo "Only JPG, JPEG, PNG and GIF files are allowed.";
  }
}
?>
```

**Reason for fix:** Only files whose extension is on the image allowlist are written to the upload directory.

***

### Java Example

#### Vulnerable Code:

```java
@PostMapping("/upload")
public String handleFileUpload(@RequestParam("file") MultipartFile file) throws IOException {
    // Vulnerable: the original client-supplied name is used verbatim, so the
    // destination can be steered by the name and any file type is stored.
    String filename = file.getOriginalFilename();
    Path path = Paths.get("/uploads/" + filename);
    Files.write(path, file.getBytes());
    return "File uploaded successfully";
}
```

#### Reason for Vulnerability:

This code allows uploading of any file type, and the unsanitized original filename lets the caller steer where under (or outside) `/uploads` the file is written, potentially leading to execution of malicious files.

#### Fixed Code:

```java
@PostMapping("/upload")
public String handleFileUpload(@RequestParam("file") MultipartFile file) throws IOException {
    String filename = file.getOriginalFilename();
    String extension = FilenameUtils.getExtension(filename);

    // Allowlist the extension; the check is case-insensitive.
    if (!Arrays.asList("jpg", "png", "pdf").contains(extension.toLowerCase())) {
        throw new IllegalArgumentException("Invalid file type");
    }

    // Server-chosen random name: the client-supplied name never reaches the file system.
    String newFilename = UUID.randomUUID().toString() + "." + extension;
    Path path = Paths.get("/safe/uploads/" + newFilename);

    Files.write(path, file.getBytes());
    return "File uploaded successfully";
}
```

#### Reason for Fix:

The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads and overwriting.

***

### PHP Example

#### Vulnerable Code:

```php
<?php
if (isset($_FILES['userfile'])) {
    $uploaddir = '/var/www/uploads/';
    // Vulnerable: any file type is accepted and stored under its original name.
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
    move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);
    echo "File is valid, and was successfully uploaded.\n";
}
?>
```

#### Reason for Vulnerability:

This code allows uploading of any file type with any name, potentially leading to execution of malicious files.

#### Fixed Code:

```php
<?php
if (isset($_FILES['userfile'])) {
    $uploaddir = '/var/www/uploads/';
    $extension = pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION);
    $allowed_extensions = array('jpg', 'jpeg', 'png', 'gif');

    // Allowlist the extension; the comparison is case-insensitive.
    if (!in_array(strtolower($extension), $allowed_extensions)) {
        die("Invalid file type");
    }

    // Server-chosen random name: the client-supplied name never reaches the file system.
    $filename = bin2hex(random_bytes(16)) . '.' . $extension;
    $uploadfile = $uploaddir . $filename;

    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n";
    } else {
        echo "Upload failed.\n";
    }
}
?>
```

#### Reason for Fix:

The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads.

### Python Example

#### Vulnerable Code:

```python
from flask import Flask, request
import os

app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part'
    file = request.files['file']
    if file.filename == '':
        return 'No selected file'
    if file:
        # Vulnerable: any file type is accepted and the client-supplied name is used as-is.
        file.save(os.path.join('/uploads', file.filename))
        return 'File uploaded successfully'
    return 'No file'
```

#### Reason for Vulnerability:

This code allows uploading of any file type with any name to a specified directory, potentially leading to security issues.

#### Fixed Code:

```python
from flask import Flask, request
import os
from werkzeug.utils import secure_filename

app = Flask(__name__)

UPLOAD_FOLDER = '/safe/uploads'
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'}

def allowed_file(filename):
    # Case-insensitive allowlist check on the last extension of the name.
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part'
    file = request.files['file']
    if file.filename == '':
        return 'No selected file'
    if file and allowed_file(file.filename):
        # Strip directory components and unsafe characters before building the path.
        filename = secure_filename(file.filename)
        file.save(os.path.join(UPLOAD_FOLDER, filename))
        return 'File uploaded successfully'
    return 'Invalid file type'
```

#### Reason for Fix:

The fixed code validates file types, uses `secure_filename` to sanitize filenames, and restricts the upload directory to prevent security issues.
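Every fixed snippet on this page decides the file type from the extension in the client-supplied name, which the client controls. The following added example, which is not part of the original page, shows the complementary check a reviewer would ask for: compare the first bytes of the uploaded content against the signature expected for the claimed extension, enforce a size limit, and return a server-chosen random name carrying the validated extension. The signature table, the size limit and the function names are assumptions chosen for the example.

```python
import os
import secrets

# Constructed signature table for the types the page's allowlists accept.
# Each value is a tuple of byte prefixes the content must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_SIZE = 5 * 1024 * 1024  # constructed limit: 5 MiB


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def claimed_extension(filename):
    """Lower-cased extension the client claims through the name, or '' if none."""
    base = os.path.basename(filename or "")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def content_matches(extension, data):
    """True when data starts with one of the signatures recorded for extension."""
    signatures = MAGIC.get(extension)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def validate_and_name(filename, data):
    """Validate size, claimed extension and content; return the name to store under.

    The returned name is random and never derived from the client's name, so
    neither traversal nor overwriting of an existing upload is possible.
    """
    if len(data) > MAX_SIZE:
        raise UploadRejected("too large")
    ext = claimed_extension(filename)
    if ext not in MAGIC:
        raise UploadRejected("extension not allowed")
    if not content_matches(ext, data):
        raise UploadRejected("content does not match extension")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, data):
    """Boolean wrapper around validate_and_name for callers that only need a verdict."""
    try:
        validate_and_name(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header, and PHP source renamed to .png.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    renamed = b"<?php echo 'x'; ?>"
    print(validate_and_name("cat.png", png))          # random 32-hex name ending in .png
    print(is_accepted("cat.png", renamed))              # False: content is not a PNG
    print(is_accepted("cat.php", png))                  # False: extension not allowed
```

A signature check is a necessary filter, not a proof that the file is benign (formats that tolerate trailing or leading data can still be abused), so the stored file should also live outside the web root and be served with a fixed Content-Type decided by the server, as the `/safe/uploads` directories in the fixed code above already suggest.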

