Vulnerable Code:
Copy javaCopy codePart filePart = request.getPart("file");
filePart.write("/uploads/" + filePart.getSubmittedFileName()); Reason for vulnerability: No validation or sanitization of the uploaded file.
Fixed Code:
Copy javaCopy codePart filePart = request.getPart("file");
String fileName = Paths.get(filePart.getSubmittedFileName()).getFileName().toString();
if (!isValidFile(fileName)) {
throw new IllegalArgumentException("Invalid file");
}
filePart.write("/uploads/" + fileName); Reason for fix: Validate and sanitize the uploaded file name.
Vulnerable Code:
Copy pythonCopy code@app.route('/upload', methods=['POST'])
def upload():
file = request.files['file']
file.save(os.path.join('/uploads', file.filename)) Reason for vulnerability: No validation or sanitization of the uploaded file.
Fixed Code:
Copy pythonCopy code@app.route('/upload', methods=['POST'])
def upload():
file = request.files['file']
filename = secure_filename(file.filename)
if not is_valid_file(filename):
abort(400)
file.save(os.path.join('/uploads', filename)) Reason for fix: Use secure_filename and validate the uploaded file name.
Vulnerable Code:
Copy <?php
if (isset($_FILES["image"])) {
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["image"]["name"]);
move_uploaded_file($_FILES["image"]["tmp_name"], $target_file);
echo "Image uploaded successfully!";
}
?>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="image" id="image">
<input type="submit" value="Upload Image">
</form> Reason for vulnerability: The code doesn't validate the uploaded file type. An attacker could upload executable files that could be executed on the server.
Fixed Code:
Copy <?php
if (isset($_FILES["image"])) {
$target_dir = "uploads/";
$imageFileType = strtolower(pathinfo($_FILES["image"]["name"],PATHINFO_EXTENSION));
// Allow certain file formats
$allowedExtensions = ["jpg", "jpeg", "png", "gif"];
if (in_array($imageFileType, $allowedExtensions)) {
$target_file = Java Example
Vulnerable Code:
Copy javaCopy@PostMapping("/upload")
public String handleFileUpload(@RequestParam("file") MultipartFile file) {
String filename = file.getOriginalFilename();
Path path = Paths.get("/uploads/" + filename);
Files.write(path, file.getBytes());
return "File uploaded successfully";
} Reason for Vulnerability:
This code allows uploading of any file type to any location, potentially leading to execution of malicious files.
Fixed Code:
Copy javaCopy@PostMapping("/upload")
public String handleFileUpload(@RequestParam("file") MultipartFile file) throws IOException {
String filename = file.getOriginalFilename();
String extension = FilenameUtils.getExtension(filename);
if (!Arrays.asList("jpg", "png", "pdf").contains(extension.toLowerCase())) {
throw new IllegalArgumentException("Invalid file type");
}
String newFilename = UUID.randomUUID().toString() + "." + extension;
Path path = Paths.get("/safe/uploads/" + newFilename);
Files.write(path, file.getBytes());
return "File uploaded successfully";
} Reason for Fix:
The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads and overwriting.
PHP Example
Vulnerable Code:
Copy phpCopy<?php
if (isset($_FILES['userfile'])) {
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);
echo "File is valid, and was successfully uploaded.\n";
}
?> Reason for Vulnerability:
This code allows uploading of any file type with any name, potentially leading to execution of malicious files.
Fixed Code:
Copy phpCopy<?php
if (isset($_FILES['userfile'])) {
$uploaddir = '/var/www/uploads/';
$extension = pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION);
$allowed_extensions = array('jpg', 'jpeg', 'png', 'gif');
if (!in_array(strtolower($extension), $allowed_extensions)) {
die("Invalid file type");
}
$filename = bin2hex(random_bytes(16)) . '.' . $extension;
$uploadfile = $uploaddir . $filename;
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Upload failed.\n";
}
}
?> Reason for Fix:
The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads.
Python Example
Vulnerable Code:
Copy pythonCopyfrom flask import Flask, request
import os
app = Flask(__name__)
@app.route('/upload', methods=['POST'])
def upload_file():
if 'file' not in request.files:
return 'No file part'
file = request.files['file']
if file.filename == '':
return 'No selected file'
if file:
file.save(os.path.join('/uploads', file.filename))
return 'File uploaded successfully' Reason for Vulnerability:
This code allows uploading of any file type with any name to a specified directory, potentially leading to security issues.
Fixed Code:
Copy pythonCopyfrom flask import Flask, request
import os
from werkzeug.utils import secure_filename
app = Flask(__name__)
UPLOAD_FOLDER = '/safe/uploads'
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'}
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@app.route('/upload', methods=['POST'])
def upload_file():
if 'file' not in request.files:
return 'No file part'
file = request.files['file']
if file.filename == '':
return 'No selected file'
if file and allowed_file(file.filename):
filename = secure_filename(file.filename)
file.save(os.path.join(UPLOAD_FOLDER, filename))
return 'File uploaded successfully'
return 'Invalid file type' Reason for Fix:
The fixed code validates file types, uses secure_filename to sanitize filenames, and restricts the upload directory to prevent security issues.
Last updated 10 months ago