Insecure File Uploads

Vulnerable Code:

javaCopy codePart filePart = request.getPart("file");
filePart.write("/uploads/" + filePart.getSubmittedFileName());

Reason for vulnerability: No validation or sanitization of the uploaded file.

Fixed Code:

javaCopy codePart filePart = request.getPart("file");
String fileName = Paths.get(filePart.getSubmittedFileName()).getFileName().toString();
if (!isValidFile(fileName)) {
    throw new IllegalArgumentException("Invalid file");
}
filePart.write("/uploads/" + fileName);

Reason for fix: Validate and sanitize the uploaded file name.

Vulnerable Code:

pythonCopy code@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    file.save(os.path.join('/uploads', file.filename))

Reason for vulnerability: No validation or sanitization of the uploaded file.

Fixed Code:

pythonCopy code@app.route('/upload', methods=['POST'])
def upload():
    file = request.files['file']
    filename = secure_filename(file.filename)
    if not is_valid_file(filename):
        abort(400)
    file.save(os.path.join('/uploads', filename))

Reason for fix: Use secure_filename and validate the uploaded file name.

Vulnerable Code:

<?php
if (isset($_FILES["image"])) {
  $target_dir = "uploads/";
  $target_file = $target_dir . basename($_FILES["image"]["name"]);
  move_uploaded_file($_FILES["image"]["tmp_name"], $target_file);   
  echo "Image uploaded successfully!";
}
?>

<form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="image" id="image">
  <input type="submit" value="Upload Image">   
</form>

Reason for vulnerability: The code doesn't validate the uploaded file type. An attacker could upload executable files that could be executed on the server.

Fixed Code:

<?php
if (isset($_FILES["image"])) {
  $target_dir = "uploads/";
  $imageFileType = strtolower(pathinfo($_FILES["image"]["name"],PATHINFO_EXTENSION));

  // Allow certain file formats
  $allowedExtensions = ["jpg", "jpeg", "png", "gif"];
  if (in_array($imageFileType, $allowedExtensions)) {
    $target_file =

Java Example

Vulnerable Code:

javaCopy@PostMapping("/upload")
public String handleFileUpload(@RequestParam("file") MultipartFile file) {
    String filename = file.getOriginalFilename();
    Path path = Paths.get("/uploads/" + filename);
    Files.write(path, file.getBytes());
    return "File uploaded successfully";
}

Reason for Vulnerability:

This code allows uploading of any file type to any location, potentially leading to execution of malicious files.

Fixed Code:

javaCopy@PostMapping("/upload")
public String handleFileUpload(@RequestParam("file") MultipartFile file) throws IOException {
    String filename = file.getOriginalFilename();
    String extension = FilenameUtils.getExtension(filename);
    
    if (!Arrays.asList("jpg", "png", "pdf").contains(extension.toLowerCase())) {
        throw new IllegalArgumentException("Invalid file type");
    }
    
    String newFilename = UUID.randomUUID().toString() + "." + extension;
    Path path = Paths.get("/safe/uploads/" + newFilename);
    
    Files.write(path, file.getBytes());
    return "File uploaded successfully";
}

Reason for Fix:

The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads and overwriting.

PHP Example

Vulnerable Code:

phpCopy<?php
if (isset($_FILES['userfile'])) {
    $uploaddir = '/var/www/uploads/';
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
    move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);
    echo "File is valid, and was successfully uploaded.\n";
}
?>

Reason for Vulnerability:

This code allows uploading of any file type with any name, potentially leading to execution of malicious files.

Fixed Code:

phpCopy<?php
if (isset($_FILES['userfile'])) {
    $uploaddir = '/var/www/uploads/';
    $extension = pathinfo($_FILES['userfile']['name'], PATHINFO_EXTENSION);
    $allowed_extensions = array('jpg', 'jpeg', 'png', 'gif');
    
    if (!in_array(strtolower($extension), $allowed_extensions)) {
        die("Invalid file type");
    }
    
    $filename = bin2hex(random_bytes(16)) . '.' . $extension;
    $uploadfile = $uploaddir . $filename;
    
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n";
    } else {
        echo "Upload failed.\n";
    }
}
?>

Reason for Fix:

The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads.

Python Example

Vulnerable Code:

pythonCopyfrom flask import Flask, request
import os

app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part'
    file = request.files['file']
    if file.filename == '':
        return 'No selected file'
    if file:
        file.save(os.path.join('/uploads', file.filename))
        return 'File uploaded successfully'

Reason for Vulnerability:

This code allows uploading of any file type with any name to a specified directory, potentially leading to security issues.

Fixed Code:

pythonCopyfrom flask import Flask, request
import os
from werkzeug.utils import secure_filename

app = Flask(__name__)

UPLOAD_FOLDER = '/safe/uploads'
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'}

def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part'
    file = request.files['file']
    if file.filename == '':
        return 'No selected file'
    if file and allowed_file(file.filename):
        filename = secure_filename(file.filename)
        file.save(os.path.join(UPLOAD_FOLDER, filename))
        return 'File uploaded successfully'
    return 'Invalid file type'

Reason for Fix:

The fixed code validates file types, uses secure_filename to sanitize filenames, and restricts the upload directory to prevent security issues.

PreviousLDAP InjectionNextPath Traversal

Last updated