Vulnerable Code:
Copy javaCopy codePart filePart = request . getPart ( "file" );
filePart . write ( "/uploads/" + filePart . getSubmittedFileName ()); Reason for vulnerability: No validation or sanitization of the uploaded file.
Fixed Code:
Copy javaCopy codePart filePart = request . getPart ( "file" );
String fileName = Paths . get ( filePart . getSubmittedFileName ()) . getFileName () . toString ();
if ( ! isValidFile(fileName) ) {
throw new IllegalArgumentException( "Invalid file" ) ;
}
filePart . write ( "/uploads/" + fileName); Reason for fix: Validate and sanitize the uploaded file name.
Vulnerable Code:
Copy pythonCopy code @ app . route ( '/upload' , methods = [ 'POST' ])
def upload ():
file = request . files [ 'file' ]
file . save (os.path. join ( '/uploads' , file.filename)) Reason for vulnerability: No validation or sanitization of the uploaded file.
Fixed Code:
Copy pythonCopy code @ app . route ( '/upload' , methods = [ 'POST' ])
def upload ():
file = request . files [ 'file' ]
filename = secure_filename (file.filename)
if not is_valid_file (filename):
abort ( 400 )
file . save (os.path. join ( '/uploads' , filename)) Reason for fix: Use secure_filename and validate the uploaded file name.
Vulnerable Code:
Copy <? php
if ( isset ( $_FILES[ "image" ] ) ) {
$target_dir = "uploads/" ;
$target_file = $target_dir . basename ( $_FILES[ "image" ][ "name" ] ) ;
move_uploaded_file ( $_FILES[ "image" ][ "tmp_name" ] , $target_file ) ;
echo "Image uploaded successfully!" ;
}
?>
< form action = "" method = "post" enctype = "multipart/form-data" >
< input type = "file" name = "image" id = "image" >
< input type = "submit" value = "Upload Image" >
</ form > Reason for vulnerability: The code doesn't validate the uploaded file type. An attacker could upload executable files that could be executed on the server.
Fixed Code:
Copy <? php
if ( isset ( $_FILES[ "image" ] ) ) {
$target_dir = "uploads/" ;
$imageFileType = strtolower ( pathinfo ( $_FILES[ "image" ][ "name" ] , PATHINFO_EXTENSION )) ;
// Allow certain file formats
$allowedExtensions = [ "jpg" , "jpeg" , "png" , "gif" ];
if ( in_array ( $imageFileType , $allowedExtensions ) ) {
$target_file = Java Example
Vulnerable Code:
Copy javaCopy@ PostMapping ( "/upload" )
public String handleFileUpload(@ RequestParam ( "file" ) MultipartFile file) {
String filename = file . getOriginalFilename ();
Path path = Paths . get ( "/uploads/" + filename);
Files . write (path , file . getBytes ());
return "File uploaded successfully" ;
} Reason for Vulnerability:
This code allows uploading of any file type to any location, potentially leading to execution of malicious files.
Fixed Code:
Copy javaCopy@ PostMapping ( "/upload" )
public String handleFileUpload(@ RequestParam ( "file" ) MultipartFile file) throws IOException {
String filename = file . getOriginalFilename ();
String extension = FilenameUtils . getExtension (filename);
if ( ! Arrays . asList ( "jpg" , "png" , "pdf" ) . contains ( extension . toLowerCase ())) {
throw new IllegalArgumentException( "Invalid file type" ) ;
}
String newFilename = UUID . randomUUID () . toString () + "." + extension;
Path path = Paths . get ( "/safe/uploads/" + newFilename);
Files . write (path , file . getBytes ());
return "File uploaded successfully" ;
} Reason for Fix:
The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads and overwriting.
PHP Example
Vulnerable Code:
Copy phpCopy <? php
if ( isset ( $_FILES[ 'userfile' ] ) ) {
$uploaddir = '/var/www/uploads/' ;
$uploadfile = $uploaddir . basename ( $_FILES[ 'userfile' ][ 'name' ] ) ;
move_uploaded_file ( $_FILES[ 'userfile' ][ 'tmp_name' ] , $uploadfile ) ;
echo "File is valid, and was successfully uploaded.\n" ;
}
?> Reason for Vulnerability:
This code allows uploading of any file type with any name, potentially leading to execution of malicious files.
Fixed Code:
Copy phpCopy <? php
if ( isset ( $_FILES[ 'userfile' ] ) ) {
$uploaddir = '/var/www/uploads/' ;
$extension = pathinfo ( $_FILES[ 'userfile' ][ 'name' ] , PATHINFO_EXTENSION ) ;
$allowed_extensions = array ( 'jpg' , 'jpeg' , 'png' , 'gif' );
if ( ! in_array ( strtolower ( $extension ), $allowed_extensions ) ) {
die ( "Invalid file type" );
}
$filename = bin2hex ( random_bytes ( 16 )) . '.' . $extension;
$uploadfile = $uploaddir . $filename;
if ( move_uploaded_file ( $_FILES[ 'userfile' ][ 'tmp_name' ] , $uploadfile ) ) {
echo "File is valid, and was successfully uploaded.\n" ;
} else {
echo "Upload failed.\n" ;
}
}
?> Reason for Fix:
The fixed code validates file types, uses a random filename, and restricts the upload directory to prevent malicious file uploads.
Python Example
Vulnerable Code:
Copy pythonCopyfrom flask import Flask , request
import os
app = Flask ( __name__ )
@app . route ( '/upload' , methods = [ 'POST' ])
def upload_file ():
if 'file' not in request . files :
return 'No file part'
file = request . files [ 'file' ]
if file . filename == '' :
return 'No selected file'
if file :
file . save (os.path. join ( '/uploads' , file.filename))
return 'File uploaded successfully' Reason for Vulnerability:
This code allows uploading of any file type with any name to a specified directory, potentially leading to security issues.
Fixed Code:
Copy pythonCopyfrom flask import Flask , request
import os
from werkzeug . utils import secure_filename
app = Flask ( __name__ )
UPLOAD_FOLDER = '/safe/uploads'
ALLOWED_EXTENSIONS = { 'txt' , 'pdf' , 'png' , 'jpg' , 'jpeg' , 'gif' }
def allowed_file ( filename ):
return '.' in filename and \
filename . rsplit ( '.' , 1 ) [ 1 ] . lower () in ALLOWED_EXTENSIONS
@app . route ( '/upload' , methods = [ 'POST' ])
def upload_file ():
if 'file' not in request . files :
return 'No file part'
file = request . files [ 'file' ]
if file . filename == '' :
return 'No selected file'
if file and allowed_file (file.filename):
filename = secure_filename (file.filename)
file . save (os.path. join (UPLOAD_FOLDER, filename))
return 'File uploaded successfully'
return 'Invalid file type' Reason for Fix:
The fixed code validates file types, uses secure_filename to sanitize filenames, and restricts the upload directory to prevent security issues.