CME-1310
File Upload Validation (Content Inspection and Extension Allowlist)
Description
Server-side validation of uploaded files using content inspection (magic byte verification), extension allowlisting, and size limits before the file is written to storage or processed. Rejects uploads whose actual content does not match the declared MIME type (which is client-supplied and therefore untrusted), whose final extension is not on the allowlist, or whose size exceeds configured limits. Files are stored outside the web root under randomized server-generated names, so the client-supplied filename is never used as a path and the stored content cannot be requested or executed directly. This prevents attackers from uploading executable payloads (web shells, scripts, malicious binaries) disguised as benign file types. Because a polyglot file (for example a valid image header followed by script code) can satisfy both the extension and magic-byte checks, the non-executable storage location is the backstop, not an optional extra.
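The following is an added example of the validation pipeline described above, written for this page rather than taken from any project. The policy values (allowed image types, a 5 MiB limit, the `/srv/app-uploads` storage root) and the sample uploads are assumptions constructed for illustration; the GIF/PHP polyglot case is included to show which bypass the checks do not catch on their own.

```python
"""Server-side upload validation: extension allowlist, declared-MIME check,
magic-byte content inspection, size limit, randomized non-web-root storage.
Added example; policy values (allowed types, size limit, storage root) are assumptions."""
import os
import secrets
import tempfile
from pathlib import Path

# Assumed policy: only raster images. Each allowed extension maps to the
# magic-byte prefixes its content must start with and the MIME type it must declare.
ALLOWED_TYPES = {
    ".png":  {"mime": "image/png",  "magic": (b"\x89PNG\r\n\x1a\n",)},
    ".jpg":  {"mime": "image/jpeg", "magic": (b"\xff\xd8\xff",)},
    ".jpeg": {"mime": "image/jpeg", "magic": (b"\xff\xd8\xff",)},
    ".gif":  {"mime": "image/gif",  "magic": (b"GIF87a", b"GIF89a")},
}
MAX_BYTES = 5 * 1024 * 1024              # assumed size limit
UPLOAD_ROOT = Path("/srv/app-uploads")   # assumed path, outside the web root


def _basename(filename: str) -> str:
    # Drop any client-supplied directory part (either separator style).
    return os.path.basename(filename.replace("\\", "/"))


def _extension(filename: str) -> str:
    # Judge only the LAST suffix, so "shell.php.png" is treated as ".png", never ".php".
    return Path(_basename(filename)).suffix.lower()


def validate_upload(filename: str, declared_mime: str, data: bytes,
                    max_bytes: int = MAX_BYTES) -> tuple[bool, str]:
    """Return (accepted, reason). Every argument is attacker-controlled."""
    if len(data) > max_bytes:
        return False, "size limit exceeded"
    base = _basename(filename)
    if not base or any(ord(c) < 0x20 or ord(c) == 0x7F for c in base):
        return False, "empty filename or control characters in filename"
    ext = _extension(filename)
    policy = ALLOWED_TYPES.get(ext)
    if policy is None:
        return False, f"extension {ext or '(none)'} not on allowlist"
    # Declared Content-Type is untrusted; it must agree with the extension.
    # Parameters such as ";charset=" are ignored for the comparison.
    if declared_mime.split(";", 1)[0].strip().lower() != policy["mime"]:
        return False, "declared MIME type does not match extension"
    if not any(data.startswith(sig) for sig in policy["magic"]):
        return False, "content does not match extension (magic bytes)"
    return True, "ok"


def store_upload(filename: str, declared_mime: str, data: bytes,
                 root: Path = UPLOAD_ROOT) -> Path:
    """Validate, then write under a random name beneath `root`; the client name is never reused."""
    ok, reason = validate_upload(filename, declared_mime, data)
    if not ok:
        raise ValueError(reason)
    dest = root / (secrets.token_hex(16) + _extension(filename))
    root.mkdir(parents=True, exist_ok=True)
    with open(dest, "xb") as fh:   # "x": fail rather than overwrite an existing file
        fh.write(data)
    os.chmod(dest, 0o640)          # stored as data, never with an execute bit
    return dest


# Constructed test inputs (not real captures). PNG_STUB carries only a valid signature.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
PHP_STUB = b"<?php echo 'hello'; ?>"

CASES = {
    "valid png":         ("avatar.png", "image/png", PNG_STUB),
    "php extension":     ("test.php", "application/x-php", PHP_STUB),
    "double extension":  ("shell.php.png", "image/png", PHP_STUB),
    "renamed php":       ("shell.png", "image/png", PHP_STUB),
    "mime mismatch":     ("avatar.png", "application/octet-stream", PNG_STUB),
    "oversize":          ("big.png", "image/png", PNG_STUB + b"\x00" * MAX_BYTES),
    "traversal in name": ("../../x.png", "image/png", PNG_STUB),
    # Passes every check above: a GIF/PHP polyglot is why storage must also be non-executable.
    "gif-php polyglot":  ("poly.gif", "image/gif", b"GIF89a" + PHP_STUB),
}


def run_cases() -> dict[str, bool]:
    return {name: validate_upload(*args)[0] for name, args in CASES.items()}


def store_roundtrip() -> bool:
    """Stored file lands directly under the root with a random name, even for a traversal-style filename."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dest = store_upload("../../x.png", "image/png", PNG_STUB, root=root)
        return dest.parent == root and dest.name != "x.png" and dest.read_bytes() == PNG_STUB


if __name__ == "__main__":
    for name, accepted in run_cases().items():
        print(f"{name:18s} -> {'accepted' if accepted else 'rejected'}")
    print("store roundtrip ok:", store_roundtrip())
```

Run it directly to see each case's verdict. The "gif-php polyglot" case is accepted by design of the checks shown here: signature matching cannot distinguish a real GIF from a GIF header glued to a script, which is why the randomized name, the directory outside the web root and the absence of an execute bit do the remaining work. If the application needs stronger content assurance, fully decoding the image with an imaging library and re-encoding it before storage is the usual next step.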
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Attacker must bypass content-type inspection, extension allowlist, and storage isolation to execute an uploaded payload; simple extension renaming or MIME spoofing is insufficient |
| Integrity (I) | H → L | Uploaded files are confined to a non-executable storage directory with randomized names; the attacker cannot overwrite existing application files or place executable content in the web root |
CWE Relationships
Verification
Verify that the application rejects uploads with disallowed extensions and mismatched content types, and that upload storage is outside the document root. The curl probe below exercises only the extension check; a content-mismatch probe submits a non-image body under an allowed extension and a declared image MIME type, and must also be rejected.
$ curl -s -o /dev/null -w "%{http_code}" -F "file=@/tmp/test.php" https://app/upload
# Expected: 400 or 403 (rejected)
Platform: linux
$ ls -la /var/www/html/uploads/ 2>/dev/null || echo "no uploads in web root"
# Expected: directory should not exist inside web root
Platform: linux