Skill

file-upload

Audits file upload handlers for vulnerabilities like unrestricted uploads, path traversal, executable files, and size issues. Suggests fixes with extension allowlists, renaming, secure storage outside webroot, and MIME validation.

security

backend

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against unrestricted file upload attacks where an attacker uploads executable

SKILL.md

Similar Skills

file-uploads

36.4k

Handles secure file uploads to S3 and Cloudflare R2 using presigned URLs, multipart uploads, and image optimization. Addresses pitfalls like file type validation, size limits, and path traversal.

antigravity-awesome-skills

file-upload-handling

180

Implements secure file upload handling with validation, virus scanning, storage management, and serving across Flask, Express, FastAPI. Use for file upload features, document management, and media storage.

6 files

aj-geddes-useful-ai-prompts-4

minimal-api-file-upload

842

Implements file upload endpoints in ASP.NET Core Minimal APIs (.NET 8+): IFormFile binding, size limits, multipart handling, validation, and common pitfalls.

dotnet-aspnet

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

File Upload Security Check (A04:2025)

What this checks

Protects against unrestricted file upload attacks where an attacker uploads executable files (web shells, scripts, HTML with embedded JS) that the server later serves or executes. Exploitation leads to remote code execution, stored XSS, or full server compromise.

Vulnerable patterns

file.save(os.path.join('uploads/', file.filename)) — user-controlled filename stored directly, enabling path traversal and extension bypass
Path(uploadDir).resolve().toString() + originalFilename — original filename preserved, no extension allowlist
io.Copy(dst, file) with destination in webroot — uploaded content served directly by the web server
No Content-Length or stream-size check — attacker uploads multi-GB file to exhaust disk

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Extension is validated against an allowlist, never a denylist. Denylists miss novel extensions (.phtml, .phar, .svg) and case variations. An allowlist of expected types (.png, .jpg, .pdf) fails closed.
The user-supplied filename is never used as the storage path. Rename the file to a CSPRNG identifier, preserving only the validated extension. This defeats path traversal (../../etc/passwd), overwrites of existing files, and filename-based XSS on download.
Uploads are written outside the webroot. The server must not serve them directly — files are handed out through an application route that sets a safe Content-Type and Content-Disposition: attachment, never inferred from the filename.
Size is capped at the framework or proxy level, not just inside the handler. A handler-only check lets a multi-gigabyte upload exhaust memory before the check runs.
MIME type is validated against the file's magic bytes, not the Content-Type header the client sent — the header is attacker-controlled.

Anchor — shape, not implementation:

require(ext(upload.filename) in ALLOWED_EXT)
require(magic_bytes_match(upload.stream, ALLOWED_MIMES))
name = csprng_hex() + ext(upload.filename)
save(upload.stream, UPLOAD_DIR_OUTSIDE_WEBROOT / name)   # size cap set in framework

Verification

Confirm the following properties hold (language-agnostic):

Only explicitly-allowed file extensions are accepted — enforced via an allowlist, not a denylist
The user-supplied filename is never used as the storage path — files are renamed to a random or hashed identifier
Uploaded files are stored outside the web-accessible document root
A maximum upload size is enforced at the framework or reverse-proxy level
Files are served with Content-Disposition: attachment and a safe, explicit Content-Type — never inferred from the filename

References

CWE-434 (Unrestricted Upload of File with Dangerous Type)
CWE-22 (Path Traversal)
OWASP A04:2025 Insecure Design