CWE-646: Reliance on File Name or Extension of Externally-Supplied File

What is Reliance on File Name or Extension of Externally-Supplied File?

• Overview: Reliance on File Name or Extension of Externally-Supplied File (CWE-646) occurs when an application uses the file name or extension to determine how to handle a file, potentially leading to dangerous misclassification and processing of the file.

• Exploitation Methods:

• Attackers can exploit this vulnerability by manipulating file extensions, such as appending multiple extensions like ".php.gif" to mislead the application into processing the file incorrectly.
• Common attack patterns include uploading files with deceptive extensions to execute server-side scripts or bypass security filters.

• Security Impact:

• Direct consequences include arbitrary code execution, unauthorized file execution, and file inclusion.
• Potential cascading effects like resource exhaustion, denial of service, or exposure of sensitive system data.
• Business impact can involve data breaches, service downtime, and damage to reputation.

• Prevention Guidelines:

• Specific code-level fixes include verifying file content types through magic numbers or MIME types instead of relying on file extensions.
• Security best practices involve implementing strict file upload validations and enforcing appropriate permissions and access controls.
• Recommended tools and frameworks include using libraries or services that offer robust file type verification and secure file handling.

Corgea can automatically detect and fix Reliance on File Name or Extension of Externally-Supplied File in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Web Server

Vulnerable Code Example

import os

def process_file_upload(file):
    # Vulnerable: Relying solely on file extension to determine file type
    if file.filename.endswith('.txt'):
        # Assume it's a text file and process it as such
        with open(os.path.join('/uploads', file.filename), 'r') as f:
            content = f.read()
        return content
    else:
        raise ValueError("Unsupported file type")

Explanation of Vulnerability:

• Reliance on File Extension: The code assumes that if a file ends in .txt, it is a safe text file. Attackers could upload a file with a .txt extension that contains malicious content, leading to potential security risks. This reliance on the file extension is insufficient for security as it can be easily spoofed.

How to fix Reliance on File Name or Extension of Externally-Supplied File?

To address this vulnerability, it is crucial to verify the file's content rather than relying on its extension. Here are some strategies:

1. Content Inspection: Examine the file's content to ensure it matches the expected format.
2. MIME Type Validation: Use libraries capable of determining the file's MIME type based on its content.
3. Whitelist Approved File Types: Maintain a list of acceptable file types and utilize secure libraries to verify the integrity and type of uploaded files.

Fixed Code Example

import os
import magic  # Python package to detect file type

def process_file_upload(file):
    # Fixed: Use 'magic' to detect MIME type based on file content
    mime = magic.Magic(mime=True)
    file_type = mime.from_buffer(file.read(1024))  # Read a portion of the file to determine type
    file.seek(0)  # Reset file pointer after reading

    # Allow only plain text files
    if file_type == 'text/plain':
        # Process the file securely
        with open(os.path.join('/uploads', file.filename), 'r') as f:
            content = f.read()
        return content
    else:
        raise ValueError("Unsupported file type")

Explanation of Fix:

• MIME Type Detection: The magic library is utilized to ascertain the file's MIME type based on its actual content, not the extension. This ensures the file is indeed a plain text file before processing it.
• File Pointer Reset: After inspecting the MIME type, the file's pointer is reset to allow subsequent operations to read the file from the beginning.
• Robust Type Checking: By verifying the MIME type as text/plain, we ensure only legitimate text files are processed, mitigating the risk of processing malicious files disguised with a .txt extension. This approach enhances security by focusing on the file's actual content rather than its name or extension.