After performing a source code vulnerability scan on the website, the report indicated the issue "Often Misused: File Upload (11503)." To fix this vulnerability, the frontend must validate the file extension.
<input name="file" type="file" accept=".jpg" />
Additionally, the backend must also validate the file extension. The report pointed out that the scanning tool bypassed the frontend checks and directly uploaded a .exe file to the server.
This issue is not a big deal and is easy to fix by checking the file extension on the backend, and rejecting any non-compliant files.
string extension = Path.GetExtension(file.FileName);
if (!(extension == ".jpg"))
{
throw new Exception("Uploading a file with a disallowed extension.");
}
With that, the vulnerability is considered fixed. Job done☑️
Thanks for reading!
If you like this article, please don't hesitate to click the heart button ❤️
or follow my GitHub I'd appreciate it.
Top comments (0)