---
name: cwe-434-unrestricted-file-upload
description: Use this skill when you need to remediate CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing unrestricted upload of file with dangerous type issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-434
  - remediation
  - sast
  - file-upload
  - input-validation
---
# CWE-434 Unrestricted Upload of File with Dangerous Type

## Description

Unrestricted Upload of File with Dangerous Type

- Reference: https://cwe.mitre.org/data/definitions/434.html
- OWASP Category: A04:2021 – Insecure Design
## Vulnerable Pattern

### ❌ Example 1

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Paths;
import java.util.Date;
import java.util.Random;
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager; // assumed log4j2 logger
import org.apache.logging.log4j.Logger;

// java.util.Random seeded with the clock is predictable, so a stored
// filename prefix derived from it can be guessed
private static final Random RANDOM = new Random(new Date().getTime());
private static final Pattern ENDS_WITH_HTML_PATTERN = Pattern.compile("^.+\\.html$");
private static final Pattern ENDS_WITH_HTML_OR_HTM_PATTERN =
        Pattern.compile("^.+\\.(html|htm)$");
// Not anchored at the end of the string: used with find(), this also
// accepts names such as image.png.php
private static final String CONTAINS_PNG_JPEG_REGEX = "^.+\\.(png|jpeg)";
private static final Pattern CONTAINS_PNG_OR_JPEG_PATTERN =
        Pattern.compile(CONTAINS_PNG_JPEG_REGEX);
private static final Pattern ENDS_WITH_PNG_OR_JPEG_PATTERN =
        Pattern.compile(CONTAINS_PNG_JPEG_REGEX + "$");
private static final transient Logger LOGGER =
        LogManager.getLogger(UnrestrictedFileUpload.class);

public UnrestrictedFileUpload() throws IOException, URISyntaxException {
    URI uploadDirectoryURI;
    try {
        // The upload directory is resolved beneath a classpath resource, i.e.
        // inside the application's own static content rather than outside the web root
        uploadDirectoryURI =
                new URI(
                        Thread.currentThread()
                                .getContextClassLoader()
                                .getResource(BASE_PATH)
                                .toURI()
                                + FrameworkConstants.SLASH
                                + STATIC_FILE_LOCATION);
        root = Paths.get(uploadDirectoryURI);
        // ... (truncated for brevity)
```
## Deterministic Fix

### ✅ Secure Implementation

```java
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel9(
        @RequestParam(REQUEST_PARAMETER) MultipartFile file) throws IOException {
    return genericFileUploadUtility(
            root,                                                 // upload directory
            RANDOM.nextInt() + "_" + file.getOriginalFilename(),  // stored file name
            () -> true,                                           // validation callback
            file,
            true,
            false);
}
```
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find file upload handlers
grep -rn "MultipartFile\|@RequestPart" --include="*.java"
# Find file write operations
grep -rn "transferTo\|Files.copy\|FileOutputStream" --include="*.java"
```
## Remediation Steps

1. Validate the file extension against an allowlist
2. Verify that the file content matches the expected type (magic bytes)
3. Generate random filenames for stored files
4. Store uploads outside the web root
5. Implement file size limits
6. Scan uploaded files for malware
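Steps 1 to 5 carried through in plain JDK Java, as an added example that is not the page's or the project's own code: the class name, the 2 MiB limit and the PNG/JPEG allowlist are assumptions, and a Spring controller would call `store(file.getOriginalFilename(), file.getBytes())`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

/** Hypothetical upload validator; not part of the project this skill targets. */
public final class SafeUploadStore {
    private static final long MAX_BYTES = 2L * 1024 * 1024;   // assumed size limit
    // Allowed extension -> leading magic bytes the content must start with
    private static final Map<String, byte[]> ALLOWED = Map.of(
            "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
            "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});

    private final Path uploadRoot;  // a directory outside the served web root

    public SafeUploadStore(Path uploadRoot) {
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /** Validates the upload, stores it under a random name and returns that name. */
    public String store(String originalName, byte[] content) throws IOException {
        if (content.length == 0 || content.length > MAX_BYTES) {
            throw new IllegalArgumentException("rejected: size");
        }
        // Only the text after the LAST dot counts as the extension, so "x.jpg.php"
        // is rejected here and "x.php.jpg" must still pass the content check below.
        String name = originalName == null ? "" : originalName;
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            throw new IllegalArgumentException("rejected: extension");
        }
        // The declared type must match the file's actual leading bytes.
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            throw new IllegalArgumentException("rejected: content does not match ." + ext);
        }
        // Never reuse the client-supplied name: random name plus allowlisted extension.
        String stored = UUID.randomUUID() + "." + ext;
        Path target = uploadRoot.resolve(stored).normalize();
        if (!target.startsWith(uploadRoot)) {   // defensive check against escaping the root
            throw new IllegalStateException("rejected: path");
        }
        Files.createDirectories(uploadRoot);
        Files.write(target, content, StandardOpenOption.CREATE_NEW);
        return stored;
    }
}
```

Step 6 (malware scanning) is left to an external scanner invoked on the stored file, and the magic-byte table can be replaced by `new Tika().detect(content)` when the project already depends on Apache Tika.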
## Key Imports

```java
import org.springframework.web.multipart.MultipartFile;
import java.nio.file.Files;
import org.apache.tika.Tika;
```
## Verification

After remediation:

- Re-run the SAST scan: CWE-434 should be resolved
- Test uploading files with double extensions, e.g. `file.php.jpg`
- Verify that dangerous file types are rejected
## Trigger Examples

- "Fix CWE-434 vulnerability"
- "Resolve Unrestricted Upload of File with Dangerous Type issue"
- "Secure this Java code against unrestricted upload of file with dangerous type"
- "SAST reports CWE-434"
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | Upload endpoints |
| Service | *Service.java | File processing |
## References

Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07