// Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.
| name | sast-file-security-testing |
| description | Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns. |
| allowed-tools | Read, Grep, Glob |
Investigate file operation vulnerabilities by analyzing:
Uploading files without proper validation can lead to RCE.
Dangerous Patterns:
# No file type validation
@app.route('/upload', methods=['POST'])
def upload():
file = request.files['file']
file.save(os.path.join(UPLOAD_DIR, file.filename))
return 'Uploaded'
# Weak validation (extension only)
if file.filename.endswith('.jpg'):
file.save(path) # Bypass: shell.jpg.php, shell.php.jpg
# Content-Type from client (can be forged)
if file.content_type == 'image/jpeg':
file.save(path)
Safe Patterns:
from werkzeug.utils import secure_filename
import magic
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
MAX_FILE_SIZE = 5 * 1024 * 1024 # 5MB
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@app.route('/upload', methods=['POST'])
def upload():
file = request.files['file']
# Check extension
if not allowed_file(file.filename):
return 'Invalid file type', 400
# Check actual content (magic bytes)
mime = magic.from_buffer(file.read(1024), mime=True)
file.seek(0)
if mime not in ['image/png', 'image/jpeg', 'image/gif']:
return 'Invalid file content', 400
# Sanitize filename
filename = secure_filename(file.filename)
# Generate unique name
filename = f"{uuid.uuid4().hex}_{filename}"
file.save(os.path.join(UPLOAD_DIR, filename))
User input in file paths allows accessing arbitrary files.
Dangerous Patterns:
# Direct path concatenation
@app.route('/download/<filename>')
def download(filename):
return send_file(os.path.join(FILES_DIR, filename))
# Attack: /download/../../../etc/passwd
# User-controlled directory
directory = request.args.get('dir')
files = os.listdir(os.path.join(BASE, directory))
# Template/config loading
template = request.args.get('template')
content = open(f"templates/{template}").read()
Safe Patterns:
import os
@app.route('/download/<filename>')
def download(filename):
# Sanitize filename
filename = secure_filename(filename)
# Resolve and validate path
safe_path = os.path.realpath(os.path.join(FILES_DIR, filename))
# Ensure path is within allowed directory
if not safe_path.startswith(os.path.realpath(FILES_DIR)):
return 'Access denied', 403
if not os.path.exists(safe_path):
return 'Not found', 404
return send_file(safe_path)
Loading executables or libraries from user-controlled paths.
Dangerous Patterns:
# Dynamic import from user input
module_name = request.args.get('module')
module = __import__(module_name)
# Subprocess with user-controlled command
cmd = request.args.get('tool')
subprocess.run([cmd, '-v'])
# Loading plugins from user path
plugin_path = user_config['plugin_dir']
exec(open(os.path.join(plugin_path, 'plugin.py')).read())
Safe Patterns:
# Allowlist for dynamic imports
ALLOWED_MODULES = {'math', 'json', 'datetime'}
module_name = request.args.get('module')
if module_name not in ALLOWED_MODULES:
raise ValueError("Module not allowed")
# Absolute paths for executables
TOOL_PATH = '/usr/local/bin/approved-tool'
subprocess.run([TOOL_PATH, '-v'])
Predictable or insecure temporary file creation.
Dangerous Patterns:
# Predictable temp file name
temp_file = f"/tmp/app_{user_id}.txt"
with open(temp_file, 'w') as f:
f.write(data)
# Race condition in temp file
if not os.path.exists(temp_path):
with open(temp_path, 'w') as f:
f.write(data)
Safe Patterns:
import tempfile
# Secure temp file
with tempfile.NamedTemporaryFile(delete=False) as f:
f.write(data)
temp_path = f.name
# Or with context manager
with tempfile.TemporaryDirectory() as tmpdir:
# Files auto-deleted when context exits
Downloading and executing code without verification.
Dangerous Patterns:
# Download and execute
url = config['update_url']
script = requests.get(url).text
exec(script)
# Install package from URL
os.system(f"pip install {url}")
Safe Patterns:
import hashlib
# Verify checksum
expected_hash = "sha256:abc123..."
content = requests.get(url).content
actual_hash = hashlib.sha256(content).hexdigest()
if f"sha256:{actual_hash}" != expected_hash:
raise ValueError("Integrity check failed")
Search for: request.files, multipart, upload
save(, write(, wb, file.save
multer, formidable, busboy
For each upload handler:
Search for: open(, os.path.join, send_file
read_file, write_file, shutil
Path(, pathlib
For each file operation:
Search for: exec(, eval(, __import__
subprocess, os.system, popen
require(, import(, load(
TRUE_POSITIVE:
FALSE_POSITIVE:
UNVALIDATED:
### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL
### Vulnerability Type
- **Category**: Upload / Path Traversal / Execution
- **CWE**: CWE-XXX
### Evidence
- **Location**: file:line
- **Vulnerable Code**: [Code snippet]
- **User Input Source**: [How attacker provides input]
### Attack Scenario
1. [How attacker exploits this]
2. [What they can achieve: RCE, data theft, etc.]
### Recommendations
- [Specific fix with code example]
File security investigations may need:
request.files['file']
send_file(), send_from_directory()
secure_filename()
request.FILES['file']
FileField, ImageField
MEDIA_ROOT, MEDIA_URL
multer({ dest: 'uploads/' })
req.file, req.files
fs.readFile(path)
path.join(base, userInput)
@RequestParam("file") MultipartFile
Files.copy(file.getInputStream(), path)
new File(userPath)
Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.
Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.
Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.
Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.
Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.