OeditusCredo.Check.Security.UnrestrictedFileUpload (OeditusCredo v0.6.1)

Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of high and works with any version of Elixir.

Explanation

Detects potential unrestricted file upload (CWE-434).

Upload handlers that write files to disk without validating content_type, file extension, or file size can allow upload of dangerous files.

Bad:

def upload(conn, %{"file" => %Plug.Upload{} = upload}) do
  File.cp!(upload.path, "/uploads/#{upload.filename}")
end

Good:

@allowed_extensions ~w[.jpg .jpeg .png .gif]

def upload(conn, %{"file" => %Plug.Upload{} = upload}) do
  ext = Path.extname(upload.filename) |> String.downcase()
  if ext in @allowed_extensions, do: ...
end
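The handler below is an added example, not code from OeditusCredo, showing the complete version of the "Good" pattern: extension, content type and size are all validated before the file is written. The MyAppWeb module, the @upload_dir path and the @max_bytes limit are hypothetical names chosen for this example; a Phoenix controller is assumed for json/2 and put_status/2.

```elixir
defmodule MyAppWeb.UploadController do
  # Added example (hypothetical MyAppWeb app): validate what the check
  # expects before the upload reaches disk.
  use MyAppWeb, :controller

  @upload_dir "/var/app/uploads"
  @max_bytes 5 * 1024 * 1024
  @allowed_extensions ~w[.jpg .jpeg .png .gif]
  @allowed_content_types ~w[image/jpeg image/png image/gif]

  def upload(conn, %{"file" => %Plug.Upload{} = upload}) do
    case validate(upload) do
      {:ok, ext} ->
        # Do not reuse the client-supplied filename on disk: keep only the
        # allowlisted extension and generate the rest of the name.
        name = Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false) <> ext
        dest = Path.join(@upload_dir, name)
        File.cp!(upload.path, dest)
        json(conn, %{status: "ok", file: name})

      {:error, reason} ->
        conn |> put_status(:unprocessable_entity) |> json(%{error: reason})
    end
  end

  defp validate(%Plug.Upload{} = upload) do
    ext = upload.filename |> Path.extname() |> String.downcase()

    with :ok <- check_extension(ext),
         :ok <- check_content_type(upload.content_type),
         :ok <- check_size(upload.path) do
      {:ok, ext}
    end
  end

  defp check_extension(ext) when ext in @allowed_extensions, do: :ok
  defp check_extension(_), do: {:error, "file extension not allowed"}

  # content_type is the client's multipart header: a sanity check, not proof
  # of the real file type, so the extension allowlist stays mandatory.
  defp check_content_type(type) when type in @allowed_content_types, do: :ok
  defp check_content_type(_), do: {:error, "content type not allowed"}

  defp check_size(path) do
    case File.stat(path) do
      {:ok, %File.Stat{size: size}} when size <= @max_bytes -> :ok
      {:ok, _} -> {:error, "file too large"}
      {:error, _} -> {:error, "could not read upload"}
    end
  end
end
```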

Check-Specific Parameters

Use the following parameters to configure this check:

:exclude_test_files

Set to true to skip test files (default: false)

This parameter defaults to nil.

General Parameters

As with all checks, general parameters can be applied.

Parameters can be configured via the .credo.exs config file.