== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

include::how-to-fix-it/formidable.adoc[]

include::how-to-fix-it/multer.adoc[]

== Resources

* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* CWE - https://cwe.mitre.org/data/definitions/434[CWE-434 - Unrestricted Upload of File with Dangerous Type]
* CWE - https://cwe.mitre.org/data/definitions/400[CWE-400 - Uncontrolled Resource Consumption]
* https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload[OWASP Unrestricted File Upload] - Unrestricted File Upload

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Restrict [the extension|folder destination] of uploaded files.

'''
== Comments And Links
(visible only on this page)

=== on 21 Jan 2021, 15:37:26 Pierre-Loup Tristant wrote:
This rule is likely not implementable for C#. ASP.NET Core is not providing any high level interface to help developers manage uploaded files. There is no temporary storage of uploaded files by default. The file stays in memory and it's up to the developer to choose the end location. Verifying file extensions can be done in many different ways.

endif::env-github,rspecator-view[]