Q
Detector Library
C detectors (34/34)
Logging of sensitive informationInsecure Use Of ChrootDeadlock And Lock InconsistencyUnsafe File ExtensionOS command injectionIncorrect Use Of FreeUse Of Uninitialized VariableInsecure Use strcat fnSQL injectionBitwise Operator On Signed OperandInsecure use gets fnRandom fd exhaustionRedundant Free UsageInsecure Use MemsetDivide By Zero.Return Stack AddressUnchecked Return ValueIncorrect Format SpecifierUnhandled Expression ResultPath traversalImproper Input ValidationOut Of Bounds ReadInteger OverflowInsecure use strtok functionImproper size of a memory bufferincomplete-cleanupNull pointer dereferenceInsecure Temporary File Or DirectoryInsecure Buffer AccessIncorrect Use Ato FnLoose File PermissionsExposure of Sensitive InformationOut-of-bounds WriteString Equality
Unsafe File Extension Critical
Insufficiently restricted file uploads can allow a file to be uploaded that runs malicious code. For example, a website that doesn't check the file extension of an image can be exploited by uploading a script with an extension, such as .php or .asp, that can be run on the server.
Detector ID
c/unsafe-file-extension@v1.0
Category
Common Weakness Enumeration (CWE) 
Tags
Compliant example
1#include <stdio.h>
2
3void unsafeFileExtensionCompliant() {
4 // Compliant: Safe extension used with fopen example
5 FILE* fileFopen = fopen("example.txt", "r");
6 if (fileFopen != NULL) {
7 printf("File opened successfully using fopen.\n");
8 fclose(fileFopen);
9 } else {
10 printf("Error: Failed to open the file using fopen.\n");
11 }
12}
Noncompliant example
1#include <stdio.h>
2
3void unsafeFileExtensionNonCompliant() {
4 // Noncompliant: Unsafe file extension used with fopen
5 FILE* fileFopen = fopen("example.bat", "rb");
6 if (fileFopen != NULL) {
7 printf("File opened successfully using fopen.\n");
8 fclose(fileFopen);
9 } else {
10 printf("Error: Failed to open the file using fopen.\n");
11 }
12}