Sanitize Flask upload filenames before saving | Critiq Docs

#Metadata

Rule ID: py.security.flask-unsafe-upload-filename
Severity: high
Confidence: 0.9
Languages: python
Presets: security, strict
Stability: stable
Applies to: block
Tags: filesystem, flask, python, rules-catalog, security, upload

#Why it matters

Attacker-controlled filenames enable traversal sequences, extension spoofing, and collisions when saved verbatim.

#Remediation

Generate trusted server-side names or wrap uploads with `werkzeug.utils.secure_filename` before calling `save`.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml.

Back to directory Open rule in repository