CWE-646 Reliance on File Name or Extension
What this means
SiteShadow flagged a security decision based on a filename or extension (e.g., ".png means image", ".pdf means safe"), which attackers can easily spoof.
Why it matters
File names and extensions can be spoofed to bypass controls.
- Upload bypass: malware.exe renamed to image.png.
- Content-type confusion: serving attacker-controlled content back to users (XSS, malware).
- Execution risk if the server treats certain extensions as executable.
Safer examples
1) Validate file content, not just extension
Check MIME type and (where possible) file signatures/magic bytes (see CWE-434).
2) Store uploads outside web root and serve safely
Serve with safe Content-Type and Content-Disposition: attachment when appropriate.
3) Use allowlists and safe processing pipelines
Only accept explicitly allowed types and process them with hardened libraries.
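The three steps above, carried through as one added Python example (this is illustration code written for this page, not SiteShadow's own detection or remediation code). It assumes a storage directory outside the web root at /var/app/uploads and a small allowlist of four types; the magic-byte prefixes are the real signatures for PNG, JPEG, GIF and PDF. The user's filename and declared Content-Type never decide anything: the bytes pick the type, the server generates the on-disk name and extension, and the response headers are derived from the detected type.

```python
import os
import uuid
from dataclasses import dataclass
from typing import Optional

# Assumed storage location outside the web root (not a path from the page).
UPLOAD_DIR = "/var/app/uploads"

# Allowlist: accepted MIME type -> (file signatures, extension assigned on disk).
# These magic-byte prefixes are the real ones for PNG, JPEG, GIF and PDF.
ALLOWED_TYPES = {
    "image/png": ([b"\x89PNG\r\n\x1a\n"], "png"),
    "image/jpeg": ([b"\xff\xd8\xff"], "jpg"),
    "image/gif": ([b"GIF87a", b"GIF89a"], "gif"),
    "application/pdf": ([b"%PDF-"], "pdf"),
}

# Types a browser may render inline; everything else is forced to download.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif"}


@dataclass
class AcceptedUpload:
    mime: str          # type determined from the bytes, not from the name
    stored_name: str   # server-generated name; the user's filename is discarded


def sniff_type(data: bytes) -> Optional[str]:
    """Return the allowlisted MIME type whose signature the data starts with, else None."""
    for mime, (signatures, _ext) in ALLOWED_TYPES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(filename: str, claimed_mime: str, data: bytes) -> AcceptedUpload:
    """Accept an upload only when its bytes match an allowlisted signature.

    The user-supplied filename and Content-Type header are never used to decide
    the type; a mismatch between the claimed type and the sniffed type is rejected,
    and the extension used on disk comes from the detected type.
    """
    detected = sniff_type(data)
    if detected is None:
        raise ValueError("content does not match any allowed file signature")
    if claimed_mime != detected:
        raise ValueError(f"declared type {claimed_mime!r} does not match content {detected!r}")
    ext = ALLOWED_TYPES[detected][1]
    # Random name: 'filename' is at most logged, never used to build the path.
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    return AcceptedUpload(mime=detected, stored_name=stored_name)


def storage_path(upload: AcceptedUpload) -> str:
    """Absolute path under UPLOAD_DIR; the generated name contains no path separators."""
    return os.path.join(UPLOAD_DIR, upload.stored_name)


def response_headers(upload: AcceptedUpload) -> dict:
    """Headers for serving a stored file back: fixed Content-Type from the sniffed
    type, nosniff so the browser does not re-interpret the bytes, and attachment
    disposition for anything not considered safe to render inline."""
    disposition = "inline" if upload.mime in INLINE_SAFE else "attachment"
    return {
        "Content-Type": upload.mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{disposition}; filename="{upload.stored_name}"',
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a renamed Windows executable.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    exe_bytes = b"MZ\x90\x00" + b"\x00" * 16
    ok = validate_upload("cat.png", "image/png", png_bytes)
    print(storage_path(ok), response_headers(ok))
    try:
        validate_upload("image.png", "image/png", exe_bytes)  # .exe renamed to .png
    except ValueError as err:
        print("rejected:", err)
```

Note that a file named shell.php whose bytes are a valid PNG is accepted as image/png and lands on disk as a random name ending in .png outside the web root, so the attacker's chosen extension never reaches the server's execution or serving logic.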
How SiteShadow detects it (high level)
- Detects upload/serve logic that gates behavior on filename/extension alone.
- Flags missing MIME/signature checks in upload and file handling flows.
References
- CWE-646: https://cwe.mitre.org/data/definitions/646.html
---