CWE-646 Reliance on File Name or Extension
Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 4 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a security decision based on a filename or extension (e.g., ".png means image", ".pdf means safe"), which attackers can easily spoof.
Why it matters
File names and extensions can be spoofed to bypass controls.
- Upload bypass:
malware.exerenamed toimage.png. - Content-type confusion: serving attacker-controlled content back to users (XSS, malware).
- Execution risk if the server treats certain extensions as executable.
Safer examples
1) Validate file content, not just extension
Check MIME type and (where possible) file signatures/magic bytes (see CWE-434).
2) Store uploads outside web root and serve safely
Serve with safe Content-Type and Content-Disposition: attachment when appropriate.
3) Use allowlists and safe processing pipelines
Only accept explicitly allowed types and process them with hardened libraries.
How SiteShadow detects it (high level)
- Detects upload/serve logic that gates behavior on filename/extension alone.
- Flags missing MIME/signature checks in upload and file handling flows.
References
- CWE-646: https://cwe.mitre.org/data/definitions/646.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.