V5.2.1: Verify that the application will only accept files of a size which it can process without causing a loss of performance or a denial of service attack.
V5.2.2: Verify that when the application accepts a file, either on its own or within an archive such as a zip file, it checks if the file extension matches an expected file extension and validates that the contents correspond to the type represented by the extension. This includes, but is not limited to, checking the initial 'magic bytes', performing image re-writing, and using specialized libraries for file content validation. For L1, this can focus just on files which are used to make specific business or security decisions. For L2 and up, this must apply to all files being accepted.
V5.2.3: Verify that the application checks compressed files (e.g., zip, gz, docx, odt) against maximum allowed uncompressed size and against maximum number of files before uncompressing the file.
V5.2.4: Verify that a file size quota and maximum number of files per user are enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files.
V5.2.5: Verify that the application does not allow uploading compressed files containing symlinks unless this is specifically required (in which case it will be necessary to enforce an allowlist of the files that can be symlinked to).
V5.2.6: Verify that the application rejects uploaded images with a pixel size larger than the maximum allowed, to prevent pixel flood attacks.
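The following is an added example, not code from SAMMY or the ASVS project, showing how one upload validator can cover V5.2.1, V5.2.2, V5.2.3, V5.2.5 and V5.2.6 together: it bounds the raw upload size, requires the extension to be allowlisted and its magic bytes to open the content, reads a PNG's declared dimensions from the IHDR chunk, and inspects a zip's central directory for entry count, declared uncompressed total and symlink entries before anything is extracted. The numeric limits, the MAGIC table and the sample PNG/zip inputs are constructed for the example; ASVS prescribes no particular values. V5.2.4 (per-user quota) is a storage-accounting check outside this snippet.

```python
import io
import stat
import struct
import zipfile

# Illustrative policy limits (constructed for this example; ASVS sets no specific numbers)
MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # V5.2.1: bound the raw upload
MAX_UNCOMPRESSED_BYTES = 10 * 1024 * 1024   # V5.2.3: bound the declared uncompressed total
MAX_ARCHIVE_ENTRIES = 100                   # V5.2.3: bound the entry count
MAX_IMAGE_PIXELS = 4096 * 4096              # V5.2.6: bound the declared pixel count

# Leading "magic bytes" for the extensions the application accepts (V5.2.2)
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}


def extension_of(filename):
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_matches_content(filename, data):
    """True only for an allowlisted extension whose signature opens the content."""
    sig = MAGIC.get(extension_of(filename))
    return sig is not None and data.startswith(sig)


def png_dimensions(data):
    """Width and height declared in the PNG IHDR chunk, or None if the header is malformed."""
    # Layout: 8-byte signature, 4-byte chunk length, 4-byte type 'IHDR', then width, height (big-endian)
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def check_archive(data):
    """Reject risky zips from their central directory alone, before any extraction (V5.2.3, V5.2.5)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ARCHIVE_ENTRIES:
            return "too many entries"
        if sum(info.file_size for info in infos) > MAX_UNCOMPRESSED_BYTES:
            return "uncompressed size exceeds limit"
        for info in infos:
            # Unix mode bits live in the high 16 bits of external_attr
            if stat.S_ISLNK(info.external_attr >> 16):
                return f"symlink entry rejected: {info.filename}"
    return None


def validate_upload(filename, data):
    """Return None when the upload passes every check, otherwise the reason it was rejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        return "file too large"
    if not extension_matches_content(filename, data):
        return "extension does not match content"
    ext = extension_of(filename)
    if ext == "png":
        dims = png_dimensions(data)
        if dims is None:
            return "malformed PNG header"
        if dims[0] * dims[1] > MAX_IMAGE_PIXELS:
            return "image dimensions exceed limit"
    if ext == "zip":
        return check_archive(data)
    return None


# --- constructed sample inputs (not real uploads) ---

def fake_png(width, height):
    """PNG signature plus an IHDR chunk: enough header for the dimension check (CRC left zeroed)."""
    return (MAGIC["png"] + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", width, height) + bytes(5) + bytes(4))


def fake_zip(entries=1, entry_bytes=1, symlink=False):
    """In-memory zip with the given entry count and per-entry size, optionally with a symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(entries):
            zf.writestr(f"f{i}.txt", b"x" * entry_bytes)
        if symlink:
            link = zipfile.ZipInfo("link")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
            zf.writestr(link, "somewhere/else")                # the link target is just the entry body
    return buf.getvalue()


if __name__ == "__main__":
    print(validate_upload("photo.png", fake_png(640, 480)))
    print(validate_upload("photo.png", fake_png(100_000, 100_000)))
    print(validate_upload("photo.png", MAGIC["jpg"] + bytes(20)))
    print(validate_upload("bundle.zip", fake_zip(entries=MAX_ARCHIVE_ENTRIES + 1)))
    print(validate_upload("bundle.zip", fake_zip(entry_bytes=MAX_UNCOMPRESSED_BYTES + 1)))
    print(validate_upload("bundle.zip", fake_zip(symlink=True)))
```

Two caveats a reviewer would raise. The uncompressed sizes come from the central directory, which the uploader controls, so the check above is a pre-screen: extraction should still read each entry in bounded chunks and abort once the running total passes the limit. Likewise, matching magic bytes proves the content starts like the declared type, not that it is only that type (a file can be a valid image and something else at once), which is why V5.2.2 also names image re-writing and specialized validation libraries as the stronger controls.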