ASVS Requirement 5.2.2
- Level: 1
- Chapter: V5 File Handling
- Section: V5.2 File Upload and Content
- Source: 0x14-V5-File-Handling.md
Description
Verify that when the application accepts a file, either on its own or within an archive such as a zip file, it checks if the file extension matches an expected file extension and validates that the contents correspond to the type represented by the extension. This includes, but is not limited to, checking the initial 'magic bytes', performing image re-writing, and using specialized libraries for file content validation. For L1, this can focus just on files which are used to make specific business or security decisions. For L2 and up, this must apply to all files being accepted.
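The following is an added example written for this page, not code from the ASVS project, showing the two checks the requirement pairs together: an extension allowlist and a content check that the leading "magic bytes" match the type the extension claims, applied both to a directly uploaded file and to every member of an uploaded zip archive. The allowlist, signature table and the sample archive built by `build_sample_zip()` are constructed for illustration (a real application defines its own allowlist); the magic-byte check is the minimum content validation the requirement names and, for image types, would be complemented by the image re-writing or specialised validation libraries it also mentions.

```python
import io
import zipfile

# Constructed allowlist: permitted extensions mapped to the byte signatures
# a file of that type must begin with. Anything not listed is rejected.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
ZIP_SIGNATURE = b"PK\x03\x04"
HEAD_BYTES = 16  # longest signature above is 8 bytes; 16 leaves headroom


def extension_of(filename):
    """Return the lower-cased final extension, or None if there is none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name or name.startswith("."):
        return None
    return name.rsplit(".", 1)[1].lower()


def validate_file(filename, head):
    """Check extension against the allowlist and content against that type's
    signatures. `head` only needs to hold the first HEAD_BYTES of the file."""
    ext = extension_of(filename)
    if ext is None or ext not in ALLOWED_SIGNATURES:
        return False, f"extension not allowed: {filename}"
    if any(head.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return True, "ok"
    return False, f"content does not match .{ext}: {filename}"


def validate_upload(filename, data):
    """Validate an upload. A .zip is opened and every member is validated the
    same way; the result is a list of (name, ok, reason) tuples."""
    if extension_of(filename) == "zip":
        if not data.startswith(ZIP_SIGNATURE):
            return [(filename, False, "content does not match .zip")]
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Read only the leading bytes of each member; archive size and
                # decompression limits are a separate control, not shown here.
                with zf.open(info) as member:
                    head = member.read(HEAD_BYTES)
                ok, reason = validate_file(info.filename, head)
                results.append((info.filename, ok, reason))
        return results
    ok, reason = validate_file(filename, data[:HEAD_BYTES])
    return [(filename, ok, reason)]


def all_ok(results):
    """True only if every file in the upload passed both checks."""
    return bool(results) and all(ok for _, ok, _ in results)


def build_sample_zip():
    """Constructed test archive: one valid PNG, one file whose extension says
    PDF but whose bytes are a GIF, and one disallowed .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 24)
        zf.writestr("doc.pdf", b"GIF89a" + b"\x00" * 24)
        zf.writestr("run.exe", b"MZ" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok, reason in validate_upload("bundle.zip", build_sample_zip()):
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The design point is that the two checks are independent: `run.exe` fails on the allowlist before any content is read, while `doc.pdf` passes the allowlist and is rejected only because its bytes do not match the claimed type. Reading just the first few bytes of each archive member keeps the type check cheap, but it is only a first gate; the requirement's reference to re-writing images and using format-specific libraries is what catches content that carries a valid signature and is still malformed.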