Restrict certain file types (exe, com, bat, cmd) from uploading to the application
Business Requirement: Restrict certain file types from uploading to the application. A few file types: exe, com, bat, cmd, etc.
Solution tried:
Changes made:
- When any file is uploaded in the application, the “AttachFile” activity, which is a final rule, is executed.
- In the “AttachFile” activity there is an extension-point activity, “CallVirusCheck”.
- In “CallVirusCheck” we check whether the “pyFileType” property holds any of the extension types that need to be restricted. In our case we have restricted “exe, com, bat and cmd” files from being uploaded.
- In future, if the business wants to add or remove any file extension, that can be done through the “Restricted File Type” data type, which is exposed to the Prod Ops team.
Observed defect:
- During the testing phase, the Security team identified that if files with an “exe, bat, cmd” extension were converted to a file with an acceptable file type like txt (for example, if we change TestFile.exe to TestFile.txt), then the upload was successful.
- The Security team agreed that the client side is remediated, but the danger resides on the server side.
Enhancement request: We would like to request that the Pega product team add this as an enhancement in an upcoming release. We would like to avoid any custom solution to accommodate this requirement.
***Edited by Moderator Marije to add Enh.Req. FDBK-94399 tags***
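The defect described above is the classic weakness of an extension-only allow/deny list: the check keys on the filename, and a renamed file carries the same bytes under an acceptable name. The following is an added illustration, not Pega code and not from the original post, of what the "server side" remediation the Security team is asking for looks like: the same extension check the post describes, paired with a content check that inspects the first bytes of the upload. The restricted-extension set mirrors the post's list; the signature table and the batch-script markers are assumptions chosen for the example (a Windows PE/DOS executable begins with the bytes `MZ`, an ELF executable with `\x7fELF`; `.bat`/`.cmd` scripts have no fixed header, so they can only be recognised heuristically). The sample uploads at the bottom are constructed byte strings, not real files.

```python
# Added example (not Pega code): extension check plus content inspection.
# The extension set mirrors the post; signatures and batch markers are assumptions.

# Extensions the business wants blocked; in the real application this list
# would come from the "Restricted File Type" data type, not be hard-coded.
RESTRICTED_EXTENSIONS = {"exe", "com", "bat", "cmd"}

# Magic bytes that identify executable content regardless of the filename.
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}

# Batch/cmd scripts have no magic number; these leading tokens are a heuristic
# (an assumption for this example), so this check can miss or misfire.
BATCH_MARKERS = (b"@echo off", b"@ECHO OFF", b"rem ", b"REM ", b"::")


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def check_extension(filename: str) -> tuple[bool, str]:
    """Name-based check, equivalent to what the post does on pyFileType."""
    ext = extension_of(filename)
    if ext in RESTRICTED_EXTENSIONS:
        return False, f"extension '.{ext}' is restricted"
    return True, "extension allowed"


def check_content(data: bytes) -> tuple[bool, str]:
    """Content-based check; the filename plays no part, so renaming is irrelevant."""
    head = data[:8]
    for signature, description in EXECUTABLE_SIGNATURES.items():
        if head.startswith(signature):
            return False, f"content looks like {description}"
    # Skip a UTF-8 BOM and leading whitespace before looking for script markers.
    stripped = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if stripped.startswith(BATCH_MARKERS):
        return False, "content looks like a batch/cmd script"
    return True, "content allowed"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Reject when either the name or the bytes indicate a restricted type."""
    ok, reason = check_extension(filename)
    if not ok:
        return ok, reason
    return check_content(data)


# Constructed sample uploads (not real files): a PE-style header, plain text,
# and a two-line batch script.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_TXT = b"hello, this is a plain text attachment\n"
SAMPLE_BAT = b"@echo off\r\necho hi\r\n"

if __name__ == "__main__":
    cases = [
        ("TestFile.exe", SAMPLE_EXE),  # blocked by the extension check alone
        ("TestFile.txt", SAMPLE_EXE),  # the renamed file from the post: only content catches it
        ("notes.txt", SAMPLE_TXT),     # legitimate text, passes both checks
        ("TestFile.txt", SAMPLE_BAT),  # renamed batch script, caught by the heuristic
    ]
    for name, data in cases:
        ext_ok = check_extension(name)[0]
        ok, why = validate_upload(name, data)
        print(f"{name:13} extension-only={ext_ok!s:5} with-content={ok!s:5} ({why})")
```

Running it shows `TestFile.txt` carrying the executable bytes passing the extension-only check and failing the combined one, which is exactly the gap the Security team reported. Two caveats for anyone porting this into a CallVirusCheck-style extension point: the signature table has to be maintained like the extension list, and the script heuristic is only a hint, so a server-side antivirus or content-type scanner remains the authoritative control.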