Question
RuleTek
US
Last activity: 24 Aug 2017 9:43 EDT
How can you restrict file attachments by extension type for an entire application? (such as .exe)
To meet a security requirement, we are trying to restrict file attachments uploaded in our application to not allow files of certain extension types. I have found several places in PRPC's base application that could be changed to enforce this, but they are all rules with the pz- prefix, and therefore can't be saved into our application. Examples are pzFileUploadGadget and pzDragDopMultiFileUpload.
Is there a better way to handle this security requirement?
Pegasystems Inc.
IN
Hi Justin
The activity you specified, "pzFileUploadGadget", has a call to CallVirusCheck, which is a dummy activity and available.
You can tweak this activity to check the extension of the file and set a message accordingly. Hope this helps.
Pegasystems Inc.
US
Agree with Santanu. I guess that is one option to override and add some validation. But the intention of this CallVirusCheck is to do a custom implementation for virus checks.
But as of the existing implementation this is the only extension available.
Rabobank
NL
I have implemented this requirement by adding an access-when rule which calls a decision table to verify allowed file types.
I used a function like: @String.whatComesAfterLast(.pxAttachName,'.')
Then refer to this access-when rule on the access role to object of the Data-WorkAttach-File class, in the Write Instances field.
As soon as the system tries to save the attachment, it will check the access-when rule and decision table, and will stop the object from saving and return an error message.
This save happens very soon after the CallVirusCheck extension point, so it seems similarly safe.
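The extension check described in the access-when and decision-table reply above, sketched in plain Java as an added example (not Pega rule code and not from any poster in this thread). The class name, method names and the allow-list contents are assumptions; it shows the normalization a "text after the last dot" comparison needs: case folding, names with no extension, and trailing dots or spaces.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration: plain Java, not Pega rule code. All names are hypothetical.
public class AttachmentExtensionCheck {

    // Assumed allow-list; in the approach above these would be the decision table rows.
    static final Set<String> ALLOWED = Set.of("pdf", "png", "jpg", "docx", "xlsx");

    // Returns the text after the last '.', lower-cased, or "" when there is none.
    static String extensionOf(String attachName) {
        if (attachName == null) {
            return "";
        }
        // Windows strips trailing dots and spaces when a file is saved,
        // so "setup.exe." ends up on disk as "setup.exe". Strip them first.
        String name = attachName.replaceAll("[. ]+$", "");
        int dot = name.lastIndexOf('.');
        if (dot < 0) {
            return ""; // no extension at all, e.g. "README"
        }
        // Locale.ROOT keeps case folding independent of the server locale.
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Anything not explicitly listed is rejected, including names without an extension.
    static boolean isAllowed(String attachName) {
        return ALLOWED.contains(extensionOf(attachName));
    }

    public static void main(String[] args) {
        // Constructed sample attachment names.
        List<String> samples = List.of("invoice.pdf", "Scan.PNG", "setup.exe",
                "setup.EXE", "report.pdf.exe", "setup.exe.", "README", "notes.txt ");
        for (String s : samples) {
            System.out.printf("%-18s ext=%-5s %s%n", "\"" + s + "\"",
                    extensionOf(s), isAllowed(s) ? "allow" : "reject");
        }
    }
}
```

The check only looks at the attachment name, so it complements rather than replaces content scanning at the CallVirusCheck extension point.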
Bank Of America
IN
I have followed the same approach but it's not working.
I have attached the screenshots; please help if I am configuring something wrong.
Pegasystems Inc.
IN
Hi Mayank,
Thank you for posting your query in the PSC. This looks like an inactive post and hence, we suggest you create a new post for your query. Click on the Write a Post button that’s available on the top right pane of this page. Once created, please reply back here with the URL of the new post.
You may also refer to this discussion link as a reference in the new thread.
We have also sent you a private message opening up a communication channel in case you have any further questions.
Express Scripts
MX
I have the same requirement, was this solved?
Thanks!