Question
M2c Consulting & Procedures Sl.
ES
Last activity: 27 Feb 2025 8:33 EST
Insecure file upload
Pega platform, through the functionality of attaching documentation, allows uploading documents that may be malicious.
We know that an activity is available, CallVirusCheck, where we can customize the policies based on our customer's requirements, but... Does Pega not have any developments planned regarding this point? It could have a minimum control policy, although it can be customized later.
This lack of control is a critical security vulnerability, because malicious files could be distributed among users who collaborate in an application or process.
Do we know if there will be any improvements in this regard in future versions? I've not found more documention about this topic
Pegasystems Inc.
GB
@ElisabelR ⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Below the most up-to-date information.
Current File Upload Security Features
Currently, Pega provides several security features for file uploads, centered around the CallVirusCheck activity you mentioned. The existing security mechanisms include:
- The ability to use virus checkers to scan uploaded files
- File type restrictions through rules in the SetAttachmentProperties activity
- Setting XML/AllowDocTypes dynamic system setting to false
- In Pega Cloud environments, built-in anti-virus capabilities automatically quarantine files flagged as potential malware
Planned Developments
After researching through the available Pega documentation and resources, I couldn't find specific information about planned developments or improvements regarding minimum control policies for file uploads in upcoming versions. The current approach still relies on custom implementation of security controls rather than having a default minimum security policy as you suggested.
You're absolutely right that this represents a security vulnerability concern. Without a default minimum control policy, malicious files could indeed be distributed among users who collaborate in applications or processes if proper security measures aren't explicitly configured.
@ElisabelR ⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Below the most up-to-date information.
Current File Upload Security Features
Currently, Pega provides several security features for file uploads, centered around the CallVirusCheck activity you mentioned. The existing security mechanisms include:
- The ability to use virus checkers to scan uploaded files
- File type restrictions through rules in the SetAttachmentProperties activity
- Setting XML/AllowDocTypes dynamic system setting to false
- In Pega Cloud environments, built-in anti-virus capabilities automatically quarantine files flagged as potential malware
Planned Developments
After researching through the available Pega documentation and resources, I couldn't find specific information about planned developments or improvements regarding minimum control policies for file uploads in upcoming versions. The current approach still relies on custom implementation of security controls rather than having a default minimum security policy as you suggested.
You're absolutely right that this represents a security vulnerability concern. Without a default minimum control policy, malicious files could indeed be distributed among users who collaborate in applications or processes if proper security measures aren't explicitly configured.
Current Best Practices
In the absence of a default security policy, here are the current recommended approaches for securing file uploads:
- Implement Virus Checking: Use and regularly update a virus checker through the CallVirusCheck activity customization
- Restrict File Types: Add a When rule or decision table to the SetAttachmentProperties activity to evaluate whether document types are allowed
- Configure System Settings: Ensure XML/AllowDocTypes is set to false to limit the document types that can be uploaded
- Apply Additional Validation: Implement file size limits and other validation measures as part of your application's security strategy
Industry Security Standards
Looking at broader industry practices for file upload security, enterprise applications typically implement:
- Content Disarm and Reconstruction (CDR) to neutralize potentially malicious content
- Server-side validation beyond just checking file extensions
- Regular vulnerability assessments specifically targeting file upload functionality
- User education about safe upload practices
Moving Forward
Given the absence of specific information about planned improvements, you might consider:
- Creating an internal best practices document for implementing file upload security controls across your applications
- Implementing a standard security configuration that can be applied as a baseline to all applications
- Performing security assessments specifically targeting file upload functionality in critical applications
References:
- Security Checklist when deploying on Pega Cloud
- Security Checklist when deploying in on-premises environments
- Anti-virus on Pega Cloud