Security Checks for the File upload
We have a requirement to upload a file with 50K records and process the file for further processing with in Pega. And we don't want to load all these 50K records on to a clipboard page and process them in the same user thread/context.
In order to accept the file and process it we want to implement a new landing page and provide an option for users to upload the file using the "File Path" control. By default, this control would place the file in the Service Export directory.
This is different from the other file controls that we use in the case context using the attachment/drag and drop where the
I would like to understand
1. What sort of security checks are already covered by Pega by default while moving the file to the server folder?
2. How do we enable the additional security checks such as file type restrictions before we place the file to the service export directory?
CVS
US
@KC_Janga we used file path and we extended the pzUploadFileExtension Data transform to add additional checks like file type, size etc. we didn't do any security checks.
Evonsys
IN
Steps to Restrict File Types
-
Create a When Rule:
- Go to Records > Decision > When.
- Create a new When rule, for example,
IsAllowedFileType. - In the When rule, add conditions to check the file extension. For example:
@String.contains(.pyFileName, ".csv") || @String.contains(.pyFileName, ".txt") - This condition allows only
.csvand.txtfiles.
-
Modify the SetAttachmentProperties Activity:
- Open the
SetAttachmentPropertiesactivity. - Add a step before the file is saved to check the When rule.
- Use the
Property-Set-Messagemethod to set an error message if the file type is not allowed.
Here’s an example of how you can add this step:
Step: 2 Method: When When: IsAllowedFileType Description: Check if the file type is allowed Step: 3 Method: Property-Set-Message When: !IsAllowedFileType Description: Set error message if file type is not allowed Message: "File type not allowed. Please upload a .csv or .txt file." - Open the
-
Test the Implementation:
Steps to Restrict File Types
-
Create a When Rule:
- Go to Records > Decision > When.
- Create a new When rule, for example,
IsAllowedFileType. - In the When rule, add conditions to check the file extension. For example:
@String.contains(.pyFileName, ".csv") || @String.contains(.pyFileName, ".txt") - This condition allows only
.csvand.txtfiles.
-
Modify the SetAttachmentProperties Activity:
- Open the
SetAttachmentPropertiesactivity. - Add a step before the file is saved to check the When rule.
- Use the
Property-Set-Messagemethod to set an error message if the file type is not allowed.
Here’s an example of how you can add this step:
Step: 2 Method: When When: IsAllowedFileType Description: Check if the file type is allowed Step: 3 Method: Property-Set-Message When: !IsAllowedFileType Description: Set error message if file type is not allowed Message: "File type not allowed. Please upload a .csv or .txt file." - Open the
-
Test the Implementation:
- Upload files with different extensions to ensure that only
.csvand.txtfiles are accepted.
- Upload files with different extensions to ensure that only
Example When Rule Configuration
When Rule: IsAllowedFileType
Condition: @String.contains(.pyFileName, ".csv") || @String.contains(.pyFileName, ".txt")
Example Activity Step Configuration
Step 2:
Method: When
When: IsAllowedFileType
Description: Check if the file type is allowed
Step 3:
Method: Property-Set-Message
When: !IsAllowedFileType
Description: Set error message if file type is not allowed
Message: "File type not allowed. Please upload a .csv or .txt file."
This setup ensures that only files with the specified extensions are allowed to be uploaded, enhancing the security of your application.