Restrict renaming of attachments using FileApiService

Dear community,

Using FileApiService, we are able to rename the attachment. This poses a challenge because an attacker can upload any malicious file, even though we have logic to allow only certain file types to be uploaded.

For example, ABC.bat can be renamed as ABC.txt. After uploading this file, the attacker can change the name of the file to ABC.bat.

We have locked the fields of attachment detail on the UI, but it is not of much help if the file is renamed through FileApiService.


Any method to restrict renaming using this API would be appreciated.


Thanks


Hello Shivani,


Unfortunately, there are no methods available that can restrict file renaming. But we are planning to release a filter that will check the file extension directly from the file and not from its name. As a result, there won't be a possibility of changing the file type by means of renaming.

We will post that information in the Release Notes as soon as the feature is added to the product.

Best regards,

Bogdan

Bogdan Spasibov,


Thanks Bogdan. Also, now that you have mentioned using file signatures (please correct me if I am wrong), I am curious to know how text and csv files can be checked. The challenge we have with our custom logic to allow only 'whitelisted' file types is that csv and txt files do not have file signatures. Is there a way to verify that the attached file is really csv or txt and not a disguise?

Thanks

Shivani Lakshman,


We confirmed the information with R&D regarding your request and unfortunately, it's not possible to verify the real extension of the file if it is not specified in the file signature. In this case, the application checks the extension.


Best regards,

Bogdan S.

Bogdan Spasibov,

Thanks Bogdan. A possible solution would be to restrict file name changes. Once the file is uploaded, a name change can be prohibited. Hence, a file ABC.bat that has been renamed to ABC.txt to pass the filter can never be renamed back to ABC.bat :)
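As an added illustration of the checks discussed in this thread (example code written here, not code from the thread, from FileApiService or from the vendor's planned filter): magic-byte checks for binary types, a plausibility check for signature-less txt/csv, and a rename check that re-runs the same allowlist against the stored bytes so a file can never end up with a non-allowlisted extension. The allowlist, the hypothetical function names and the sample bytes are constructed for this example.

```python
import csv
import io

# Constructed allowlist: extension -> accepted leading byte signatures.
# Types without a signature (txt, csv) are handled by content heuristics below.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "zip": [b"PK\x03\x04"],
}
TEXT_TYPES = {"txt", "csv"}


def decode_text(data: bytes):
    """Return the decoded text if data is plausible plain text, else None:
    valid UTF-8, no NUL bytes, no control characters other than tab/CR/LF."""
    if b"\x00" in data:
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch in "\t\r\n" or ord(ch) >= 0x20 for ch in text):
        return text
    return None


def looks_like_csv(text: str) -> bool:
    """Require at least one non-empty row and a consistent column count."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    return bool(rows) and len({len(r) for r in rows}) == 1


def content_matches_extension(filename: str, data: bytes) -> bool:
    """True only if the extension is allowlisted AND the bytes fit that type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MAGIC:
        return any(data.startswith(sig) for sig in MAGIC[ext])
    if ext in TEXT_TYPES:
        text = decode_text(data)
        if text is None:
            return False
        return looks_like_csv(text) if ext == "csv" else True
    return False  # anything not on the allowlist is refused


def rename_allowed(new_name: str, stored_bytes: bytes) -> bool:
    """Hypothetical hook for a rename request: the new name must pass the
    same validation as an upload, judged against the bytes already stored."""
    return content_matches_extension(new_name, stored_bytes)
```

Note that the text heuristic cannot tell a batch script from a note, which is exactly the limitation Bogdan describes; what closes the gap is that the rename hook refuses any target extension outside the allowlist, so a disguised ABC.txt can never become ABC.bat.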
