Contents x
    File Uploads in Digital Processes
      • PDF
      Contents

      File Uploads in Digital Processes

        • PDF
        Article Summary

        Article Overview

        The following article describes different ways to defend against attacks that can occur due to the fact that end-users can upload files to a digital process

        Background

        Allowing users to upload files to a digital process is a very common use-case. However, files that are uploaded can also potentially be exploited by attackers.

        Defence Levels

        The following sections describe EasySend different defence levels. 

        Level 1 - Restricting File Size

        Uploading large files to a digital process might cause issues. To prevent this, by default, the EasySend platform utilizes two server-side global validations: 

        • enforceMaxAttachmentSize - limits the size of a single uploaded file - to 5MB.
        • enforceTotalMaxAttachmentSize - limits the size of combined uploaded files - to 30MB.
        NOTE
        If you want to change the limitation form 5MB and/or 30MB, please contact our support team.

        Level 2 - Restricting File Types

        For security reasons, the EasySend platform prevents some file types from being uploaded. Player servers with a version of 20.22.0 and above will automatically restrict file uploads by setting an allowed media-type list. Whenever a file upload is attempted , a media-type check is performed on the server-side, and file type is compared against the allowed list.

        Allowed list example:

        image/png,image/gif,image/jpeg,text/plain,application/pdf,application/msword
        NOTE
        In any case, the EasySend platform does not allowed to upload executables. 
        NOTE
        For additional information about the Media-allow list, please contact our support team.

        A Builder user can also use the Properties section of the Upload component to restrict the types of files eligible for upload. For example, in Figure 1 the component's (1) property Accept File Types (2) is configured to allow to upload only image files - .png and .jpg (3). 

        Figure 1: Accept File Types Property

        Level 3 - Integrating a 3rd Party Virus-Scanning API 

        Even when restricting file types to non-executables, some vulnerabilities might still apply. For example, a PDF file might be embedded with a virus.

        To mitigate similar scenarios, an EasySend implementor can integrate the digital process with a 3rd party virus-scanning API, from your organization or external such as OPSWAT, using the Services screen and a Rest API step. In this case, when a digital process is submitted, before a file is being uploaded to a CRM/API, a 3rd party API will receive it and make sure that it passes as clean.

        NOTE
        For additional information about integrating a 3rd Party virus-scanning API, please contact our support team.
        Was this article helpful?
        What's Next

        Can’t find what you’re looking for?

        Let us know what you need and we'll help you as soon as possible.

        Contact support