File Uploads in Digital Processes

    Article Overview

    The following article describes different ways to defend against attacks that can occur because end-users can upload files to a digital process.

    Background

    Allowing users to upload files to a digital process is a very common use case. However, uploaded files can also potentially be exploited by attackers.

    Defense Levels

    The following sections describe EasySend's different defense levels. 

    Level 1 - Restricting File Size

    Uploading large files to a digital process might cause issues. To prevent this, by default, the EasySend platform utilizes two server-side global validations: 

    • enforceMaxAttachmentSize - limits the size of a single uploaded file to 5MB.
    • enforceTotalMaxAttachmentSize - limits the combined size of all uploaded files to 30MB.
    NOTE
    If you want to change the limitation from 5MB and/or 30MB, please contact our support team.

    Level 2 - Restricting File Types

    The EasySend platform prevents some file types from being uploaded for security reasons. Player servers with 20.22.0 and above will automatically restrict file uploads by setting an allowed media-type list. Whenever a file upload is attempted, a media-type check is performed on the server side, and the file type is compared against the allowed list.

    Allowed list:

    • image/png
    • image/gif
    • image/jpeg
    • text/plain
    • application/pdf
    • application/msword
    • application/vnd.openxmlformats-officedocument.wordprocessingml.document
    • application/vnd.ms-excel
    • application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
    • video/mp4
    • video/x-msvideo
    • video/3gpp
    • video/quicktime
    • video/x-ms-wmv
    • audio/mpeg
    • audio/mp4
    • application/ogg
    • image/heic
    NOTE
    For additional information about the Media-allow list, please contact our support team.

    A Builder user can also use the Properties section of the Upload component to restrict the types of files eligible for upload. For example, in Figure 1 the component's (1) Accept File Types property (2) is configured to allow uploading only image files, .png and .jpg (3). 

    Figure 1: Accept File Types Property
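    The following is an added example, not EasySend's own code, showing what the Level 1 and Level 2 server-side checks described above look like when implemented together: per-file and combined size limits (the article's 5MB and 30MB values), a media-type allow list (the article's list), and an optional per-component restriction standing in for the Accept File Types property (here modelled as a set of media types, an assumption). It goes one step beyond the article by also comparing the client-declared media type against the file's leading bytes for the types that have a stable signature, because the Content-Type header is client-controlled and should not be trusted on its own; types without a signature (text/plain, the Office formats) are accepted on the declared type only. The signature table and all names are assumptions for this example.

```python
# Added example (not EasySend's code): server-side upload validation modelled on
# the article's Level 1 (size limits) and Level 2 (media-type allow list).
# The limits and the allow list come from the article; the magic-byte table,
# the class and function names, and the accept_types parameter are assumptions.
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

MAX_ATTACHMENT_SIZE = 5 * 1024 * 1024          # enforceMaxAttachmentSize: 5MB per file
TOTAL_MAX_ATTACHMENT_SIZE = 30 * 1024 * 1024   # enforceTotalMaxAttachmentSize: 30MB combined

# Media-type allow list as given in the article.
ALLOWED_MEDIA_TYPES = frozenset({
    "image/png", "image/gif", "image/jpeg", "text/plain", "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "video/mp4", "video/x-msvideo", "video/3gpp", "video/quicktime",
    "video/x-ms-wmv", "audio/mpeg", "audio/mp4", "application/ogg", "image/heic",
})

# Leading-byte signatures for the types that have a stable one (assumed table).
# Used to check that the bytes actually look like the declared type.
MAGIC = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
}


@dataclass
class Upload:
    filename: str
    declared_type: str   # Content-Type sent by the client; untrusted input
    data: bytes


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def validate_one(up: Upload, accept_types: Optional[Set[str]] = None) -> List[str]:
    """Return the list of reasons this single file must be rejected (empty = ok)."""
    reasons = []
    if len(up.data) > MAX_ATTACHMENT_SIZE:                       # Level 1, single file
        reasons.append(f"size {len(up.data)} exceeds {MAX_ATTACHMENT_SIZE} bytes")
    if up.declared_type not in ALLOWED_MEDIA_TYPES:              # Level 2, global allow list
        reasons.append(f"media type {up.declared_type!r} not in allow list")
    elif accept_types is not None and up.declared_type not in accept_types:
        reasons.append(f"media type {up.declared_type!r} not accepted by this component")
    sigs = MAGIC.get(up.declared_type)                           # content vs. declared type
    if sigs and not any(up.data.startswith(s) for s in sigs):
        reasons.append("file content does not match declared media type")
    return reasons


def validate_submission(uploads: Iterable[Upload],
                        accept_types: Optional[Set[str]] = None) -> Verdict:
    """Validate every file in one submission and the combined size (Level 1, total)."""
    reasons: List[str] = []
    total = 0
    for up in uploads:
        total += len(up.data)
        reasons.extend(f"{up.filename}: {r}" for r in validate_one(up, accept_types))
    if total > TOTAL_MAX_ATTACHMENT_SIZE:
        reasons.append(f"combined size {total} exceeds {TOTAL_MAX_ATTACHMENT_SIZE} bytes")
    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs: a small valid PNG header and a PDF header
    # mislabelled as PNG, which the signature check catches.
    ok = Upload("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    mislabelled = Upload("photo.png", "image/png", b"%PDF-1.4" + b"\x00" * 16)
    print(validate_submission([ok], accept_types={"image/png", "image/jpeg"}))
    print(validate_submission([mislabelled]))
```

    The combined-size check runs over the whole submission rather than per file, which is why the two limits are separate validations: seven files of exactly 5MB each pass the single-file check and still fail the 30MB total.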

    Level 3 - Integrating a 3rd Party Virus-Scanning API 

    Even when file types are restricted to non-executables, some risks remain. For example, a PDF file might contain embedded malware.

    To mitigate such scenarios, an EasySend implementor can integrate the digital process with a 3rd party virus-scanning API, either one run by your organization or an external service such as OPSWAT, using the Services screen and a Rest API step. In this case, when a digital process is submitted, the file is sent to the 3rd party API, which must confirm that it is clean before the file is uploaded to a CRM/API.

    NOTE
    For additional information about integrating a 3rd Party virus-scanning API, please contact our support team.
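    The following is an added example, not EasySend's or OPSWAT's code, of the submit-time gate described in Level 3: every uploaded file is scanned before anything is forwarded to the CRM, a single non-clean verdict blocks the whole submission, and a scanner that cannot give a verdict (timeout, HTTP error) is treated as a rejection rather than as clean, so the gate fails closed. The scanner interface, the in-memory DemoScanner, its marker string and the ".timeout" filename convention are all constructed for this example; in a real integration the Rest API step to the scanning service replaces DemoScanner.

```python
# Added example (not EasySend's or OPSWAT's code): the Level 3 gate, with a
# pluggable scanner so the flow can be exercised offline. ScanResult, Scanner,
# ScannerUnavailable, GateOutcome, gate_submission and DemoScanner are all
# names assumed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, Protocol


@dataclass(frozen=True)
class ScanResult:
    clean: bool
    detail: str = ""


class Scanner(Protocol):
    def scan(self, filename: str, data: bytes) -> ScanResult: ...


class ScannerUnavailable(Exception):
    """Raised when the scanning service cannot give a verdict (timeout, HTTP error)."""


@dataclass
class GateOutcome:
    forwarded: bool
    rejected: Dict[str, str]   # filename -> reason


def gate_submission(files: Dict[str, bytes], scanner: Scanner,
                    forward: Callable[[Dict[str, bytes]], None]) -> GateOutcome:
    """Scan every file in the submission; call forward() only if all are clean.

    A scanner failure is recorded as a rejection (fail closed): an unscanned
    file is never forwarded to the CRM/API.
    """
    rejected: Dict[str, str] = {}
    for name, data in files.items():
        try:
            result = scanner.scan(name, data)
        except ScannerUnavailable as exc:
            rejected[name] = f"no scan verdict: {exc}"
            continue
        if not result.clean:
            rejected[name] = result.detail or "scanner flagged file"
    if rejected:
        return GateOutcome(forwarded=False, rejected=rejected)
    forward(files)
    return GateOutcome(forwarded=True, rejected={})


class DemoScanner:
    """Constructed in-memory scanner for demonstration only, not a real engine.

    Treats a marker substring as malicious and a '.timeout' filename as an
    outage of the scanning service.
    """
    MARKER = b"DEMO-MALICIOUS-MARKER"

    def scan(self, filename: str, data: bytes) -> ScanResult:
        if filename.endswith(".timeout"):
            raise ScannerUnavailable("service timed out")
        if self.MARKER in data:
            return ScanResult(False, "demo signature matched")
        return ScanResult(True)


def run_demo():
    """Exercise the gate on three constructed submissions; returns the outcomes
    and the list of submissions that actually reached the (fake) CRM."""
    sent = []
    forward = lambda files: sent.append(sorted(files))      # stands in for the CRM upload
    clean = gate_submission({"form.pdf": b"%PDF-1.4 sample"}, DemoScanner(), forward)
    flagged = gate_submission({"form.pdf": b"%PDF-1.4 " + DemoScanner.MARKER},
                              DemoScanner(), forward)
    outage = gate_submission({"form.pdf.timeout": b"%PDF-1.4 sample"},
                             DemoScanner(), forward)
    return clean, flagged, outage, sent


if __name__ == "__main__":
    for outcome in run_demo()[:3]:
        print(outcome)
```

    Only the first submission reaches the CRM; the flagged file and the scanner outage both stop the forward step, and the outcome records the reason so the rejection can be surfaced to the user and logged.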
