File Uploads in Digital Processes
    • PDF

    File Uploads in Digital Processes

    • PDF

    Article summary

    Article Overview

    The following article describes different ways to defend against attacks that can occur due to the fact that end-users can upload files to a digital process

    Background

    Allowing users to upload files to a digital process is a very common use-case. However, files that are uploaded can also potentially be exploited by attackers.

    Defence Levels

    The following sections describe EasySend different defence levels. 

    Level 1 - Restricting File Size

    Uploading large files to a digital process might cause issues. To prevent this, by default, the EasySend platform utilizes two server-side global validations: 

    • enforceMaxAttachmentSize - limits the size of a single uploaded file - to 5MB.
    • enforceTotalMaxAttachmentSize - limits the size of combined uploaded files - to 30MB.
    NOTE
    If you want to change the limitation form 5MB and/or 30MB, please contact our support team.

    Level 2 - Restricting File Types

    For security reasons, the EasySend platform prevents some file types from being uploaded. Player servers with a version of 20.22.0 and above will automatically restrict file uploads by setting an allowed media-type list. Whenever a file upload is attempted , a media-type check is performed on the server-side, and file type is compared against the allowed list.

    Allowed list:

    image/png,image/gif,image/jpeg,text/plain,application/pdf,application/msword,application/vnd.openxmlformats-
    officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-
    officedocument.spreadsheetml.sheet,video/mp4,video/x-msvideo,video/3gpp,video/quicktime,video/x-ms-
    wmv,audio/mpeg,audio/mp4,audio/mpeg,application/ogg,image/heic
    NOTE
    For additional information about the Media-allow list, please contact our support team.

    A Builder user can also use the Properties section of the Upload component to restrict the types of files eligible for upload. For example, in Figure 1 the component's (1) property Accept File Types (2) is configured to allow to upload only image files - .png and .jpg (3). 

    Figure 1: Accept File Types Property

    Level 3 - Integrating a 3rd Party Virus-Scanning API 

    Even when restricting file types to non-executables, some vulnerabilities might still apply. For example, a PDF file might be embedded with a virus.

    To mitigate similar scenarios, an EasySend implementor can integrate the digital process with a 3rd party virus-scanning API, from your organization or external such as OPSWAT, using the Services screen and a Rest API step. In this case, when a digital process is submitted, before a file is being uploaded to a CRM/API, a 3rd party API will receive it and make sure that it passes as clean.

    NOTE
    For additional information about integrating a 3rd Party virus-scanning API, please contact our support team.

    Was this article helpful?