[DidYouKnow - 22] Support for whitelisting/blacklisting attachments with certain file extensions
Hello folks,
With ServiceDesk Plus build 10009, we introduced a new attachment whitelist/blacklist feature.
This helps restrict users from uploading vulnerable files to the application by blacklisting them based on file properties such as file extension or file content type.
As you know, attachments can be uploaded various modules say request, change, solution, assets, problem and so on.
When a user tries to upload a blacklisted file content type, it fails with a warning message as in the below screenshot.
Similarly, when an email is sent with a blacklisted file type, the attachment will be dropped and the request will be processed without attachment.
Steps to enable this,
You can perform these operations by passing database queries.
Parameters to support the functionality:
BlackList_Or_WhiteList - Parameter to choose whether to block or allow files of selected criteria to be uploaded to the application
FileExtensions - Parameter that holds comma-separated values of file extensions
FileContent Types - Parameter to holds comma-separated values of file content types
Sample queries to update values for FileExtensions and FileContentTypes:
update attachmentconfig set paramvalue = 'png,jpeg,gif,bmp' where parameter = 'FileExtensions';
(Replace png, jpeg, gif, bmp with different extensions as per your requirements.)
update attachmentconfig set paramvalue = 'image/png,image/jpeg,text/plain' where parameter = 'FileContentTypes';
(Replace image/png, image/jpeg, text/plain with different content types per your requirements.)
The BlackList_Or_WhiteList parameter is set to BLACKLIST by default. You can switch the option to Whitelist by using the following query:
update attachmentconfig set paramvalue = 'WHITELIST' where parameter = 'BlackList_Or_WhiteList';
You can also allow only specific files to be uploaded by whitelisting them.
NOTE: We strongly recommend you to take an application backup prior to enabling this feature. Refer to this article for the instructions to take a manual backup.