Problem statement: I have a requirement wherein we receive files in Appian from a third-party system. For security reasons we want to restrict uploads to only a few file extensions.
I have created a Web API using the 'Document Upload' template, so that external systems can push documents to Appian.
I want to return an error code in the response when someone hits this Web API and uploads files with an extension other than .xlsx.
I have used document(http!request.body, "extension"); however, this does not prevent the document from being added to the target folder.
Is it possible for the Web API to return an error code and not even allow files with specific extensions to be added to the target folder?
The file itself is uploaded and stored in the target folder before the API code is executed. I think this is what you are seeing.
Why not just start a process which checks the extension and deletes the file if it is the wrong one? If you enable some chaining, you can return values from the process to the API and return appropriate messages.
Stefan Helzle, the main concern is that there is a vulnerability: the API is vulnerable to unrestricted file upload. The API allows file uploads, and even if someone sends an .exe executable file, the Web API created in Appian allows the document to be stored in the target folder. Can we restrict this beforehand?
A file by itself is no security threat. AFAIK this kind of restriction is not supported. My clients typically put some kind of API management in front of Appian in which we implement these kinds of restrictions.
There is no way to restrict it as of now (we can still show a validation error as a response). Appian converts the binary file request to an Appian document immediately when the external system hits the API. One solution for this is to create a scheduler that deletes unnecessary documents and runs daily or weekly.
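A check of the kind an API management layer in front of Appian could run before forwarding an upload, as an added example that is not part of this thread and is not Appian code. The function names, size limit and status codes are assumptions; the content check assumes workbooks laid out the way Excel writes them.

```python
import io
import zipfile
from pathlib import PurePosixPath

MAX_BYTES = 10 * 1024 * 1024  # assumed size limit, adjust to policy
# Assumption: parts present in .xlsx packages as Excel writes them.
REQUIRED_PARTS = {"[Content_Types].xml", "xl/workbook.xml"}


def check_upload(filename: str, body: bytes) -> tuple[int, str]:
    """Return (HTTP status, reason). Only a 200 result is forwarded to Appian."""
    # Reject path components, then require the final extension to be .xlsx.
    name = filename.replace("\\", "/")
    if "/" in name or "\x00" in name:
        return 400, "file name must not contain path separators"
    if PurePosixPath(name).suffix.lower() != ".xlsx":
        return 415, "only .xlsx files are accepted"
    if len(body) > MAX_BYTES:
        return 413, "file too large"
    # The extension is caller-controlled, so also confirm the content is a
    # ZIP package carrying the expected workbook parts.
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return 415, "content is not a valid .xlsx package"
    if not REQUIRED_PARTS <= names:
        return 415, "content is not a valid .xlsx package"
    return 200, "ok"


def make_sample_xlsx() -> bytes:
    """Constructed minimal package for the demo; not a full workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    good = make_sample_xlsx()
    # Constructed sample requests: (file name, body)
    for fname, data in [("report.xlsx", good), ("tool.exe", b"MZ\x90\x00"),
                        ("renamed.xlsx", b"MZ\x90\x00"), ("a.xlsx.exe", good)]:
        print(fname, check_upload(fname, data))
```

Because the rejection happens before the request reaches the Web API, a refused file is never converted to an Appian document or written to the target folder.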