Problem statement: I have a requirement wherein we receive files in Appian from a third-party system. For security reasons we want to restrict this to only a few file extensions.
I have created a Web API using a 'Document Upload' template, so that external systems can push documents to Appian.
I want to return an error code in the response when someone hits this Web API and uploads files with an extension other than .xlsx.
I have used document(http!request.body, "extension"); however, this does not prevent the document from being added to the target folder.
Is it possible for the Web API to return an error code and not even allow files with a specific extension to be added to the target folder?
The file itself is uploaded and stored in the target folder before the API code is executed. I think this is what you are seeing.
Why not just start a process which checks the extension and deletes the file if it is the wrong one? If you enable some chaining, you can return values from the process to the API and return appropriate messages.
Stefan Helzle, the main concern is that there is a vulnerability: the API is vulnerable to unrestricted file upload. The API allows files to be uploaded, and even if someone sends an .exe executable file, the Web API created in Appian still allows the document to be stored in the target folder. Can we restrict this beforehand?
A file by itself is no security threat. AFAIK this kind of restriction is not supported. My clients typically put some kind of API management in front of Appian in which we implement these kinds of restrictions.
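
Added example, not part of any post in this thread and not Appian code: a sketch of the check an API-management layer in front of Appian could run before forwarding an upload. It goes one step beyond the extension allowlist discussed above by also confirming the body is a ZIP container with workbook parts, so a renamed .exe is rejected. The function name, size limit, status codes and required part names are assumptions.

```python
import io
import zipfile

ALLOWED_EXTENSIONS = {".xlsx"}   # allowlist from the thread: only .xlsx
MAX_BYTES = 10 * 1024 * 1024     # assumed size limit, not from the thread
# Heuristic (assumption): parts that standard tools write into an .xlsx file.
REQUIRED_PARTS = {"[Content_Types].xml", "xl/workbook.xml"}


def check_upload(filename: str, body: bytes) -> tuple[int, str]:
    """Return (HTTP status, reason); only a 200 result should be forwarded."""
    name = filename.strip().lower()
    # Reject path separators and NUL so "a.xlsx/../x.exe" style names never pass.
    if not name or any(c in name for c in "/\\\x00"):
        return 400, "invalid file name"
    dot = name.rfind(".")
    if dot <= 0 or name[dot:] not in ALLOWED_EXTENSIONS:
        return 415, "extension not allowed"
    if len(body) > MAX_BYTES:
        return 413, "file too large"
    # An .xlsx file is a ZIP container; a renamed executable fails to parse.
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            parts = set(zf.namelist())
    except zipfile.BadZipFile:
        return 415, "content is not a ZIP container"
    if not REQUIRED_PARTS <= parts:
        return 415, "ZIP lacks workbook parts"
    return 200, "ok"


def _sample_xlsx() -> bytes:
    """Constructed minimal container with the two parts the check looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 64  # constructed bytes with the PE "MZ" marker
    for fname, data in [("report.xlsx", _sample_xlsx()),
                        ("tool.exe", fake_exe),
                        ("report.xlsx", fake_exe)]:
        print(fname, check_upload(fname, data))
```

Because the rejection happens before the request reaches Appian, nothing is written to the target folder for a rejected upload.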