How to validate/handle file upload for filename contain double extension?

A file as you describe will have two period characters in its filename so you can simply validate that the filename can only have one period character in it.

A file as you describe will have two period characters in its filename so you can simply validate that the filename can only have one period character in it.

Thank you Stewart Burchell,

Could you please suggest some sample validation code, so that i may try to check once.

Regards,
Sandeep

len(cleanwith("FileUploadBypass.php%00.xlsx", ".")) > 1

Thank Stefan,

As a part of VA testing, testers are using below API to upload the file using third party tool.

URL is: suite/api/tempo/file?validateExtension=true

Method: POST
In the request Body they are passing the file with double extension "FileUploadBypass.php%00.xlsx"

Please suggest, is there any way to block upload of double extension file from OOTB file upload api mentioned above.

Please note: We are using 21.4 version of Appian.

Sure. The only problem here is, that you cannot decide whether the file is stored or not. This means, that in case everything is good, just return a 201 HTTP status code. If the file is not good, you need to actively delete the document using a!deleteDocument().

Hi Stefan,

This API is not created by us. It is present in Appian as OOTB functionality to upload file.
Testers are trying to use this API as part of Vulnerability Assessment (VA) testing to find out if Appian is allowing upload of double extension file.

We will not have any control over this API.

Just like we have an option to whitelist file extensions in admin console for file upload, do we have any option to reject upload of double extension files (Uploaded via OOTB file upload API)?

There is a file upload API in Appian !?!?!

I suggest to contact Appian to discuss any "features" of built-in functionality.

Thank you Stefan,
As of now we have opened Appian support ticket to discuss further on this.

Regards,
Sandeep