Hi All,
We have an observation from our VA testing team that, while uploading a file, the filename should not contain a double extension, as shown below:
FileUploadBypass.php%00.xlsx
Currently Appian allows the file to be uploaded into the application because of the .xlsx extension, but the VA testing team suggested to us that the filename should not contain a double extension.
Any suggestions on how to validate this kind of observation?
Regards,
Sandeep
A file such as you describe will have two period characters in its filename, so you can simply validate that the filename has only one period character in it.
Thank you Stewart Burchell,
Could you please suggest some sample validation code, so that I may try to check it?
/* cleanwith() keeps only the "." characters, so len() counts the periods in the name */
len(cleanwith("FileUploadBypass.php%00.xlsx", ".")) > 1
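The same "at most one period" rule from the two replies above, written as an added Python example rather than an Appian expression (it is not code from this thread or from Appian), extended to reject the percent-encoded or literal NUL byte in the reported sample name and to check the final extension against an allow-list; the allow-list values and the function name are assumptions.

```python
# Added example, not part of the thread or of Appian.
# Checks an uploaded filename the way the replies above suggest (exactly one
# period) and also rejects the "%00" NUL-byte trick from the reported sample.
import posixpath
import urllib.parse
from typing import Optional

# Constructed allow-list standing in for the admin-console extension list.
ALLOWED_EXTENSIONS = {"xlsx", "pdf", "png"}


def check_upload_filename(filename: str, allowed=ALLOWED_EXTENSIONS) -> Optional[str]:
    """Return None when the name is acceptable, otherwise the rejection reason."""
    # Decode once so "%00" becomes a real NUL, then keep only the base name so
    # that directory components cannot smuggle in extra periods or separators.
    decoded = urllib.parse.unquote(filename)
    base = posixpath.basename(decoded.replace("\\", "/"))
    if base in ("", ".", ".."):
        return "empty or reserved filename"
    if "\x00" in base:
        return "filename contains a NUL byte"
    if any(ord(ch) < 0x20 for ch in base):
        return "filename contains control characters"
    if base.count(".") != 1:
        # Same rule as the replies: "a.php.xlsx" has two periods and is rejected.
        return "filename must contain exactly one period"
    stem, ext = base.split(".")
    if not stem:
        return "filename must have a name before the extension"
    if ext.lower() not in allowed:
        return f"extension '{ext}' is not in the allow-list"
    return None


if __name__ == "__main__":
    for name in ("FileUploadBypass.php%00.xlsx", "report.xlsx", "shell.php"):
        print(name, "->", check_upload_filename(name) or "accepted")
```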
Thanks Stefan,
As part of VA testing, the testers are using the API below to upload the file using a third-party tool.
URL is: suite/api/tempo/file?validateExtension=true
Method: POST
In the request body they are passing the file with the double extension "FileUploadBypass.php%00.xlsx".
Please suggest: is there any way to block the upload of double-extension files via the OOTB file upload API mentioned above?
Please note: we are using Appian version 21.4.
Sure. The only problem here is that you cannot decide whether the file is stored or not. This means that, in case everything is good, you just return a 201 HTTP status code. If the file is not good, you need to actively delete the document using a!deleteDocument().
Hi Stefan,
This API is not created by us. It is present in Appian as OOTB functionality to upload files. Testers are trying to use this API as part of Vulnerability Assessment (VA) testing to find out whether Appian allows the upload of double-extension files.
We will not have any control over this API.
Just as we have an option to whitelist file extensions in the admin console for file upload, do we have any option to reject the upload of double-extension files (uploaded via the OOTB file upload API)?
There is a file upload API in Appian!?!?!
I suggest contacting Appian to discuss any "features" of built-in functionality.
Thank you Stefan,
As of now we have opened an Appian support ticket to discuss this further.