How to validate/handle file upload for filename contain double extension?

Hi All,

We have an observation from our VA testing team that, while uploading a file, the file name should not contain a double extension, as shown below:

FileUploadBypass.php%00.xlsx

Currently Appian is allowing the file to be uploaded into the application because of the .xlsx extension, but the VA testing team suggested to us that the file name should not contain a double extension.

Any suggestions on how to validate this kind of observation?

Regards,
Sandeep


  • Hi Stefan,

    This API was not created by us. It is present in Appian as OOTB functionality to upload files.
    Testers are trying to use this API as part of Vulnerability Assessment (VA) testing to find out whether Appian allows the upload of a double-extension file.

    We will not have any control over this API.

    Just like we have an option to whitelist file extensions in the admin console for file upload, do we have any option to reject the upload of double-extension files (uploaded via the OOTB file upload API)?
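For anyone wanting to see what the VA team's rule looks like as an actual check, here is a small validator I wrote as an illustration; it is not Appian code and Appian does not expose such a hook, so it would sit in whatever layer fronts the upload endpoint (a gateway, a proxy, or a custom integration). The allow-list, the function names and the 255-character limit are my own assumptions. It rejects the sample name from the question both in its raw `%00` form and after URL decoding, and it enforces "exactly one extension" literally, which is stricter than an allow-list alone.

```python
import re

# Constructed allow-list for the example; Appian's admin-console list is separate.
ALLOWED_EXTENSIONS = {"xlsx", "xls", "csv", "pdf", "png"}

# NUL and other control characters, plus path separators in either convention.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x1f\x7f/\\]")
# A literal percent-encoded NUL, in case the name arrives still URL-encoded.
_ENCODED_NUL = re.compile(r"%00", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a human-readable reason when a file name fails validation."""


def validate_upload_filename(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return the normalised file name (lower-cased extension) or raise UploadRejected.

    Rules, deliberately strict as the VA team asked:
      1. no NUL / control / path-separator characters and no literal "%00";
      2. exactly one extension, i.e. a single dot with a non-empty stem and suffix;
      3. the extension must be on the allow-list (case-insensitive).
    """
    if not name or len(name) > 255:  # 255 is an assumed, typical filesystem limit
        raise UploadRejected("empty or overlong file name")
    if _ENCODED_NUL.search(name):
        raise UploadRejected("percent-encoded NUL in file name")
    if _FORBIDDEN_CHARS.search(name):
        raise UploadRejected("control or path-separator character in file name")
    if name.count(".") != 1:
        raise UploadRejected("file name must have exactly one extension")
    stem, ext = name.rsplit(".", 1)
    if not stem.strip() or not ext:
        raise UploadRejected("missing stem or extension")
    ext = ext.lower()
    if ext not in allowed:
        raise UploadRejected(f"extension .{ext} is not allowed")
    return f"{stem}.{ext}"


def is_acceptable(name: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_upload_filename(name, allowed)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample names, including the one from the question.
    for candidate in ("report.xlsx", "FileUploadBypass.php%00.xlsx",
                      "FileUploadBypass.php\x00.xlsx", "FileUploadBypass.php.xlsx",
                      "../report.xlsx", "report.php"):
        try:
            print(f"ACCEPT {validate_upload_filename(candidate)!r}")
        except UploadRejected as reason:
            print(f"REJECT {candidate!r}: {reason}")
```

Note that the single-dot rule will also reject benign names such as `report.v2.xlsx`; if that is too strict for your users, keep rules 1 and 3 and replace rule 2 with a check that the stem does not end in any extension on a deny-list, and validate the name after URL decoding as well as before, since the `%00` form and the decoded NUL form are the same attack seen at two different layers.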
