How to validate/handle file upload for filename contain double extension?

RE: How to validate/handle file upload for filename contain double extension?

Sandeep — Wed, 13 Sep 2023 10:36:36 GMT

Thank you Mathieu Drouin,
On UI at a!fileUploadField() we have put the given validation.

Regards,
Sandeep

RE: How to validate/handle file upload for filename contain double extension?

Sandeep — Wed, 13 Sep 2023 10:13:36 GMT

Thank you Stefan,
As of now we have opened Appian support ticket to discuss further on this.

Regards,
Sandeep

RE: How to validate/handle file upload for filename contain double extension?

Stefan Helzle — Mon, 11 Sep 2023 13:55:08 GMT

There is a file upload API in Appian !?!?!

I suggest to contact Appian to discuss any "features" of built-in functionality.

RE: How to validate/handle file upload for filename contain double extension?

Sandeep — Mon, 11 Sep 2023 12:38:14 GMT

Hi Stefan,

This API is not created by us. It is present in Appian as OOTB functionality to upload file.
Testers are trying to use this API as part of Vulnerability Assessment (VA) testing to find out if Appian is allowing upload of double extension file.

We will not have any control over this API.

Just like we have an option to whitelist file extensions in admin console for file upload, do we have any option to reject upload of double extension files (Uploaded via OOTB file upload API)?

RE: How to validate/handle file upload for filename contain double extension?

Stefan Helzle — Mon, 11 Sep 2023 12:09:03 GMT

Sure. The only problem here is, that you cannot decide whether the file is stored or not. This means, that in case everything is good, just return a 201 HTTP status code. If the file is not good, you need to actively delete the document using a!deleteDocument().

RE: How to validate/handle file upload for filename contain double extension?

Mathieu Drouin — Mon, 11 Sep 2023 12:03:57 GMT

I asked ChatGPT to create a Regex. Haven't had time to extensively test it but it's a starting point.

a!localVariables(
  local!pattern: "^(?=.*\.[^.]+)(?!(?:.*\.[^.]+){2}).*$",
  regexmatch(
    local!pattern,
    "FileUploadBypass.php%00.xlsx"
  )
)

RE: How to validate/handle file upload for filename contain double extension?

Sandeep — Mon, 11 Sep 2023 11:56:04 GMT

Thank Stefan,

As a part of VA testing, testers are using below API to upload the file using third party tool.

URL is: suite/api/tempo/file?validateExtension=true

Method: POST
In the request Body they are passing the file with double extension "FileUploadBypass.php%00.xlsx"

Please suggest, is there any way to block upload of double extension file from OOTB file upload api mentioned above.

Please note: We are using 21.4 version of Appian.

RE: How to validate/handle file upload for filename contain double extension?

Stefan Helzle — Mon, 11 Sep 2023 11:10:37 GMT

len(cleanwith("FileUploadBypass.php%00.xlsx", ".")) > 1

RE: How to validate/handle file upload for filename contain double extension?

Sandeep — Mon, 11 Sep 2023 10:57:44 GMT

Thank you Stewart Burchell,

Could you please suggest some sample validation code, so that i may try to check once.

Regards,
Sandeep

RE: How to validate/handle file upload for filename contain double extension?

Stewart Burchell — Mon, 11 Sep 2023 10:35:31 GMT

A file as you describe will have two period characters in its filename so you can simply validate that the filename can only have one period character in it.