Which file types are safe for Jira
Introduction
A common question for Attachment Checker users is what are the file types are safe to be uploaded.
We wrote this KB article to help
Consideration Criteria
Here are some questions to ask yourself
Whether the file type can execute malicious logic
Whether the file type can be a carrier of viruses or malicious files
Whether the file type is a commonly used and can be used in future
Whether the file type take up a lot of disk space
Our Recommendations
Through our years of using Jira/Confluence, we recommend to set the allowlist with the minimal set of file types below.
You can refine the list based on the profile of your end users.
You can use this list in the Attachment Checker’s AllowList configuration.
jpg,png,gif,svg,ai,eps,psd,tif,xcf,doc,docx,xls,xlsx,ppt,pptx,dotx,xltx,potx,pdf,key,csv,log,sql,txt,html,xml,mov,mp4,m4v
Commonly Used File Types
Safe File Types
Those in green are in our recommended list
Type | Extensions | Remarks |
---|---|---|
Common used Images | gif, jpg, png, svg | We don’t recommend to allow BMP because it takes a lot of space |
Other images | ai, eps, psd, tif, xcf | These are file formats used by popular image editors |
Microsoft Office Documents | doc, docx, xls, xlsx, ppt, pptx | |
Microsoft Office Document Templates | dot, dotx, pot, potx, xlt, xltx | Only include them if you need to store the template files |
OpenOffice Documents | ods, odp, odt | |
OpenOffice Document Templates | odt | |
Other Document Types | key, pdf, rtf, tex, xps, vss | |
Text Files | csv, log, sql, txt | |
Multimedia (Audio) | wav, wma, mp3 | |
Multimedia (Videos) | mov, mpg, mp4, m4v, qt, wmv | Potentially used for screen recording |
Web | htm, html, xml |
Dangerous File Types
This is not an exhaustive list of dangerous. We only list some of them as examples to explain the risks.
Hence we recommend to use the AllowList mode.
Types | Example Extensions | Remarks |
---|---|---|
Executables | com, exe, pif, msi, scr, cpl, msc, bin | It is possible to include malicious logic or put viruses in the executables |
Scripts | bat, py, wsf, cmd, ps1 | Double clicking on the batch script can execute the script on Windows |
Macro | docm, dotm, xlsm, xltm, xlam, pptm, potmxlsm | It is possible to add malicious logic in macros. There are also some macro viruses around |
Compressed files | gz, zip, tar, 7z, arj, rar | It is possible to compress the malicious files in the archives. Hence we included them in this category |
msg, eml, pst | Likewise, it is possible to attach malicious file types within the email |
References
https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
https://blog.filestack.com/thoughts-and-knowledge/document-file-extensions-list/
https://www.howtogeek.com/171993/macros-explained-why-microsoft-office-files-can-be-dangerous/
Javascript