Introduction
A commonly raised finding in Vulnerability Assessment Tests is CWE-434 (Unrestricted Upload of File with Dangerous Type). With File Type Checker, it is now possible to address this security best practice by configuring the list of file extensions allowed or denied.
Whenever a file is uploaded to a Jira work item, File Type Checker will check the attachment’s file type against the configured list of allowed/denied extensions. If the file type is not authorised, File Type Checker will post a comment to alert the user to remove the file.
Steps
- From the top menu bar, go to Settings > Apps
- Look for File Type Checker under the Apps section on the left sidebar
- Click the Edit Settings button
- It is possible to configure
- Click the Save button to update the settings.
Configuration Settings
| Setting | Description |
|---|---|
| Filter Mode | |
| File Extensions | A comma-delimited list of file extensions |
| Always allow files without extension | If this is checked, files without any extension are allowed |
| Error Message | A customizable error message that is added as a comment whenever an unauthorised file is uploaded |
Recommendations
We recommend using Allowlist mode with the following file types.
| Setting | Recommendation | Remarks |
|---|---|---|
| Filter Mode | Allowlist | Only file types that are explicitly listed should be allowed |
| File Extensions | | This is our recommended list for Internet-facing service desks. You can also run the Attachment Report to see which file types are commonly used. See Which file types are safe for Jira for the list of common file types. |
| Error Message | Sorry. The file type you uploaded is not allowed due to the security policy. | |
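To make the Configuration Settings and the Allowlist recommendation above concrete, here is an added example (not File Type Checker's own code) that evaluates an attachment name against the four settings and returns the comment that would be posted on rejection. The settings object, the sample extension list and the rule that a leading dot alone or a trailing dot counts as "no extension" are assumptions of this example.

```javascript
// Added example (not the File Type Checker app's own code): a minimal
// implementation of the allowlist/denylist decision described above.

// Normalise the comma-delimited "File Extensions" setting into a Set of
// lowercase extensions without leading dots, ignoring blank entries.
function parseExtensionList(setting) {
  return new Set(
    setting
      .split(",")
      .map((e) => e.trim().toLowerCase().replace(/^\.+/, ""))
      .filter((e) => e.length > 0)
  );
}

// Extract the final extension of a file name, lowercased, or null when the
// name has none. Assumption: a leading dot alone (".profile") or a trailing
// dot ("archive.") is treated as a name without an extension.
function fileExtension(fileName) {
  const base = fileName.split(/[\\/]/).pop(); // strip any path component
  const dot = base.lastIndexOf(".");
  if (dot <= 0 || dot === base.length - 1) return null;
  return base.slice(dot + 1).toLowerCase();
}

// Evaluate an upload against the settings. Returns { allowed, comment }:
// `comment` is the configured Error Message when the file is rejected.
// Only the final extension is inspected, so "invoice.pdf.exe" is "exe".
function checkAttachment(fileName, settings) {
  const list = parseExtensionList(settings.fileExtensions);
  const ext = fileExtension(fileName);
  let allowed;
  if (ext === null) {
    allowed = settings.allowFilesWithoutExtension;
  } else if (settings.filterMode === "allowlist") {
    allowed = list.has(ext);
  } else if (settings.filterMode === "denylist") {
    allowed = !list.has(ext);
  } else {
    throw new Error(`unknown filter mode: ${settings.filterMode}`);
  }
  return { allowed, comment: allowed ? null : settings.errorMessage };
}

// Constructed sample settings: Allowlist mode with a short list of document
// and image types (illustrative only, not the page's recommended list).
const sampleSettings = {
  filterMode: "allowlist",
  fileExtensions: "pdf, PNG, .jpg, docx, ",
  allowFilesWithoutExtension: false,
  errorMessage:
    "Sorry. The file type you uploaded is not allowed due to the security policy.",
};
```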