
Configuring Allowed or Blocked File Types

Introduction

A commonly raised finding in vulnerability assessments is CWE-434 (Unrestricted Upload of File with Dangerous Type). File Type Checker lets you address this finding by configuring either an allowlist or a denylist of file extensions for attachments.

Whenever a file is uploaded to a Jira work item, File Type Checker will check the attachment’s file type against the configured list of allowed/denied extensions. If the file type is not authorised, File Type Checker will post a comment to alert the user to remove the file.

(Screenshot: the comment File Type Checker posts when an unauthorised file is uploaded)

Steps

  1. From the top menu bar, go to Settings > Apps.

  2. Look for File Type Checker under the Apps section in the left sidebar.

  3. Click the Edit Settings button.

  4. Configure the settings described under Configuration Settings below.

    (Screenshot: File Type Checker configuration settings)

  5. Click the Save button to update the settings.

Configuration Settings

Filter Mode
  • Allowlist: only the extensions specified are allowed.
  • Denylist: all extensions except those specified are allowed.

File Extensions
  A comma-delimited list of file extensions (for example: jpg,png,pdf).

Always allow files without extension
  If this is checked, files that have no extension are allowed regardless of the list above.

Error Message
  A customizable message that is added as a comment whenever an unauthorised file is uploaded.

Recommendations

We recommend using Allowlist mode with the following settings.

Filter Mode: Allowlist
  Only file types that are explicitly allowed should be accepted.

File Extensions: jpg,png,gif,docx,xlsx,pptx,pdf,key,csv,log,doc,txt,html,xml,mov,mp4,zip,jar
  This is our recommended list for Internet-facing service desks. Review it against your own needs: a shorter list is safer, so remove any entry (for example html, jar or zip) that your service desk does not actually require.
  You can also run the Attachment Report to see which file types are commonly uploaded.
  See Which file types are safe for Jira for a list of common file types.

Error Message: Sorry. The file type you uploaded is not allowed due to the security policy.
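As an added example that is not part of this page or of the File Type Checker app, the following Python models the check described under Configuration Settings and the recommended Allowlist policy above: it parses the comma-delimited File Extensions setting, decides whether an attachment name is allowed in Allowlist or Denylist mode, and honours the "Always allow files without extension" option. How the app itself normalises case, whitespace and names containing several dots is not documented here, so the rules in from_settings and extension_of are assumptions, and the comment text returned by check_upload is illustrative.

```python
"""Reference model of an attachment extension allowlist/denylist check.

Added example only: this is not the File Type Checker app's own code. The
normalisation rules below (case-insensitive match, last dot decides the
extension, trailing-dot and leading-dot names count as having no extension)
are assumptions made for this example.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class FileTypePolicy:
    mode: str                 # "allowlist" or "denylist"
    extensions: frozenset     # lower-case extensions without the leading dot
    allow_no_extension: bool = False

    @classmethod
    def from_settings(cls, mode, extension_list, allow_no_extension=False):
        """Parse the comma-delimited File Extensions setting.

        Whitespace, leading dots and case are normalised, so the setting
        "JPG, .png ,pdf" becomes {"jpg", "png", "pdf"} (assumed behaviour).
        """
        mode = mode.strip().lower()
        if mode not in ("allowlist", "denylist"):
            raise ValueError(f"unknown filter mode: {mode!r}")
        exts = frozenset(
            item.strip().lstrip(".").lower()
            for item in extension_list.split(",")
            if item.strip().lstrip(".")
        )
        return cls(mode, exts, allow_no_extension)


def extension_of(filename):
    """Return the lower-case extension without the dot, or "" if none.

    Assumptions: any path prefix is ignored; the text after the last dot is
    the extension, so "archive.tar.gz" is judged by "gz"; "report." and
    ".htaccess" are both treated as having no extension.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    stem, _, ext = name.rpartition(".")
    if stem == "" or ext == "":
        return ""
    return ext.lower()


def is_allowed(policy, filename):
    """Apply the policy to one attachment name; True means the file may stay."""
    ext = extension_of(filename)
    if ext == "":
        return policy.allow_no_extension
    listed = ext in policy.extensions
    return listed if policy.mode == "allowlist" else not listed


def check_upload(policy, filename, error_message):
    """Return None if the upload is permitted, otherwise the comment text
    that would be posted to alert the user (format is illustrative)."""
    if is_allowed(policy, filename):
        return None
    return f"{error_message} (attachment: {filename})"


if __name__ == "__main__":
    # The recommended Internet-facing service desk allowlist from this page.
    policy = FileTypePolicy.from_settings(
        "Allowlist",
        "jpg,png,gif,docx,xlsx,pptx,pdf,key,csv,log,doc,txt,html,xml,mov,mp4,zip,jar",
    )
    message = "Sorry. The file type you uploaded is not allowed due to the security policy."
    # Constructed sample attachment names covering the edge cases above.
    for name in ["invoice.PDF", "payload.exe", "notes.tar.gz", "README", ".htaccess"]:
        print(name, "->", check_upload(policy, name, message))
```

This check, like the app setting it models, looks only at the file name. It does not inspect the file's contents, so an allowlisted extension does not guarantee that the attachment's content matches its name; keep the allowlist short and pair it with whatever content scanning your environment already applies.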
