You are not logged in. Click here to log in.

codebeamer Application Lifecycle Management (ALM)
Login
 Projects
 Wiki
Last ModifiedRecently Visited Items
Search In Project
Search inClear
anonymous
[WIKIPAGE-1595265] Configuring which files can be uploaded to codeBeamer
Tags:  not added yet

Configuring which files can be uploaded to codeBeamer

When you upload an HTML or SVG file to codeBeamer that may/can contain malicious javascripts or other potential XSS attacks.

Since codeBeamer 8.0 such files can not be uploaded to codeBeamer as attachments. If you try to upload an SVG file you will see that file is being rejected:

By default codeBeamer 8.0 prevents uploading HTML and SVG files.

As the default settings might be unwanted for some customers, this is configurable, so that this can be turned off or managed with different rules. The rules are globally applied for codeBeamer: all projects will use the same rules. This is configurable on the Application Configuration page.

The default configuration looks like this, and it prevents uploading SVG and HTML files by checking their mime-types. 

  // rules which kind of files can be uploaded ?
  "uploads" : {
    "filter" : {
      "orderAllowDeny" : false,
      "denyMime" : [ "image/svg+xml","text/html", "text/docx" ],
      "allowMimeRegexp" : [".*"]
    }
  }

These upload-filter rules use the similar Allow/Deny rules of what is used in Apache Web Server to configure access to certain resources.

What happens here is:

  • During the upload the system computes the mime-type of the uploaded file. Mime-type is a kind of abstraction which tells the browser or the system how to handle a file with some certain extension. For example the "apple.html" and "apple.htm" both are HTML files and they have "text/html" mime-type defined.
  • The orderAllowDeny boolean setting defines if the first the "Deny" or first the "Allow" rules are evaluated. The orderAllowDeny="true" means "Allow/Deny" so first the "allow" rules are evaluated then the "deny" rules. The "false" means the opposite order.
  • You can have the following rules inside the "filter" tag:
    • <allowMime>value</allowMime> : Allows file-upload if the mime-type is same as the value provided
    • <allowMimeRegexp>value</allowMimeRegexp> : Allows file-upload if the mime-type is matching with the Regular Expression provided
    • <denyMime>value</denyMime> : Denies file-upload if the mime-type is same as the value provided
    • <denyMimeRegexp>value</denyMimeRegexp> : Denies file-upload if the mime-type is matching with the Regular Expression provided

So finally the uploaded file's mime-type is checked against the rules, and if the rules does not allow the upload then the file will be rejected.
Fast Links

codebeamer Overview
What is new?
How-to videos

codebeamer Knowledge Base
User's Guide (user manual)
Administrator's Guide
Installation Guide
Developer's Guide
Localization Guide

Services by Intland Software
Product Support
Consulting
Training

Integrations