codeBeamer Application Lifecycle Management (ALM)
HTML and SVG files uploaded to codeBeamer may contain malicious JavaScript or other content that enables XSS attacks.

Since codeBeamer 8.0, such files cannot be uploaded to codeBeamer as attachments. If you try to upload an SVG file, you will see that the file is rejected.

By default codeBeamer 8.0 prevents uploading HTML and SVG files.

Because the default settings might not suit every customer, this is configurable: the check can be turned off or different rules can be used. The rules apply globally to codeBeamer, so all projects use the same rules.

The default configuration looks like this; it prevents uploading SVG and HTML files by checking their mime-types.

	<!-- rules which kind of files can be uploaded ? -->
	<uploads>
		<filter orderAllowDeny="false">
			<!-- deny SVG and HTML files -->
			<!-- you could use denyMimeRegexp too -->
			<denyMime>image/svg+xml</denyMime>
			<denyMime>text/html</denyMime>
			<allowMimeRegexp>.*</allowMimeRegexp>
		</filter>
	</uploads>

These upload-filter rules follow the same Allow/Deny model that the Apache Web Server uses to control access to certain resources.

What happens here is:

  • During the upload the system computes the mime-type of the uploaded file. A mime-type is an abstraction that tells the browser or the system how to handle a file with a certain extension. For example, "apple.html" and "apple.htm" are both HTML files, and both have the "text/html" mime-type.
  • The orderAllowDeny boolean setting defines whether the "Allow" rules or the "Deny" rules are evaluated first. orderAllowDeny="true" means "Allow/Deny": the "allow" rules are evaluated first, then the "deny" rules. "false" means the opposite order.
  • You can use the following rules inside the "filter" tag:
    • <allowMime>value</allowMime> : Allows the file upload if the mime-type is the same as the value provided
    • <allowMimeRegexp>value</allowMimeRegexp> : Allows the file upload if the mime-type matches the regular expression provided
    • <denyMime>value</denyMime> : Denies the file upload if the mime-type is the same as the value provided
    • <denyMimeRegexp>value</denyMimeRegexp> : Denies the file upload if the mime-type matches the regular expression provided

Finally, the uploaded file's mime-type is checked against the rules, and if the rules do not allow the upload, the file is rejected.
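To make the evaluation order concrete, here is an added Python sketch (not codeBeamer's own code) that parses the filter block above and decides whether a detected mime-type is accepted. It assumes that the first rule group with a matching rule decides, that regexp rules must match the whole mime-type, and that a mime-type matching no rule is rejected; verify all three against your codeBeamer version. Under those assumptions it also shows why flipping orderAllowDeny to "true" while keeping the catch-all allowMimeRegexp silently lets SVG and HTML through: the allow rule now matches before the deny rules are ever consulted.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config: the default filter shown on the page, minus comments.
DEFAULT_CONFIG = """
<uploads>
  <filter orderAllowDeny="false">
    <denyMime>image/svg+xml</denyMime>
    <denyMime>text/html</denyMime>
    <allowMimeRegexp>.*</allowMimeRegexp>
  </filter>
</uploads>
"""
# Same rules with the evaluation order flipped (allow rules first).
FLIPPED_CONFIG = DEFAULT_CONFIG.replace('orderAllowDeny="false"', 'orderAllowDeny="true"')

def parse_filter(xml_text):
    """Return (order_allow_deny, allow_rules, deny_rules) from an <uploads> block."""
    flt = ET.fromstring(xml_text).find("filter")
    order_allow_deny = flt.get("orderAllowDeny", "false").lower() == "true"
    allow, deny = [], []
    for el in flt:
        value = (el.text or "").strip()
        if el.tag == "allowMime":
            allow.append(("exact", value))
        elif el.tag == "allowMimeRegexp":
            allow.append(("regexp", re.compile(value)))
        elif el.tag == "denyMime":
            deny.append(("exact", value))
        elif el.tag == "denyMimeRegexp":
            deny.append(("regexp", re.compile(value)))
    return order_allow_deny, allow, deny

def _matches(rules, mime):
    # Exact rules compare the full string; regexp rules must match the whole mime-type (assumption).
    return any(value == mime if kind == "exact" else value.fullmatch(mime) is not None
               for kind, value in rules)

def is_upload_allowed(xml_text, mime):
    """Decide whether a file with the detected mime-type passes the filter.
    Assumptions: the first rule group with a match decides, and a mime-type that
    matches no rule at all is rejected (fail closed)."""
    order_allow_deny, allow, deny = parse_filter(xml_text)
    groups = [("allow", allow), ("deny", deny)] if order_allow_deny else [("deny", deny), ("allow", allow)]
    for name, rules in groups:
        if _matches(rules, mime):
            return name == "allow"
    return False

if __name__ == "__main__":
    for cfg_name, cfg in (("default", DEFAULT_CONFIG), ("flipped", FLIPPED_CONFIG)):
        for mime in ("image/svg+xml", "text/html", "image/png"):
            print(cfg_name, mime, "allowed" if is_upload_allowed(cfg, mime) else "rejected")
```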