Sales Creatio, commerce edition
This documentation is valid for Creatio version 7.16.0. We recommend using the newest version of Creatio documentation.

Secure file upload

You can restrict the processing of certain types of files in Creatio. The security restrictions apply to both the users and integrations, such as third-party web services.

If you enable the secure file upload, Creatio will check the type of each file before processing (e.g., uploading via the [Attachments and notes] detail). If the file type is restricted, the file will not be uploaded, and the user will receive a notification that the processing of the file is denied due to security reasons. The security restrictions do not apply retroactively to the files that have been added to Creatio earlier.

Creatio checks file restrictions when uploading new files. Any user with sufficient permissions can download an already uploaded file of a restricted type.

There are several file security modes:

  • AllowList (“whitelist”) of file extensions. Creatio processes only files whose extensions are specified in the whitelist.

  • DenyList (“blacklist”) of file extensions. Creatio processes any files whose extensions are not specified in the blacklist.

  • Unknown file types are restricted. Allow or disallow uploading files without an extension when the type of the file cannot be determined by its content.

System administrators manage file restrictions. The general procedure for setting up secure file upload is as follows:

1. Select the preferable file security mode for uploading files.

2. Set up the file extensions allow list or deny list.

3. Define Creatio behavior upon uploading a file of an unknown type.

4. Set up security exceptions for web services if required.

Select file security mode

1. Click the System Designer button to open the System Designer.

2. Open the [System settings] section.

3. Open the [File Security Mode] (FileSecurityMode) system setting.

4. Select the file security mode in the [Default value] field:

  • “Disable file security” – permit uploading files with any extension.

  • “File extensions DenyList” – deny uploading files with blacklisted extensions.

  • “File extensions AllowList” – deny uploading files whose extensions are not in the whitelist.

5. Click [Save].

Set up the file type list

1. Click the System Designer button to open the System Designer.

2. Open the [System settings] section.

3. Open one of the following system settings:

   a. [File extensions AllowList] (FileExtensionsAllowList) – to set up a list of allowed file extensions. By default, this setting contains the most frequently used file extensions.

   b. [File extensions DenyList] (FileExtensionsDenyList) – to set up a list of restricted file extensions. By default, this setting contains extensions usually associated with potentially malicious file types.

4. Enter file extensions as a comma-separated list without whitespace characters in the [Default value] field (Fig. 1) and verify the entered data.

Fig. 1 Setting up the [File extensions AllowList]

5. Click [Save].

Set up restrictions for files of unknown types

Creatio determines the type of a file by its extension. If the file extension is not available, Creatio analyzes the file content to determine the file type. By default, uploading files of unknown types is allowed. You can restrict the processing of unknown file types to increase security. This mode requires setting up a whitelist or blacklist of file extensions.

To deny uploading files of unknown types to Creatio:

1. Click the System Designer button to open the System Designer.

2. Open the [System settings] section.

3. Open the [Allow processing files of unknown type] (AllowFilesWithUnknownType) system setting.

4. Clear the [Default value] checkbox.

5. Click [Save].

Set up web services excluded from file security

File security restrictions apply to all Creatio web services, including services added during customization, in project solutions, and Marketplace applications. Add web services to the list of file security exceptions to allow them to upload files of the restricted file types. To do this:

1. Click the System Designer button to open the System Designer.

2. Open the [Lookups] section.

3. Open the [List of file security excluded Uris] lookup.

4. Click [New].

5. In the [Name] field, specify the URI of the web service to exclude from restrictions. The record will be saved automatically.

   a. A .NET Framework example: /0/rest/[Custom service name]/[Custom service endpoint], without specifying the application domain.

   b. A .NET Core example: /rest/[Custom service name]/[Custom service endpoint], without specifying the application domain.

6. Repeat for other web services to enable them to upload files to the application without restrictions.
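The settings above combine into one decision per upload. The Python sketch below is an added example, not Creatio code: it models that decision as this page describes it, so an administrator can check a planned configuration against sample file names before saving it. Assumptions: extensions compare case-insensitively, only the final extension counts, excluded URIs match exactly, and the hypothetical `sniffed_ext` parameter stands in for the result of content analysis.

```python
import os

# Mode names as shown in the [File Security Mode] setting on this page.
DISABLED = "Disable file security"
DENY_LIST = "File extensions DenyList"
ALLOW_LIST = "File extensions AllowList"

def parse_extension_list(value):
    """Validate a [Default value] string: comma-separated, no whitespace."""
    if any(ch.isspace() for ch in value):
        raise ValueError("list must not contain whitespace characters")
    items = value.split(",")
    if any(not item.strip(".") for item in items):
        raise ValueError("empty entry (stray or trailing comma)")
    # Assumption: entries are compared lower-cased and without a leading dot.
    return [item.lstrip(".").lower() for item in items]

def is_upload_allowed(filename, mode, allow_list, deny_list, allow_unknown,
                      sniffed_ext=None, request_uri=None, excluded_uris=()):
    """Model of the documented upload decision (not Creatio's implementation).

    sniffed_ext stands in for the result of content analysis on a file
    without an extension; None means the type could not be determined.
    """
    # Excluded web services bypass every restriction (assumption: exact match).
    if request_uri is not None and request_uri in excluded_uris:
        return True
    if mode == DISABLED:
        return True
    # Only the final extension counts here, so "invoice.pdf.exe" is "exe".
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if not ext:
        ext = sniffed_ext
    if not ext:
        return allow_unknown  # AllowFilesWithUnknownType
    if mode == ALLOW_LIST:
        return ext in allow_list
    if mode == DENY_LIST:
        return ext not in deny_list
    raise ValueError("unknown file security mode: %r" % mode)

# Constructed sample values, not Creatio defaults.
SAMPLE_ALLOW = parse_extension_list("pdf,docx,png")
SAMPLE_DENY = parse_extension_list("exe,bat,js")
```

The exclusion branch shows why the [List of file security excluded Uris] lookup deserves review: any service listed there accepts every file type regardless of the other three settings.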

See also

The [System settings] section

The [Lookups] section

 
