Forum Discussion

Dev_56330's avatar
Dev_56330
Icon for Cirrus rankCirrus
Jan 26, 2017
Solved

Using ASM to Restrict File Uploads to PDF Only

I would like to restrict file uploads to only PDF's for a single upload url using ASM on v12.1. I see there have been several discussions around this but I still have been unable to get this to work.

 

 

  • I have created a security policy in ASM.
  • I have created an allowed URL .
  • I have created an allowed file type of PDF.
  • I have created a parameter at the URL level for .

Though at this point I am unsure of what my next step should be to restrict the upload to only PDF's. Any help is appreciated.

 

  • Answer provided by F5 Employee.

     

    1. Detecting file upload
    2. Validating the file type to be uploaded using ASM: a.Identify the parameter name i.Parse the HTTP request using an inspection tool (e.g. HTTPWatch) ii.Search the ASM logs iii.Ask the Dev team b.Add the parameter to the configuration by: i.Manually configuring it in the Parameters section ii.Searching the Policy Building  Manual  Entity learning section c.Create the parameter i.Parameter Level: Global (though you can be specific and associate to a web object) ii.Parameter Value Type: User-Input iii.Data Type  Check Max Length: Give a number (e.g. 100) iv.Data Type  Regular expression: (?i).(gif|jpeg|jpg|bmp) v.(?i) – ignore case sensitivity
    3. Add additional file types inside parenthesis and separate by | i.Click on Create ii.Apply the policy iii.Validate the enforcement iv.Upload a different file extension v.Reporting  Requests: verify that the following violation was detected: vi.Parameter value does not comply with regular expression

2 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    Dev, i don't believe ASM explicitly does this, although i haven't got v12.1 in a lab to check if that's a new feature. you can protect yourself by ensuring the parameter is of type "file upload" and check the box to not allow executables.

     

    I did come across this post on DC which may help though - although i can't vouch for it as never tried it.

     

    file-upload-restriction-on-asm

     

    Hope this helps,

     

    N

     

  • Answer provided by F5 Employee.

     

    1. Detecting file upload
    2. Validating the file type to be uploaded using ASM: a.Identify the parameter name i.Parse the HTTP request using an inspection tool (e.g. HTTPWatch) ii.Search the ASM logs iii.Ask the Dev team b.Add the parameter to the configuration by: i.Manually configuring it in the Parameters section ii.Searching the Policy Building  Manual  Entity learning section c.Create the parameter i.Parameter Level: Global (though you can be specific and associate to a web object) ii.Parameter Value Type: User-Input iii.Data Type  Check Max Length: Give a number (e.g. 100) iv.Data Type  Regular expression: (?i).(gif|jpeg|jpg|bmp) v.(?i) – ignore case sensitivity
    3. Add additional file types inside parenthesis and separate by | i.Click on Create ii.Apply the policy iii.Validate the enforcement iv.Upload a different file extension v.Reporting  Requests: verify that the following violation was detected: vi.Parameter value does not comply with regular expression