Forum Discussion

Dev_56330
Jan 26, 2017

Using ASM to Restrict File Uploads to PDF Only

I would like to restrict file uploads to only PDFs for a single upload URL using ASM on v12.1. I see there have been several discussions around this but I still have been unable to get this to work.

  • I have created a security policy in ASM.
  • I have created an allowed URL .
  • I have created an allowed file type of PDF.
  • I have created a parameter at the URL level for .

Though at this point I am unsure of what my next step should be to restrict the upload to only PDFs. Any help is appreciated.
  • Answer provided by F5 Employee.


    1. Detecting file upload
    2. Validating the file type to be uploaded using ASM:
       a. Identify the parameter name
          i. Parse the HTTP request using an inspection tool (e.g. HTTPWatch)
          ii. Search the ASM logs
          iii. Ask the Dev team
       b. Add the parameter to the configuration by:
          i. Manually configuring it in the Parameters section
          ii. Searching the Policy Building > Manual > Entity learning section
       c. Create the parameter
          i. Parameter Level: Global (though you can be specific and associate to a web object)
          ii. Parameter Value Type: User-Input
          iii. Data Type > Check Max Length: Give a number (e.g. 100)
          iv. Data Type > Regular expression: (?i).(gif|jpeg|jpg|bmp)
          v. (?i) – ignore case sensitivity
    3. Add additional file types inside parenthesis and separate by |
       i. Click on Create
       ii. Apply the policy
       iii. Validate the enforcement
       iv. Upload a different file extension
       v. Reporting > Requests: verify that the following violation was detected:
       vi. Parameter value does not comply with regular expression
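As an added example that is not part of the F5 answer or of ASM itself, here is a small Python harness that replays the answer's Max Length and regular-expression checks against constructed filenames, adapted to Dev's PDF-only case. The tightened pattern, the helper names and the use of re.search to stand in for ASM's matching mode are assumptions; the point is to see which filenames the unanchored pattern lets through before step 3.iii, "Validate the enforcement".

```python
import re

# Regex from the F5 answer, adapted here to the asker's PDF-only case
# (the answer's own example lists image extensions). It is reproduced as
# written in the thread: unescaped dot, no anchors.
LOOSE_PDF = r"(?i).(pdf)"

# Tightened pattern (an assumption added in this example, not from the
# thread): anchored at both ends, literal dot, no path separators, and
# nothing allowed after the extension.
STRICT_PDF = r"(?i)^[^/\\]+\.pdf$"

def value_matches(pattern, value):
    """True if the parameter value passes the regular-expression check.
    The thread does not say whether ASM anchors this check, so re.search
    is assumed as the least strict interpretation; that is exactly why an
    explicitly anchored pattern is the safer configuration."""
    return re.search(pattern, value) is not None

def passes_parameter_checks(value, pattern, max_length=100):
    """Apply the two checks from the answer (Max Length, then the regex)
    to one parameter value and return (passed, reason)."""
    if len(value) > max_length:
        return False, "value exceeds Max Length"
    if not value_matches(pattern, value):
        return False, "Parameter value does not comply with regular expression"
    return True, "ok"

# Constructed filenames a tester might submit when validating enforcement
# (steps 3.iii and 3.iv in the answer).
SAMPLE_FILENAMES = [
    "report.pdf",        # the intended upload
    "Q1-REPORT.PDF",     # upper case, should still pass thanks to (?i)
    "invoice.pdf.exe",   # real extension is not .pdf
    "notapdf",           # no dot at all
    "../report.pdf",     # path characters inside the filename
    "pdf",
]

def evaluate(pattern):
    """Map each sample filename to whether it passes the regex check."""
    return {name: value_matches(pattern, name) for name in SAMPLE_FILENAMES}

if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        print(f"{name:18} loose={value_matches(LOOSE_PDF, name)!s:5} "
              f"strict={value_matches(STRICT_PDF, name)}")
```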
  • nathe

    Dev, I don't believe ASM explicitly does this, although I haven't got v12.1 in a lab to check if that's a new feature. You can protect yourself by ensuring the parameter is of type "file upload" and check the box to not allow executables.

    I did come across this post on DC which may help though - although I can't vouch for it as never tried it.

    file-upload-restriction-on-asm

    Hope this helps,

    N
