Forum Discussion

Akhtar_109015
May 01, 2014

File upload Restriction on ASM

Hello All,

Is there any way to restrict the file types that can be uploaded, tied to a specific parameter? Our website has a Resume upload field, so I want to know if I can limit the file type restriction to the Resume upload field on the website.

I restricted the file types (*.doc & *.pdf) using the option below, but our website page (the URL has .aspx) stopped working, since I am not allowing .aspx there; if I allow the .aspx extension, the webpage starts working.

Application Security---->File Types---->Allowed file types

Regards,

Akhtar


6 Replies

  • So yes, you can do this, but not in the area that you have mentioned. Allowed File Types checks the file extension in the URL, not a parameter or its value. So based on what you are saying, in Allowed File Types you need to allow aspx; then I am assuming that the file name is the value of a parameter being passed. So what you want to do is define that parameter, set it up as a Parameter Value Type of User Input with a Data Type of Alpha-Numeric, and then use a RegEx to control the file type. Here is what I am using; not sure if that is the best way, but I am not a RegEx wizard by any means :)

    (?i)\.(txt|pdf|doc|docx|csv|xls|xlsx|jpg|png|gif|jpeg|tiff|tif|ppt|pptx)$

    I also assume there is another parameter that contains the actual file upload itself. You want to create that parameter and set it up as a Parameter Value Type of User Input with a Data Type of File Upload; you can also disallow .exe files from here. Then, if you have an AV scan engine server, I would also recommend using the AV protection integration to offload the file as it passes through the ASM to be AV scanned. Check the configuration guide for steps on how to set it up (link below).

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-4-0/asm_sys_mgmt.html?sr=370424701037564

    Hope that covers your question.


    • xunil321_122934
      Sorry for my ignorance! Does this also mean that only files with the extensions mentioned above could be DOWNLOADED? If yes, is there any way for the ASM to allow downloading ALL types of files and to deny uploading ANY file?
    • fweiss_174951
      You could disallow the methods "POST" and "PUT". You could reduce long_request_buffer_size and work with "Request length exceeds defined buffer size". You could disallow URLs and upload parameters. As shown above, you could use a regex to specify which filename/extension is allowed to be uploaded (filename in the parameter value). You could write a signature triggering on any part of a request, e.g. the filename part:
      Content-Disposition: form-data; name="uploadedfile"; filename="hello.o"
      Choose your flavor.