We have logged same issue earlier as well (Track Ticket #8569) as a part of security testing, at that time it was fixed on Local, Stage and Production environments, but it seems that somehow it gets open again. User should not be able to upload a non-supported extension file by any mean from application.

This is Security related issue for common control used in throughout the system.
So making as Module - Platform.

Hi Samir,

Can we schedule this along with Security fixes?

Thanks & Regards,
Satya Prakash

Affected Files:

/trunk/WORKTERRAweb/Web/Web Projects/Assets/GeneratedFiles/FileMimeType.xml
/trunk/WORKTERRAweb/Web/SharedFunctionWebTier/SharedFunctionWebTier/SharedFunctionWebTier.csproj
/trunk/WORKTERRAweb/Web/SharedFunctionWebTier/SharedFunctionWebTier/Models/Common/FileUploadModel.cs
/trunk/WORKTERRAweb/Web/SharedFunctionWebTier/SharedFunctionWebTier/CommonClasses/MimeTypeLib.cs

Hi Vijayendra Shinde,

We are verifying the fix on local environment, now executable files are not get imported as a rate file with tampered extension. But we have observed for couple of upload points if user uploads a valid extension file the failure message display- "Invalid file format or threat to system. Cannot upload file." This can be seen in below scenarios.

1] Customizer>Benefits Library>Upload EOI Form, click on "Add Form", select EOI Form and upload PDF file.
2] Customizer>Upload Images. Here upload a image with valid extension.

Above docs (pdf and png image) are getting uploaded successfully on Stage environment, hence reopening.

Hi Vijayendra Shinde,

We are in process of testing of mentioned fix on local (wt-stage) environment, we have observed below inconsistencies while testing, hence reopening the ticket.

1] When user try to upload file size greater than the mentioned limit, application is showing "Invalid file format or threat to system. Cannot upload file." instead of "File size should not be greater than XXXXX KB."

2] Upload PGP Key-> .txt file which is valid extension is not get uploaded, displaying message "Invalid file format or threat to system. Cannot upload file."

3] Manual Import/Export> "Data File Name" - Browse path should not be editable.

Hi Vijayendra Shinde,

You can reproduce #1 by uploading video file of size greater than the set limit from Customizer>Video/Brochure Library>Upload a .wmv file greater than 10240 KB. OR Upload EOI form (.pdf) of size greater than 4069 KB

Also it will be helpful if you shed some light on below finding:

4] Zip Table - MS Office excel file saved as CSV (Comma Delimited) format is not getting uploaded on local (wt-stage) env., but same file is getting uploaded successfully on Stage.

Hi Kunal,

We have resolved issue #1 reported by you.

#1. Now we will get proper message mentioned by you
#2. We never upload txt file on PGP key. Ideally, txt extension should not be their on screen. I have sent an email to Export team for removing txt extension from PGP screen.
#3. As issue #3 is specific to import, please create new JIRA ticket for the same and assign this to Import team

#4. We have resolved this issue.

Please do not compare any LB file upload with Stage file upload as, on Stage no any mime type verification was there. All files were allowed. On LB we are verifying proper mime type. No any EXE will be allowed to upload.

Thanks

We are done with the verification of fix for Benadmin module , we are checking it for all other modules as well

Rajendra Joshi Please check this for Recruit and Onboard module.

Verified on LB using company For QA LB Austin Ind and ASML temp for OnBoard and Recruit modules. Upload functionality working as expected.

Hi Vijayendra Shinde,

We have verified changes for BenAdmin, Recruit and Onboard module , the BenAdmin module checklist is attached with ticket. As per our discussion there is no need to test all the modules (Wellness and Exchange are remaining) as implementation is same across the modules.

Please note from attached checklist for BenAdmin, only scenario failing is .xls file is not getting uploaded as a rate file. We can deploy the changes to Stage environment after fixing this issue.

Cc: Rakesh Roy, Deepali Tidke

Hi Kunal,

After our discussion, we have deployed fix for xls file upload on LB. You can verify that fix on LB and approve patch for Stage.

Thanks.

Hi Vijayendra Shinde,

We have verified the fix, now user can able to upload .xls file as a rate file, with this fix we can deploy the changes to Stage environment.

Hi Vijayendra Shinde,

We are in process of testing mentioned changes on Stage environment, however we have seen that .xls file is not getting uploaded as a rate file. (Customizer>Rates>Import, upload a .xls rate file) "Invalid file format or threat to system. Cannot upload file." message is displaying. Can you please have a look. (Refer attached screenshot for more details).

Hi Kunal,

Will you please attach excel which you are trying to import?

Thanks.

Hi Vijayendra Shinde,

Test file is attached with ticket.

Hi Kunal Kedari,

I tried uploading attached file "TestRateUsedForTesting.xls" on Stage Austin for HSPL company. It uploaded successfully. Please refer attached snapshot "screenshot-1.png"

This is not an issue. Issue is not reproducible.

Hi Vijayendra Shinde,

We can deploy this change to Production.

Fix is verified on Production environment, working as expected. Closing the issue.