How to restrict specific file names in attachment variable?

symonflores_23 · ‎02-09-2025

I want to block or restrict the attachment of files with ".exe" in the filename. I have already filtered the file type to allow only PDFs, but we still want to add a filename restriction as a secondary security measure, as we are passing this file attachment to other integrations.

How can I implement this using a Catalog Client Script since I only plan to apply the restriction to a single catalog item?

symonflores_23 · ‎02-11-2025

Got my answer.

I created an onChange Catalog Client Script that calls a script include which then validates the filename under sys_attachment table.

This is the script include, and it's currently working on our end.

var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    
    checkFile: function() {
        var createdByEmail = this.getParameter('sysparm_created_by');
        var targetTable = "ZZ_YYsc_cart_item";

        var attachmentGR = new GlideRecord('sys_attachment');
        attachmentGR.addQuery('table_name', targetTable); //All our attachment's table is in 'ZZ_YYsc_cart_item'
        attachmentGR.addQuery('sys_created_by', createdByEmail); //Query the attachment base on who added the attachment
        attachmentGR.orderByDesc('sys_created_on'); //Get the latest attachment
        attachmentGR.query();

        if (attachmentGR.next()) { 
            var fileName = attachmentGR.file_name.toLowerCase();
            if (fileName.includes('.exe')) { //Check if filename has '.exe'
                new GlideSysAttachment().deleteAttachment(attachmentGR.sys_id);
                return 'unsafe'; //Return Message to Catalog Script
            }
        }
        return 'safe';
    },
    type: 'filename_validation'
});

View solution in original post

Ankur Bawiskar · ‎02-09-2025

@symonflores_23

you can add which extensions are allowed in variable attributes of that attachment variable

allowed_extensions=pdf;doc

Why to have secondary measure?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

symonflores_23 · ‎02-09-2025

Hi Ankur,

PDF is already restricted as the only allowed file type for attachments in this catalog item alone. However, we have also been tasked with restricting the filename for additional security, as we are sending this file to our other integrations.

For example: "Filename.exe.pdf".

How can I do this in catalog client script?

Ankur Bawiskar · ‎02-09-2025

@symonflores_23

I don't think it's a good practice to have secondary check because what if user tomorrow gives some other file which is an actual pdf but has .exe in it's name?

check this script on how to get file name in portal, you will have to tweak it to handle for the attachment variable. the solution I shared was to get file names from the paper-clip icon

function onSubmit() {
	//Type appropriate comment here, and begin script below
	var arr = [];
	
	if(window == null){
		// portal
		var z = this.document.getElementsByClassName("get-attachment ng-binding ng-scope");
		var k;
		for (k = 0; k < z.length; k++) {
			var value = z[k].innerHTML;
			value = value.substring(0, value.indexOf('('));
			arr.push(value.trim());
		} 
		// now check if the allowed file name is present in the array or not
	}
	else{
		// native get all the file names
		$j("a.content_editable").each(function( index ) {
			var val = $j(this).text();
			arr.push(val);
		});
		// now check if the allowed file name is present in the array or not
	}
}

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

symonflores_23 · ‎02-09-2025

Thank you Ankur.