02-09-2025 11:24 PM
I want to block or restrict the attachment of files with ".exe" in the filename. I have already filtered the file type to allow only PDFs, but we still want to add a filename restriction as a secondary security measure, as we are passing this file attachment to other integrations.
How can I implement this using a Catalog Client Script since I only plan to apply the restriction to a single catalog item?
02-11-2025 06:45 PM
Got my answer.
I created an onChange Catalog Client Script that calls a Script Include, which then validates the filename in the sys_attachment table.
This is the script include, and it's currently working on our end.
```javascript
var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    checkFile: function() {
        var createdByEmail = this.getParameter('sysparm_created_by');
        var targetTable = "ZZ_YYsc_cart_item";
        var attachmentGR = new GlideRecord('sys_attachment');
        attachmentGR.addQuery('table_name', targetTable); // All our attachments are stored against 'ZZ_YYsc_cart_item'
        attachmentGR.addQuery('sys_created_by', createdByEmail); // Query the attachment based on who added it
        attachmentGR.orderByDesc('sys_created_on'); // Get the latest attachment
        attachmentGR.query();
        if (attachmentGR.next()) {
            // getValue() returns the field as a string, so string methods are safe to call on it
            var fileName = String(attachmentGR.getValue('file_name')).toLowerCase();
            if (fileName.indexOf('.exe') !== -1) { // Check if the filename contains '.exe' (indexOf also works on ES5 engines)
                new GlideSysAttachment().deleteAttachment(attachmentGR.getUniqueValue());
                return 'unsafe'; // Return message to the Catalog Client Script
            }
        }
        return 'safe';
    },
    type: 'filename_validation'
});
```
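An added example, not part of the original post and not ServiceNow API code: a platform-independent check for the "Filename.exe.pdf" case raised in this thread. It compares dot-separated segments instead of searching for the substring '.exe', so a name such as "notes.executive.pdf" is not rejected. The function and constant names are hypothetical, and the trailing-dot and bidi-control checks go beyond what the thread discusses.

```javascript
// Added example: names below are hypothetical, not ServiceNow APIs.
var ALLOWED_FINAL_EXT = 'pdf';   // the catalog item only accepts PDFs
var BLOCKED_SEGMENTS = ['exe'];  // the thread names only .exe; extend per policy

function checkAttachmentName(rawName) {
    if (typeof rawName !== 'string' || rawName.length === 0) {
        return { ok: false, reason: 'empty' };
    }
    // Keep only the last path component (a browser may send a full path).
    var base = rawName.split(/[\\/]/).pop();

    // Control characters and Unicode bidi controls can make a name display
    // differently from how downstream systems parse it.
    if (/[\u0000-\u001f\u007f\u200e\u200f\u202a-\u202e\u2066-\u2069]/.test(base)) {
        return { ok: false, reason: 'control-character' };
    }
    // Windows drops trailing dots and spaces, so "a.exe." is opened as "a.exe".
    if (/[. ]$/.test(base)) {
        return { ok: false, reason: 'trailing-dot-or-space' };
    }
    var parts = base.toLowerCase().split('.').map(function (p) {
        return p.trim();
    });
    if (parts.length < 2 || parts[0] === '') {
        return { ok: false, reason: 'no-extension' };
    }
    if (parts[parts.length - 1] !== ALLOWED_FINAL_EXT) {
        return { ok: false, reason: 'not-pdf' };
    }
    // Inspect every segment between the base name and the final extension.
    for (var i = 1; i < parts.length - 1; i++) {
        if (BLOCKED_SEGMENTS.indexOf(parts[i]) !== -1) {
            return { ok: false, reason: 'blocked-segment' };
        }
    }
    return { ok: true, reason: 'ok' };
}

// Constructed sample names, not taken from any real system.
['Filename.exe.pdf', 'notes.executive.pdf', 'setup.exe'].forEach(function (n) {
    console.log(n, JSON.stringify(checkAttachmentName(n)));
});
```

The same function body can run on the server side, where a check cannot be bypassed by a modified client.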
02-09-2025 11:29 PM - edited 02-09-2025 11:30 PM
You can add which extensions are allowed in the variable attributes of that attachment variable:
allowed_extensions=pdf;doc
Why have a secondary measure?
Ankur
02-09-2025 11:43 PM
Hi Ankur,
PDF is already restricted as the only allowed file type for attachments in this catalog item alone. However, we have also been tasked with restricting the filename for additional security, as we are sending this file to our other integrations.
For example: "Filename.exe.pdf".
How can I do this in a Catalog Client Script?
02-09-2025 11:56 PM
I don't think it's a good practice to have a secondary check, because what if a user tomorrow gives some other file which is an actual PDF but has .exe in its name?
Check this script on how to get the file name in the portal; you will have to tweak it to handle the attachment variable. The solution I shared was to get file names from the paper-clip icon.
```javascript
function onSubmit() {
    //Type appropriate comment here, and begin script below
    var arr = [];
    if (window == null) {
        // portal
        var z = this.document.getElementsByClassName("get-attachment ng-binding ng-scope");
        var k;
        for (k = 0; k < z.length; k++) {
            var value = z[k].innerHTML;
            value = value.substring(0, value.indexOf('('));
            arr.push(value.trim());
        }
        // now check if the allowed file name is present in the array or not
    }
    else {
        // native get all the file names
        $j("a.content_editable").each(function( index ) {
            var val = $j(this).text();
            arr.push(val);
        });
        // now check if the allowed file name is present in the array or not
    }
}
```
Ankur
02-09-2025 11:58 PM
Thank you Ankur.