How to restrict specific file names in attachment variable?

Go to solution
symonflores_23
Tera Guru

‎02-09-2025 11:24 PM

 

I want to block or restrict the attachment of files with ".exe" in the filename. I have already filtered the file type to allow only PDFs, but we still want to add a filename restriction as a secondary security measure, as we are passing this file attachment to other integrations.

 

How can I implement this using a Catalog Client Script since I only plan to apply the restriction to a single catalog item?

Labels:
0 Helpfuls
  • 955 Views
1 ACCEPTED SOLUTION

Go to solution
symonflores_23
Tera Guru

‎02-11-2025 06:45 PM

 

 

Got my answer.

I created an onChange Catalog Client Script that calls a script include which then validates the filename under sys_attachment table.

 

This is the script include, and it's currently working on our end.

var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    
    checkFile: function() {
        var createdByEmail = this.getParameter('sysparm_created_by');
        var targetTable = "ZZ_YYsc_cart_item";

        var attachmentGR = new GlideRecord('sys_attachment');
        attachmentGR.addQuery('table_name', targetTable); //All our attachment's table is in 'ZZ_YYsc_cart_item'
        attachmentGR.addQuery('sys_created_by', createdByEmail); //Query the attachment base on who added the attachment
        attachmentGR.orderByDesc('sys_created_on'); //Get the latest attachment
        attachmentGR.query();

        if (attachmentGR.next()) { 
            var fileName = attachmentGR.file_name.toLowerCase();
            if (fileName.includes('.exe')) { //Check if filename has '.exe'
                new GlideSysAttachment().deleteAttachment(attachmentGR.sys_id);
                return 'unsafe'; //Return Message to Catalog Script
            }
        }
        return 'safe';
    },
    type: 'filename_validation'
});

 

View solution in original post

0 Helpfuls
7 REPLIES 7

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron
In response to Ankur Bawiskar

‎02-10-2025 12:29 AM

@symonflores_23 

Thank you for marking my response as helpful.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Go to solution
symonflores_23
Tera Guru

‎02-11-2025 06:45 PM

 

 

Got my answer.

I created an onChange Catalog Client Script that calls a script include which then validates the filename under sys_attachment table.

 

This is the script include, and it's currently working on our end.

var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    
    checkFile: function() {
        var createdByEmail = this.getParameter('sysparm_created_by');
        var targetTable = "ZZ_YYsc_cart_item";

        var attachmentGR = new GlideRecord('sys_attachment');
        attachmentGR.addQuery('table_name', targetTable); //All our attachment's table is in 'ZZ_YYsc_cart_item'
        attachmentGR.addQuery('sys_created_by', createdByEmail); //Query the attachment base on who added the attachment
        attachmentGR.orderByDesc('sys_created_on'); //Get the latest attachment
        attachmentGR.query();

        if (attachmentGR.next()) { 
            var fileName = attachmentGR.file_name.toLowerCase();
            if (fileName.includes('.exe')) { //Check if filename has '.exe'
                new GlideSysAttachment().deleteAttachment(attachmentGR.sys_id);
                return 'unsafe'; //Return Message to Catalog Script
            }
        }
        return 'safe';
    },
    type: 'filename_validation'
});

 

0 Helpfuls

Go to solution
symonflores_23
Tera Guru
In response to symonflores_23

‎02-11-2025 06:52 PM

This is my catalog client script calling the script include filename_validation:

function onChange(control, oldValue, newValue, isLoading) {
    if (isLoading || newValue == '') {
        return;
    }

    var attachmentVar = 'v_attachment';

    var ga = new GlideAjax('filename_validation');
    ga.addParam('sysparm_name', 'checkFile');
	ga.addParam('sysparm_created_by', g_user.email);
    ga.getXMLAnswer(function(response) {
        if (response === 'unsafe') {
            g_form.clearValue(attachmentVar);
            g_form.showFieldMsg(attachmentVar, "File Name not accepted", "error");
        }
    });
}
0 Helpfuls