- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2025 11:24 PM
I want to block or restrict the attachment of files with ".exe" in the filename. I have already filtered the file type to allow only PDFs, but we still want to add a filename restriction as a secondary security measure, as we are passing this file attachment to other integrations.
How can I implement this using a Catalog Client Script since I only plan to apply the restriction to a single catalog item?
Solved! Go to Solution.
- Labels:
-
Service Catalog
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-11-2025 06:45 PM
Got my answer.
I created an onChange Catalog Client Script that calls a script include which then validates the filename under sys_attachment table.
This is the script include, and it's currently working on our end.
var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
checkFile: function() {
var createdByEmail = this.getParameter('sysparm_created_by');
var targetTable = "ZZ_YYsc_cart_item";
var attachmentGR = new GlideRecord('sys_attachment');
attachmentGR.addQuery('table_name', targetTable); //All our attachment's table is in 'ZZ_YYsc_cart_item'
attachmentGR.addQuery('sys_created_by', createdByEmail); //Query the attachment base on who added the attachment
attachmentGR.orderByDesc('sys_created_on'); //Get the latest attachment
attachmentGR.query();
if (attachmentGR.next()) {
var fileName = attachmentGR.file_name.toLowerCase();
if (fileName.includes('.exe')) { //Check if filename has '.exe'
new GlideSysAttachment().deleteAttachment(attachmentGR.sys_id);
return 'unsafe'; //Return Message to Catalog Script
}
}
return 'safe';
},
type: 'filename_validation'
});
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-10-2025 12:29 AM
Thank you for marking my response as helpful.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-11-2025 06:45 PM
Got my answer.
I created an onChange Catalog Client Script that calls a script include which then validates the filename under sys_attachment table.
This is the script include, and it's currently working on our end.
var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
checkFile: function() {
var createdByEmail = this.getParameter('sysparm_created_by');
var targetTable = "ZZ_YYsc_cart_item";
var attachmentGR = new GlideRecord('sys_attachment');
attachmentGR.addQuery('table_name', targetTable); //All our attachment's table is in 'ZZ_YYsc_cart_item'
attachmentGR.addQuery('sys_created_by', createdByEmail); //Query the attachment base on who added the attachment
attachmentGR.orderByDesc('sys_created_on'); //Get the latest attachment
attachmentGR.query();
if (attachmentGR.next()) {
var fileName = attachmentGR.file_name.toLowerCase();
if (fileName.includes('.exe')) { //Check if filename has '.exe'
new GlideSysAttachment().deleteAttachment(attachmentGR.sys_id);
return 'unsafe'; //Return Message to Catalog Script
}
}
return 'safe';
},
type: 'filename_validation'
});
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-11-2025 06:52 PM
This is my catalog client script calling the script include filename_validation:
function onChange(control, oldValue, newValue, isLoading) {
if (isLoading || newValue == '') {
return;
}
var attachmentVar = 'v_attachment';
var ga = new GlideAjax('filename_validation');
ga.addParam('sysparm_name', 'checkFile');
ga.addParam('sysparm_created_by', g_user.email);
ga.getXMLAnswer(function(response) {
if (response === 'unsafe') {
g_form.clearValue(attachmentVar);
g_form.showFieldMsg(attachmentVar, "File Name not accepted", "error");
}
});
}