How to restrict specific file names in attachment variable?

symonflores_23
Tera Guru

 

I want to block or restrict the attachment of files with ".exe" in the filename. I have already filtered the file type to allow only PDFs, but we still want to add a filename restriction as a secondary security measure, as we are passing this file attachment to other integrations.

 

How can I implement this using a Catalog Client Script since I only plan to apply the restriction to a single catalog item?

1 ACCEPTED SOLUTION

symonflores_23
Tera Guru

 

 

Got my answer.

I created an onChange Catalog Client Script that calls a script include, which then validates the filename in the sys_attachment table.

This is the script include, and it's currently working on our end.

var filename_validation = Class.create();
filename_validation.prototype = Object.extendsObject(AbstractAjaxProcessor, {

    checkFile: function() {
        // Identity of the uploader, as passed in by the catalog client script
        var createdByEmail = this.getParameter('sysparm_created_by');
        var targetTable = "ZZ_YYsc_cart_item";

        var attachmentGR = new GlideRecord('sys_attachment');
        attachmentGR.addQuery('table_name', targetTable); // All of our attachments are stored under 'ZZ_YYsc_cart_item'
        attachmentGR.addQuery('sys_created_by', createdByEmail); // Only attachments added by this user
        attachmentGR.orderByDesc('sys_created_on'); // Latest attachment first
        attachmentGR.setLimit(1); // Only the latest record is inspected
        attachmentGR.query();

        if (attachmentGR.next()) {
            // getValue() returns a plain string (or null) rather than a GlideElement
            var fileName = String(attachmentGR.getValue('file_name') || '').toLowerCase();
            if (fileName.indexOf('.exe') !== -1) { // Check whether the filename contains '.exe'
                new GlideSysAttachment().deleteAttachment(attachmentGR.getUniqueValue());
                return 'unsafe'; // Message returned to the catalog client script
            }
        }
        return 'safe';
    },
    type: 'filename_validation'
});

 

7 REPLIES

@symonflores_23 

Thank you for marking my response as helpful.

If my response helped, please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

symonflores_23
Tera Guru

 

 

This is my catalog client script calling the script include filename_validation:

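function onChange(control, oldValue, newValue, isLoading) {
    // Nothing to validate while the form loads or when the variable is cleared
    if (isLoading || newValue == '') {
        return;
    }

    var attachmentVar = 'v_attachment'; // Name of the attachment variable on the catalog item

    // Ask the filename_validation script include to check the latest attachment
    var ga = new GlideAjax('filename_validation');
    ga.addParam('sysparm_name', 'checkFile');
    ga.addParam('sysparm_created_by', g_user.email);
    ga.getXMLAnswer(function(response) {
        if (response === 'unsafe') {
            // The script include has already deleted the attachment; clear the variable and tell the user
            g_form.clearValue(attachmentVar);
            g_form.showFieldMsg(attachmentVar, "File Name not accepted", "error");
        }
    });
}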
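
A stricter form of the filename check in the posts above, as an added example that is not part of the original thread or ServiceNow's own code: it compares extensions segment by segment instead of searching for the substring '.exe', so "q3.executive-summary.pdf" passes while "report.exe.pdf" is rejected. It is plain JavaScript; validateAttachmentName, BLOCKED_EXTENSIONS and ALLOWED_FINAL_EXTENSION are hypothetical names, and String.prototype.normalize is assumed to be available in the engine that runs it.

```javascript
// Added example: extension-aware filename check for a PDF-only attachment variable.
// All names below are hypothetical; sample filenames used with it are constructed.
var BLOCKED_EXTENSIONS = ['exe'];      // the extension the thread wants to block
var ALLOWED_FINAL_EXTENSION = 'pdf';   // the thread already allows only PDFs

function validateAttachmentName(rawName) {
    if (typeof rawName !== 'string' || rawName.length === 0) {
        return { ok: false, reason: 'empty' };
    }
    // Control and bidirectional-formatting characters change how a name is displayed.
    if (/[\u0000-\u001f\u007f\u202a-\u202e\u2066-\u2069]/.test(rawName)) {
        return { ok: false, reason: 'control-or-bidi-character' };
    }
    // Normalize compatibility forms and case before any comparison.
    var name = rawName.normalize('NFKC').toLowerCase();
    // Windows drops trailing dots and spaces when the file is written to disk.
    name = name.replace(/[. ]+$/, '');
    // Keep only the last path component if the client sent a path.
    name = name.split(/[\\/]/).pop();

    var parts = name.split('.');
    if (parts.length < 2 || parts[0] === '') {
        return { ok: false, reason: 'no-extension' };
    }
    var extensions = parts.slice(1).map(function (p) { return p.trim(); });
    // A blocked extension is rejected in any position, not only the last one.
    for (var i = 0; i < extensions.length; i++) {
        if (BLOCKED_EXTENSIONS.indexOf(extensions[i]) !== -1) {
            return { ok: false, reason: 'blocked-extension' };
        }
    }
    if (extensions[extensions.length - 1] !== ALLOWED_FINAL_EXTENSION) {
        return { ok: false, reason: 'not-pdf' };
    }
    return { ok: true, reason: 'ok' };
}
```

Because the check in this thread is triggered from a client script, it only runs when the browser calls it; enforcing it for every upload path needs a server-side rule on the attachment table.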