
Secure File Uploads


This section focuses on the principles and best practices for secure file uploads to protect the platform and its users from threats like malware and unauthorized access. You can mitigate risks by implementing validation, sanitization, and access control measures while maintaining critical functionality. Whether you’re managing images, documents, or various file types, these strategies help optimize usability without compromising security.

What is it?

File uploads are essential to many digital processes, from sharing documents to submitting forms. However, they pose significant security risks when improperly managed. Threat actors often exploit vulnerabilities in file uploads to inject malicious content, gain unauthorized access, or disrupt systems. Ensuring secure file uploads is critical to maintaining system integrity, protecting sensitive data, and fostering trust.

What Can Go Wrong?

File upload vulnerabilities can be a severe security risk if not properly managed. Attackers often target file upload functionalities to exploit weaknesses and introduce malicious files into an application. These files, once uploaded, can pose various risks depending on how the system handles them.

Some of the most common issues that can arise from insecure file uploads include:

| Name | Description | Example |
|---|---|---|
| Malicious File Execution | If file uploads are not validated, attackers can upload malicious files such as scripts, executable code, or malware disguised as harmless file types. Once uploaded, these files have the potential to be executed by the application or its environment, allowing attackers to gain unauthorized access to the system or inject malicious payloads. | A web server might inadvertently execute a PHP script disguised as an image file (e.g., malicious.jpg.php), allowing the attacker to run arbitrary code on the server. |
| File Inclusion Attacks | A common vulnerability arises when uploaded files are included or executed within the system. Attackers can exploit this by uploading files containing code that the server can include and execute, leading to remote code execution. | If an application uses an uploaded file as part of a dynamic process (e.g., including a file path from the upload as part of a URL or API call), the attacker could upload a malicious file that is then processed by the system, triggering unintended actions. |
| Remote Code Execution (RCE) | Remote Code Execution is one of the most severe threats in file upload vulnerabilities. If an attacker can upload executable code (such as a shell script) and the server allows it to be executed, the attacker can run commands remotely on the system. | An attacker could upload a web shell (a script that acts as a backdoor), giving them full control over the server. This could lead to data theft, server manipulation, or the use of the server for further attacks. |
| Privilege Escalation | When a system allows uploaded files to be processed with insufficient permission checks, attackers may be able to escalate their privileges. This means they can gain higher access or control levels, bypassing standard security measures that limit user actions. | If an attacker uploads a file that contains code designed to exploit weaknesses in the system, they might be able to elevate their privileges from a regular user to an administrator, gaining access to sensitive information or system settings. |
| Exfiltration of Sensitive Data | If an attacker successfully uploads a malicious file and gains control over the server or application, they may be able to extract sensitive data, such as user credentials, personal information, or financial records. | After exploiting a file upload vulnerability, an attacker might retrieve files from a database or download sensitive customer data, leading to a significant data compromise. |
| Denial of Service (DoS) Attacks | File uploads can also be used as vectors for Denial of Service attacks, especially if large or malformed files are uploaded, consuming excessive resources or causing the system to crash. Attackers can exploit this by sending files that overwhelm the server's processing capabilities. | An attacker could upload huge files or files that require extensive server processing, causing resource exhaustion and making the system unresponsive or unavailable to legitimate users. |

Uploading files can introduce significant vulnerabilities to an application without proper validation and security measures. Secure file handling is critical to protecting against attacks that compromise your system's integrity, confidentiality, and availability.

What Are The Impacts?

Insecure file uploads can add risk to implementations and impact operational reliability.

The following are risks that could be introduced:

  1. Data Loss: Unauthorized access to sensitive data can lead to financial loss, reputational damage, and regulatory penalties.
  2. System Compromise: Executed malicious files may enable attackers to take control of servers or infrastructure.
  3. Service Disruption: Attacks exploiting file uploads can result in downtime or degraded system performance.
  4. Spread of Malware: Uploaded malware can infect users or connected systems, propagating further attacks.
  5. Erosion of Trust: Users and stakeholders may lose confidence in an organization's security practices.

What Are The Defense Strategies?

On the Guidewire Cloud Platform, file uploads are integral for many business functions, making it crucial to manage misuse that can be initiated through file upload vulnerabilities. Vulnerabilities arise when uploaded files are not sufficiently validated, such as improper checks on file extensions, sizes, and content, which allows malicious code to be injected into the ecosystem.

This type of exploit can be mitigated using the following steps:

  1. Stop the upload from occurring if the content or source of the file is unknown or untrusted.
  2. Validate that the content received is the content you were expecting.
  3. Ensure that the received file does not contain hidden malicious exploits.
  4. Don’t execute file content or include it in a page that is being rendered in a browser.

Which Guidewire Features Contribute To Securing File Uploads?

The Guidewire platform includes features to help with file upload vulnerabilities.

Out-of-the-Box File Upload Mechanisms

Leverage InsuranceSuite's built-in file upload functionality instead of building one from scratch. This feature seamlessly integrates with your Document Management System (DMS), ensuring efficient and secure file handling.

File Size Limits

Uploaded file size limits are enforced unless explicitly overridden in the config.xml file. This file includes the parameter MaximumFileUploadSize, which sets the maximum allowable size for document uploads to the server, measured in megabytes. If you attempt to upload a file that exceeds this limit, the upload will fail. This parameter protects the server from potential memory consumption issues caused by large files.

<!-- from config.xml -->
...
<param name="MaximumFileUploadSize" value="25"/>
...

The default file size limit is 25 MB.

File Extension Restrictions

Uploaded file extensions are restricted to a small set of types with no possible executables, excluding even PDFs, unless permitted explicitly by the customer.

Each MIME type defined in the mimetypemapping table may have an optional restrictUploads boolean attribute. If this attribute is set to true, the MIME type will be rejected for upload in contexts where it is not explicitly allowed.

<!-- from config.xml -->
...
<mimetypemapping>
...
<mimetype name="text/richtext" extensions=".rtx" icon="text_mime"/>
<mimetype name="text/xml" extensions=".xml" icon="html_mime" restrictUploads="true"/>
...
</mimetypemapping>
...


MIME Type Consistency

File MIME types must align with their extensions to ensure accurate identification and prevent potential security vulnerabilities caused by mismatches. This validation ensures that files are processed and handled appropriately based on their true content type, reducing the risk of malicious files being disguised with misleading extensions.

<!-- from config.xml -->
...
<mimetypemapping>
...
<mimetype name="text/richtext" extensions=".rtx" icon="text_mime"/>
<mimetype name="text/xml" extensions=".xml" icon="html_mime" restrictUploads="true"/>
...
</mimetypemapping>
...
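The following is an added example (not Guidewire code) that models the controls described above and in the defense steps: it reads a constructed config.xml fragment in the shape of the page's mimetypemapping snippet, then rejects an upload that exceeds MaximumFileUploadSize, uses an extension outside the mapping (judging malicious.jpg.php by its final extension), maps to a MIME type marked restrictUploads="true", or whose bytes do not match the MIME type the extension claims. The magic-byte table and the validation function are assumptions of this example, not part of the platform.

```python
"""Upload validation modelled on the page's config.xml controls (added example,
not Guidewire code): size limit, extension allowlist with restrictUploads, and
a content check that the bytes match the MIME type mapped from the extension."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the page's <param> and <mimetypemapping>.
CONFIG_XML = """
<config>
  <param name="MaximumFileUploadSize" value="25"/>
  <mimetypemapping>
    <mimetype name="image/png" extensions=".png" icon="image_mime"/>
    <mimetype name="image/jpeg" extensions=".jpg,.jpeg" icon="image_mime"/>
    <mimetype name="text/xml" extensions=".xml" icon="html_mime" restrictUploads="true"/>
  </mimetypemapping>
</config>
"""

# Leading bytes that confirm the content really is the mapped type (assumed table).
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n",
         "image/jpeg": b"\xff\xd8\xff",
         "text/xml": b"<?xml"}

def load_policy(xml_text):
    """Return (limit_mb, extension->mime, set of restricted mime names)."""
    root = ET.fromstring(xml_text)
    limit_mb = int(root.find("./param[@name='MaximumFileUploadSize']").get("value"))
    ext_to_mime, restricted = {}, set()
    for m in root.iter("mimetype"):
        for ext in m.get("extensions").split(","):
            ext_to_mime[ext.strip().lower()] = m.get("name")
        if m.get("restrictUploads", "false").lower() == "true":
            restricted.add(m.get("name"))
    return limit_mb, ext_to_mime, restricted

def validate_upload(filename, data, policy):
    """Return (accepted, reason). Only the LAST extension counts, so
    'malicious.jpg.php' is judged by '.php', not '.jpg'."""
    limit_mb, ext_to_mime, restricted = policy
    if len(data) > limit_mb * 1024 * 1024:
        return False, "exceeds MaximumFileUploadSize"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = ext_to_mime.get(ext)
    if mime is None:
        return False, f"extension {ext or '(none)'} not in mimetypemapping"
    if mime in restricted:
        return False, f"{mime} has restrictUploads=true"
    sig = MAGIC.get(sig_key := mime)  # fail closed if no signature is known
    if sig is None or not data.startswith(sig):
        return False, f"content does not match {sig_key}"
    return True, mime
```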


Safe Download Practices

Files are not downloaded "inline" by default unless the customer explicitly configures dangerous inline file downloads.

Modifications to the IDocumentContentSource plugin for Document Management System (DMS) integrations can adjust the ContentDispositionType to INLINE to enable inline downloads. This instructs the client browser to load and render the document directly.

By making this modification, you open up an opportunity for an XSS attack.

Additional Strategies

Consider these additional defences in addition to the built-in features to enhance your file upload processes and reduce risks.

Leverage Secure Storage

Ensure uploaded files are stored securely in a Document Management System (DMS) to minimize the impact of any potentially insecure files.

Integrate Malicious Content Scanning Solutions in your DMS

Files on the Guidewire cloud are not automatically scanned, so consider integrating with an external document management system that provides malware scanning.

Endpoint Security

Customers are responsible for ensuring endpoint security with up-to-date antivirus software.

Additional Resources

To further strengthen your understanding and implementation, these resources provide detailed guidance on secure coding practices specific to Guidewire environments.


By incorporating these tailored strategies and examples, you'll enhance the security of file uploads within Guidewire applications.