This document describes version 6 of Unblu. If you’re using the latest major version of Unblu, go to the documentation of the latest version. The support period for version 6 ended on 29 August 2023. We no longer provide support or updates for this version. You should upgrade to the latest version of Unblu.
Configuring file uploads
Agents and visitors can upload files to conversations. However, you may want to restrict the types of file that they can upload. This article describes how to do so.
Introduction
Being able to exchange files in a chat conversation is a highly useful feature that most people take for granted. However, it can pose a security risk:
- Participants from outside your network might try to send malicious content to your agents and get them to inadvertently compromise your network’s security.
- Agents may inadvertently upload the wrong file to a conversation and thus share confidential information with unauthorized parties.
File upload checks
Unblu provides a number of configuration properties to mitigate the risks outlined above.
You can define the list of file types that users may not upload with com.unblu.filemanager.fileTypeBlacklist and the list of file types that they may upload with com.unblu.filemanager.fileTypeWhitelist.
The configuration reference lists the possible values for both properties.
To make configuration easier, you can use groups of values for related file types:
- GROUP_ANY is a pseudo-group that matches any file type. If your blacklist or whitelist is empty, it will be treated as if its value were GROUP_ANY.
- GROUP_EXEC contains file types for executable files such as .exe, .bin or .app.
- GROUP_IMAGE includes file types for common image file formats such as .png or .jpg.
- GROUP_OFFICE contains types for files created by a variety of office software suites, for example .docx, .xlsx or .odt.
- GROUP_PDF is used for PDF files.
Files uploaded to Unblu are checked against the file types in the blacklist and whitelist you specify. (A file type is a combination of a file’s signature and its extension, that is, the part of the file name after the final period.) If Unblu finds a match for the uploaded file in the blacklist, it won’t allow the user to upload the file. If it finds a match in the whitelist, the user will be allowed to upload the file.
Unblu always checks both the blacklist and the whitelist for matches.
What happens if Unblu finds a match in both the blacklist and whitelist? That depends on the configuration property com.unblu.filemanager.fileTypeBlackWhiteOrder:
- If the configuration property has the value BLACK_WHITE, the file is checked against the blacklist first, then against the whitelist. If Unblu finds a match in both the blacklist and the whitelist, the match in the whitelist wins.
- If the configuration property has the value WHITE_BLACK, the file is checked against the whitelist first, then against the blacklist. If Unblu finds a match in both the blacklist and the whitelist, the match in the blacklist wins.
You can use this behavior to your advantage, as you will see in the examples below.
Finally, you can encourage users to upload only files of certain types using the configuration property com.unblu.filemanager.fileTypeInputTagHint. Depending on the system the user is on, this will restrict the kind of file they can choose to upload. In the visitor UI, for example, it adds an accept attribute to the send file icon. Often, however, users can work around this limitation with little effort; it adds convenience rather than security.
Examples
Suppose you only want to allow users to upload PDF files and images in the PNG format. You also want to make it harder for them to choose other kinds of file to upload. You could use the following configuration:
com.unblu.filemanager.fileTypeBlacklist=ANY
com.unblu.filemanager.fileTypeWhitelist=GROUP_PDF,IMAGE_PNG
com.unblu.filemanager.fileTypeBlackWhiteOrder=BLACK_WHITE
com.unblu.filemanager.fileTypeInputTagHint=.pdf,.png
In this configuration, the blacklist is evaluated first, then the whitelist. The blacklist blocks all file uploads. Then the whitelist allows users to upload the file types we want. Finally, the hint sets the accept attribute to discourage users from uploading files of any other type.
Now suppose you only want to block uploads of executable files. The following setup would achieve this:
com.unblu.filemanager.fileTypeBlacklist=GROUP_EXEC
com.unblu.filemanager.fileTypeWhitelist=ANY
com.unblu.filemanager.fileTypeBlackWhiteOrder=WHITE_BLACK
Here, the whitelist is evaluated first and allows the upload of all file types. However, when the blacklist is evaluated, it blocks all the file types in GROUP_EXEC. A hint regarding the file types users may upload makes less sense in this case, so we can leave the configuration property for it blank.
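The precedence rules and the two configurations above, modelled as an added Python example (not Unblu code and not part of the original documentation). It assumes extension-only matching, although Unblu also checks file signatures, and group contents limited to the extensions this page names; load, entries, matches, decide and WRONG_ORDER are hypothetical names. WRONG_ORDER shows that flipping the order in the executable-blocking configuration lets the whitelist override the blacklist.

```python
# Illustrative model of the precedence rules described above; not Unblu code.
# Assumptions: extension-only matching; groups hold only extensions named here.
P = "com.unblu.filemanager."
GROUPS = {
    "GROUP_EXEC": {".exe", ".bin", ".app"},
    "GROUP_IMAGE": {".png", ".jpg"},
    "GROUP_OFFICE": {".docx", ".xlsx", ".odt"},
    "GROUP_PDF": {".pdf"},
    "IMAGE_PNG": {".png"},
}
WILDCARDS = {"ANY", "GROUP_ANY"}

def load(text):
    """Parse key=value property lines into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def entries(props, name):
    """Return the list for a property; an empty list is treated as GROUP_ANY."""
    items = [e.strip() for e in props.get(P + name, "").split(",") if e.strip()]
    return items or ["GROUP_ANY"]

def matches(items, ext):
    return any(e in WILDCARDS or ext in GROUPS.get(e, ()) for e in items)

def decide(props, filename):
    """Return 'ALLOW', 'BLOCK', or 'NO_MATCH' (a case this page leaves undefined)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    black = matches(entries(props, "fileTypeBlacklist"), ext)
    white = matches(entries(props, "fileTypeWhitelist"), ext)
    if black and white:
        # Both lists match: the list evaluated second wins.
        order = props[P + "fileTypeBlackWhiteOrder"]
        return "ALLOW" if order == "BLACK_WHITE" else "BLOCK"
    return "BLOCK" if black else "ALLOW" if white else "NO_MATCH"

# The two configurations from the Examples section.
PDF_PNG_ONLY = load("""
com.unblu.filemanager.fileTypeBlacklist=ANY
com.unblu.filemanager.fileTypeWhitelist=GROUP_PDF,IMAGE_PNG
com.unblu.filemanager.fileTypeBlackWhiteOrder=BLACK_WHITE
""")
BLOCK_EXEC = load("""
com.unblu.filemanager.fileTypeBlacklist=GROUP_EXEC
com.unblu.filemanager.fileTypeWhitelist=ANY
com.unblu.filemanager.fileTypeBlackWhiteOrder=WHITE_BLACK
""")
# Constructed misconfiguration: same lists as BLOCK_EXEC, order flipped.
WRONG_ORDER = {**BLOCK_EXEC, P + "fileTypeBlackWhiteOrder": "BLACK_WHITE"}
```

Because an empty list is treated as GROUP_ANY, leaving the whitelist unset with BLACK_WHITE has the same effect as WRONG_ORDER.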
See also
- Information on executable file extensions and file signatures is widely available online.
- The configuration properties discussed here also affect the Unblu Android and iOS mobile SDKs.
- If you use the concierge, you can disable file uploads during the onboarding and offboarding process.
- If you enabled file uploads to use them in document co-browsing sessions, you should read the articles on configuring the rendering service and the document co-browsing collaboration layer.