The ServiceNow platform allows a System Administrator on the system to configure the specific attachment types that can be uploaded to a record on the instance.
The default setting for a new, out-of-box ServiceNow instance is to contain no such restrictions and thus allow users of the instance to upload any type of attachments to a record. However, to help ensure that invalid file types or files that might contain malware are not easily attached to records on the system, a System Administrator can restrict the file types that are allowed as attachments to records on the instance.
This article will describe the method to configure the instance to allow restrictions on file types to be configured and applied on a ServiceNow instance. Similarly, a similar procedure can be performed to adjust the list of allowed file type extensions.
To begin, the System Administrator should determine the specific file types that should or should not be allowed for upload to records on the system. This decision should be made in conjunction with the developers and users of the system to ensure that valid and necessary file extensions are not prohibited from being added to a record.
Once it is determined the specific list of file extensions that should be disallowed from inclusion as an attachment, the following procedures should be followed:
Login to the ServiceNow instance with an account having admin rights to the instance.
Once logged onto the instance, using the Menu Navigator, browse to the following location: System Properties -> Security.
The Security System Properties page will appear for the instance. Locate the property which has the heading "List of file extensions (comma-separated) that can be attached to documents via the attachment dialog. Extensions should not include the dot (.) e.g. xls,xlsx,doc,docx. Leave blank to allow all extensions." The text field below this heading will then contain any file type restrictions.
As indicated above, by default, an out-of-box instance will be configured to not specify any file extension restrictions. This will be reflected in this property being blank (having no text).
However, if some file restrictions have already been specified, this field may already contain one or more values. Any values included in the list indicate that a file with this extension is permissible to be added as an attachment to a record.
Thus, this list should be composed of a comma delineated list (without spaces) of file extensions that should be allowed on the instance (i.e. zip,doc,docx,xls,xlsx,png,jpg,jpeg,bmp,xml,txt,rtf). Ensure to also include any file extension types for images that may need to be attached to Incidents, Knowledge Articles and other records in the system. If this field is cleared out (set to blank), no restrictions on file extensions will be enforced on the instance. The dot operator should not be included, as doing so will cause the system to incorrectly read the extension with the results not being as expected.
One the list has been updated as needed, click one of the Save buttons on the Security Properties page. This button should appear at the top and the bottom of the page.
After making this change, if a user attempts to upload an attachment with an extension that is not found on the list, the following error message will appear and the attachment will not be added.
Important Note: Limiting the extension type in no way checks the actual file type, it simply restricts or allows a file attachment based on the file name extension. However, the system also has the capability to perform validation that the MIME type of a file is synchronized to the file extension and can block an attachment being added to the document in cases in which the registered MIME type of the file is not contiguous with the file extension.
This setting is also found on the Security Properties Page on the instance. It can be found on that same page under the description heading "This property must be set to activate MIME type checking for uploads (All version Eureka and up). Enables (true) or disables (false) mime type validation for file attachments. File extensions configured via glide.attachment.extensions will be checked for MIME type during upload."
This property can thus be adjusted from this same properties page by selecting the needed option and clicking the Save button. If the checkbox corresponding to this property is not selected (unchecked), the system will not perform any type of checking to ensure that the internal file type as represented by the attachment is synchronized with the file name extension. However, if this property is selected (checked), it will do a run-time check on the uploaded file to determine if the file's internal MIME type corresponds to a legal file extension for that file type. If not, the attachment will be disallowed, with an error message similar to the following appearing:
Thus, this behavior can be modified based on the setting of this specific property. Note that if this property is set, but no specific file extension types are specified in the list of allowable file extensions, this property will be ignored.
Note also that these settings are actually controlled by System Properties. Thus, these same properties could be modified by directly accessing the sys_properties record for these properties and modifying that system property record. Care must be taken when doing so, however, to ensure that the data type or other fields of the property are not changed as this could result in unexpected results. The names of the first property discussed, which controls the allowable file extensions has the Name glide.attachment.extensions. The name of the System Property which controls the condition of comparing the MIME type to the actual file extension is called glide.security.file.mime_type.validation.
The following URL on the ServiceNow Documents site briefly describes these and other specific properties that are related to attachments on the instance: