File Security

To protect the system from unwanted or malicious files, all uploaded files go through a series of validation and security checks. These checks ensure that only safe and compliant files are processed.

Validation Steps

Uploaded files are validated through the following steps:

  1. File size check

    • Verifies that the uploaded file does not exceed the maximum allowed size
    • Prevents denial-of-service attempts caused by overly large files
  2. File name length check

    • Verifies that the file name is within acceptable length limits
    • Prevents issues with excessively long file names that may cause storage or display problems
  3. File extension check

    • Verifies that the file extension is included in the system's list of allowed extensions
    • Prevents execution or upload of disallowed file types
  4. File content verification

    • Verifies that the internal content of the file matches the declared extension
    • Prevents files disguised with misleading extensions (e.g., a script renamed as a .jpg)
    • Requires proper configuration to function
    • Only available in cloud environments
  5. Anti-malware scanning

    • Verifies that the file does not contain viruses, trojans, or other malicious payloads
    • Uses the configured anti-malware solution to scan the file
    • Requires proper configuration to function

It is strongly recommended to make sure all of these checks are enabled to ensure comprehensive protection.

Configuration

File extension check

Available in: Lime Admin > System > Files > Security > Allowed file extensions

When performing the File extension check, the system compares each uploaded file's extension against this list, enabling administrators to manage which file types are allowed.

If the allowlist is left empty, the system falls back to the default allowlist defined in the service configuration. If no default allowlist is defined, all file extensions are allowed.

Warning

Leaving the allowlist empty without a system default means that any file extension can be uploaded, which may expose the system to unwanted or malicious files.
To maintain security, it is strongly recommended to explicitly configure the allowlist.

Configuring the default allowlist

The default allowlist for file extensions is configured at the service level and applies when no application-specific allowlist is set in Lime Admin.

file:
  security:
    extension_allowlist:
      - txt
      - pdf
      - jpg

The configuration uses the same format as the allowlist in Lime Admin:

  • Extensions are defined without a leading dot (txt, not .txt)
  • Extensions with multiple segments are supported, e.g. tar.gz
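The following is an added example, not Lime CRM's own code, that mirrors the validation steps listed above (size, name length, extension allowlist, content-versus-extension check) together with the allowlist rules from this section: no leading dots, multi-segment extensions such as tar.gz, an empty application allowlist falling back to the service default, and no default at all meaning every extension is accepted. The size and name-length limits and the magic-byte table are assumptions chosen for the illustration.

```python
MAX_SIZE = 5 * 1024 * 1024   # assumed limit for the illustration: 5 MiB
MAX_NAME_LEN = 255           # assumed limit for the illustration

# Assumed content signatures (magic bytes) for step 4; a real deployment maps many more types.
MAGIC = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def effective_allowlist(app_allowlist, default_allowlist):
    """Empty application allowlist falls back to the service default; no default at all
    means every extension is allowed (returned as None). Leading dots and case are normalised."""
    chosen = app_allowlist or default_allowlist
    if not chosen:
        return None
    return {e.lower().lstrip(".") for e in chosen}


def matching_extension(filename, allowlist):
    """Return the allowed extension the name ends with, preferring multi-segment ones
    (tar.gz is tried before gz), or None if no allowed extension matches."""
    parts = filename.lower().split(".")[1:]
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in allowlist:
            return candidate
    return None


def validate_upload(filename, data, app_allowlist=(), default_allowlist=()):
    """Run steps 1-4 in the page's order. Each entry is True (passed), False (failed)
    or None (skipped, e.g. no signature known for the type). Returns (ok, results)."""
    results = {
        "size": len(data) <= MAX_SIZE,
        "name_length": len(filename) <= MAX_NAME_LEN,
    }
    allowlist = effective_allowlist(app_allowlist, default_allowlist)
    if allowlist is None:
        ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
        results["extension"] = True          # nothing configured: any extension passes
    else:
        ext = matching_extension(filename, allowlist)
        results["extension"] = ext is not None
    # Step 4: the declared extension's last segment must match the leading bytes of the content.
    signature = MAGIC.get(ext.rsplit(".", 1)[-1]) if ext else None
    results["content"] = data.startswith(signature) if signature else None
    ok = all(v is not False for v in results.values())
    return ok, results
```

Running a shell script renamed to .jpg through validate_upload shows the content step failing even though the extension step passes, which is the disguised-file case step 4 exists for.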

Configuration Methods:

For Lime Cloud environments, the service configuration is managed through the Cloud Admin tool:

  1. Navigate to your Application Cluster's Overview tab
  2. Locate the Service Configuration (json) section
  3. Locate (or add) the file.security section:

    {
        "appserver_config": {
            "service_config": {
                "file": {
                    "security": {
                        "extension_allowlist": [
                            "txt", "pdf", "jpg"
                        ]
                    }
                }
            }
        }
    }
    
  4. Add or modify the extension_allowlist array

  5. Apply the configuration changes

For on-premise installations, update the service configuration file:

file:
  security:
    extension_allowlist:
      - txt
      - pdf
      - jpg

Best Practices:

  • Include only the file extensions that are actually needed for your business processes
  • Regularly review and update the allowlist based on security requirements
  • Consider the security implications of each file type before adding it to the list
  • Test the configuration after changes to ensure it works as expected

Tip

Start with a restrictive list and add extensions as needed rather than starting with a permissive list and removing extensions later.

File content verification

Note

This section applies only if File content verification is enabled and properly configured.

Available in: Lime Admin > System > Files > Security > File content check

When performing File content verification, the system examines the contents of an uploaded file to determine its type and check that it matches the file's extension. If the type is not recognized, administrators can provide additional mappings between file types (MIME types) and extensions.

Validate File

Available in: Lime Admin > System > Files > Security

The system includes a Validate File tool that lets you test an uploaded file against the current file security settings. Each file is checked using the configured validation steps.

Once the validation is complete, the system presents a step-by-step summary showing whether each check passed, failed, or was skipped.

If a file fails a check, the interface may offer possible actions to update the settings. These are only available for specific validation steps and allow administrators to adjust security settings when needed to accept the file.

Note

The File size check is enforced in the web client and at the web server level (nginx) and is therefore not included in the file validation summary.