Change: Restrictions to files that can be uploaded to ServiceNow

Effective: 2017/10/11

Release: 5.8.0

Purpose

To protect the platform and its users from malicious files uploaded to the platform. Files can be uploaded via email, which allows unaffiliated users to upload dangerous files without any interaction from platform users.

While this cannot guarantee protection, we are working to strike a balance between the ability to use the platform and protection. Many file types, such as images, have been used in attacks in the past, but blocking images would be detrimental to users of the platform.

Changes

The types of files that can be uploaded to ServiceNow are being restricted.

Permitted File Types

File extensions                                  | Description
xls, xltx, xlsx                                  | Microsoft Excel documents
doc, dotx, docx                                  | Microsoft Word documents
ppt, pptx, potx                                  | Microsoft PowerPoint documents
pdf                                              | Adobe Acrobat files
png, tiff, jpeg, jpg, gif, bmp, heif, heic, webp | Image files
text                                             | Plain text file
csv                                              | Comma Separated Values
pgp                                              | PGP signatures
pub                                              | Publisher files
ics                                              | Calendar file
odt, ods, odp, odg, odf                          | Open Document formats
mp4, mpeg, mpg, m4v, qt, webm                    | Video formats
vdx                                              | Visio document
rpt                                              | Crystal Reports documents
eml                                              | Email file
dwg                                              | AutoCAD file

Prohibited File Types

File extension | Description | Reason for prohibition
exe, app, bin | Executable or binary files | These are common avenues of compromise. If there is a need to share these files, this might best be handled using a service such as Box.
sql | SQL scripts | ServiceNow is not secure enough to store SQL scripts, and we do not want to expose the platform to a malicious SQL script, even if it is only uploaded. These files will be permitted for the time being. We are evaluating alternatives and will work with our customers once we have found one, and before it is implemented, to make sure it works with their business process.
py | Python scripts | ServiceNow is not secure enough to store Python scripts, and we do not want to expose the platform to a malicious Python script, even if it is only uploaded.
rtf | Rich Text files | This is a very open document format. The need for these might be better handled with Microsoft Word or an Open Document Text file (odt).
html | HTML files | Since this is a primarily web-based platform, these can be a threat to users.
zip, gzip, gz, tar, 7z, etc. | Archive or zip files | These can be used to get around our current restrictions. They can house malicious files and can even be constructed to be malicious themselves.
xml | XML files | ServiceNow uses XML heavily in the platform. While there are no known vulnerabilities with XML, we want to restrict the uploading of XML into ServiceNow to protect it against yet-to-be-discovered vulnerabilities.
pem | Cryptographic keys | These can be highly sensitive files which ServiceNow should not be holding onto. Use a more secure place to store these files.
mp3, m4a, aac, wav, m4b, wma | Audio files | There are few known vulnerabilities with audio files. With only .015% of uploads (less than 20) over 6 months, these did not look to be a good addition to the approved list.
json, sh, vbs, ps1 | Script files | These can be common avenues for compromise, both of customers and of the ServiceNow platform.
* | Anything not mentioned here | There was not enough use (or any use) to warrant inclusion in this list. If you need a new file extension added, please see the FAQ.
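The following is an added example, not ServiceNow's or the campus support team's code, showing how the allow-list from the two tables above would be enforced on attachment filenames, including the edge cases an upload filter has to get right (upper-case extensions, path prefixes, trailing dots, and double extensions such as invoice.pdf.exe, which are judged by their last extension). The extension lists and the silent-drop behaviour for email (FAQ 2) come from this page; the function and class names are assumptions of the example.

```python
from typing import NamedTuple, Optional

# Permitted extensions, copied from the "Permitted File Types" table above.
PERMITTED = {}
for _desc, _exts in {
    "Excel": "xls xltx xlsx", "Word": "doc dotx docx", "PowerPoint": "ppt pptx potx",
    "Acrobat": "pdf", "Image": "png tiff jpeg jpg gif bmp heif heic webp",
    "Plain text": "text", "CSV": "csv", "PGP signature": "pgp", "Publisher": "pub",
    "Calendar": "ics", "Open Document": "odt ods odp odg odf",
    "Video": "mp4 mpeg mpg m4v qt webm", "Visio": "vdx", "Crystal Reports": "rpt",
    "Email": "eml", "AutoCAD": "dwg",
}.items():
    for _e in _exts.split():
        PERMITTED[_e] = _desc

# Explicitly prohibited extensions from the second table. Anything else that
# is not in PERMITTED falls under the "*" row and is rejected the same way.
PROHIBITED = set("exe app bin sql py rtf html zip gzip gz tar 7z xml pem "
                 "mp3 m4a aac wav m4b wma json sh vbs ps1".split())

class Decision(NamedTuple):  # hypothetical result type for this example
    allowed: bool
    ext: Optional[str]
    reason: str

def extension_of(filename: str) -> Optional[str]:
    """Effective (last) extension, lower-cased, or None if there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    base = base.strip().rstrip(".")  # "payload.exe." must still count as exe
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()

def check_attachment(filename: str) -> Decision:
    """Allow-list decision. Only the last extension counts, so
    'invoice.pdf.exe' is judged as exe and 'backup.tar.gz' as gz."""
    ext = extension_of(filename)
    if ext is None:
        return Decision(False, None, "no extension (falls under '*')")
    if ext in PERMITTED:
        return Decision(True, ext, "permitted: " + PERMITTED[ext])
    if ext in PROHIBITED:
        return Decision(False, ext, "prohibited")
    return Decision(False, ext, "not on the permitted list ('*')")

def filter_email_attachments(filenames):
    """Email path (FAQ 2): prohibited attachments are dropped silently."""
    return [f for f in filenames if check_attachment(f).allowed]
```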

FAQ

  1. If I need a file type added to the list, how can I have it added?

    Send a request to servicenow-support@berkeley.edu or create an incident and assign it to the ServiceNow Platform Support assignment group with:

    • The file extension
    • What type of file it is, such as the application it would be used with
    • Business need for the file to be in ServiceNow

    We will review the request and inform you of the result as soon as we can. Adding the permitted file type, if approved, should not take longer than 24 hours after approval.

  2. What happens if I email in a prohibited file type?

    The attachment will be dropped without notifying the sender. This is important so that we do not create loops with senders or mail subsystems when the from address is spoofed. The agent will also not receive any notification or message that the attachment is dropped. There is nothing we can do to add that feature to the platform. The email subsystem is beyond our ability to customize.

  3. What happens if I attempt to attach a prohibited file type while using the website?

    ServiceNow will show a dialog immediately after selecting or dropping the file, stating that it was not uploaded due to its type.

  4. How did you decide what file extensions to permit?

    We analyzed the last 6 months of files (file type and date only; no other information was used) to make sure that we met the need of the majority of files that are uploaded (>95% of uploaded files). We also used information about common vulnerabilities (we excluded Office macro documents because of their use in attacks) to help us decide which to permit. File types that were not often used and did not provide a clear business need (such as audio files) were not permitted. If such a need exists, we can evaluate and add the file type if appropriate.