I want to restrict file uploads (HTTP POST requests) with specific extensions to my web server.
Short description
When you analyze the POST data of an HTTP request, the uploaded content is one of two types: form data or a binary payload.
Note: AWS WAF inspects the first 8 KB (8,192 bytes) of the request body. For information on larger body requests, see Handling oversize web request components in AWS WAF.
To restrict file uploads that use a specific file extension, such as .pdf, .docx, or .exe, complete the following steps:
- Create a custom web access control list (web ACL) rule to inspect the request BODY.
- Create a regex match condition within the rule. Use a regex pattern that lists the file extensions to restrict, so that one rule covers multiple extensions.
- Set the rule action to BLOCK.
- Define the rule priority so that this custom rule is evaluated before any other web ACL rule that could act on the request first.
- Validate that the rule successfully blocks the specific file extension.
Resolution
Identify the type of content that the POST data uses
The POST data inside HTTP requests typically uses either form data or a binary payload.
- Form data is any data that a user enters on a web page (an HTML form) and that HTTP sends ("posts") to the web server.
- A binary payload is anything other than a text payload. For example, a binary payload can be a .jpeg file, a .gzip file, or an .xml file. This includes generic binary data such as a PDF document, a JPEG image, or a ZIP archive. For the full list of media types, see Media types on the Internet Assigned Numbers Authority (IANA) website.
To identify the type of POST request, check the value of the Content-Type header in the HTTP POST request. The following example shows a Content-Type of multipart/form-data:
Content-Type: multipart/form-data
If the "Content-Type" header has the value "multipart/form-data", then complete the following steps to create a rule:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, choose the AWS Region where you created your web ACL.
  Note: If you set up your web ACL for Amazon CloudFront, then select Global.
- Select your Web ACL. Then, choose the Rules tab.
- Choose the Add Rules dropdown list, and then choose Add my own rules and rule groups.
- For the Rule type, choose Rule Builder.
- For Name, enter a name to identify this rule.
- For Type, choose Regular rule.
- For If a request, choose matches the statement. Then, complete the following fields for the Statement:
  - For Inspect, choose Body.
  - For Content type, choose JSON.
  - For JSON match scope, choose Values.
  - For How AWS WAF should handle the request if the JSON in the request body is invalid, choose the relevant option for your use case.
  - For Content to inspect, choose Full JSON content.
  - For Match type, choose Matches regular expression.
  - For Regular expression, enter a regex pattern to match. See the following example (each dot is escaped with a backslash so that it matches a literal period rather than any character):
    (?:\.pdf|\.doc|\.docx|\.ppt)
- (Optional) For Text transformation, you can add a text transformation, or keep these fields as None.
- For Oversize Handling, choose the relevant option for your use case.
- For Action, choose Block.
- Choose Add Rule.
- (Optional) For Set Rule Priority, select your rule and move its priority. AWS WAF processes the rules in the order that they appear. For more information, see Processing order of rules and rule groups in a web ACL.
- Choose Save.
- Validate that the rule works as expected.
If the "Content-Type" header has a binary value such as "application/pdf" or "application/ppt", then complete the following steps to create a rule:
- Open the AWS WAF console.
- In the navigation pane, under AWS WAF, choose Web ACLs.
- For Region, choose the AWS Region where you created your web ACL.
  Note: If you set up your web ACL for Amazon CloudFront, then select Global.
- Select your Web ACL. Then, choose the Rules tab.
- Choose the Add Rules dropdown list, and then choose Add my own rules and rule groups.
- For the Rule type, choose Rule Builder.
- For Name, enter a name to identify this rule.
- For Type, choose Regular rule.
- For If a request, choose matches the statement. Then, complete the following fields for the Statement:
  - For Inspect, choose Single header.
  - For Header field name, enter Content-Type.
  - For Match type, choose Matches regular expression.
  - For Regular expression, enter a regex pattern to match. See the following example for .pdf and .jpeg files:
    (?:pdf|jpeg)
- (Optional) For Text transformation, you can add a text transformation, or keep these fields as None.
- For Action, choose Block.
- Choose Add Rule.
- (Optional) For Set Rule Priority, select your rule and move its priority. AWS WAF processes the rules in the order that they appear. For more information, see Processing order of rules and rule groups in a web ACL.
- Choose Save.
- Validate that the rule works as expected.
Note: To restrict the rule to a specific upload URI path, add an AND statement to the web ACL rule that also inspects the URI path, so that the rule blocks only uploads to that path.
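The two console procedures above, combined with the URI path restriction from the note, expressed as a single AWS WAF rule in the JSON form that the console's rule JSON editor and the wafv2 API accept. This is an added example, not from the original article or from AWS. It assumes a hypothetical upload path prefix of /upload, a rule name of BlockRestrictedUploadExtensions, and fail-closed choices (MATCH) for invalid JSON and oversize bodies; the SingleHeader name must be lowercase, and the LOWERCASE transformation makes both patterns case-insensitive.

```json
{
  "Name": "BlockRestrictedUploadExtensions",
  "Priority": 0,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockRestrictedUploadExtensions"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/upload",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        },
        {
          "OrStatement": {
            "Statements": [
              {
                "RegexMatchStatement": {
                  "FieldToMatch": { "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "VALUE",
                                                  "InvalidFallbackBehavior": "MATCH", "OversizeHandling": "MATCH" } },
                  "RegexString": "(?:\\.pdf|\\.doc|\\.docx|\\.ppt)",
                  "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
                }
              },
              {
                "RegexMatchStatement": {
                  "FieldToMatch": { "SingleHeader": { "Name": "content-type" } },
                  "RegexString": "(?:pdf|jpeg)",
                  "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
                }
              }
            ]
          }
        }
      ]
    }
  }
}
```

The OrStatement makes the rule block either a form upload whose JSON body values name a restricted extension or a binary upload whose Content-Type names pdf or jpeg, and the AndStatement limits both checks to requests under the /upload path. Give the rule a lower Priority number than any rule that would otherwise allow these requests.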