MicroStrategy ONE
Enable Enforcing File Path Validation
MicroStrategy Web and Library are designed not to use any path taken from user-controlled input. For additional security, Web and Library support enforcing file path validation before accessing files.
To enable enforcing file path validation:
- Add the following line to the WEB-INF\xml\sys_defaults.properties file:
  enableFilePathValidation=1
  After you enable the feature, only files under the web application root folder can be accessed. For example, apache-tomcat-9\webapps\MicroStrategyLibrary. Access to other files that are outside of the web application root folder will be denied. If you do not need access to other files, you can skip the next step.
- If you want to allow access to files that are outside of the web application root folder, the file path pattern must be added to the mstrExternalConfigurationFileAllowList file.
  The mstrExternalConfigurationFileAllowList file must be placed in a class path that can be loaded by the web application. For example, apache-tomcat-9\webapps\MicroStrategyLibrary\WEB-INF\classes\mstrExternalConfigurationFileAllowList.
  Each line in the mstrExternalConfigurationFileAllowList file defines an allowed access path using glob syntax. A line that cannot be parsed will be ignored.
  For more information on the supported glob syntax, see the FileSystem.getPathMatcher(String) section of Oracle's Class FileSystem documentation.
  Examples of file patterns in mstrExternalConfigurationFileAllowList:
  - Matches one absolute file path on Windows platform:
    D:\\trusted.jks
    Note the backslash is deleted.
  - Matches all files underneath /home on UNIX platforms:
    /home/**
- Once your configuration is complete, restart the web server to apply the changes.
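Because unparseable lines are ignored, it helps to test allow-list patterns against FileSystem.getPathMatcher before deploying them. The following is an added example, not MicroStrategy code: the class name AllowListCheck, the malformed third pattern, and the candidate paths are constructed for illustration, and normalizing the path before matching is an assumption of this example (the page does not describe how the product prepares paths for matching).

```java
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.PathMatcher;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class AllowListCheck {
    // Compile each allow-list line as a glob and flag lines that do not parse,
    // since such lines would be ignored and the path they meant to allow stays denied.
    static List<PathMatcher> compile(List<String> lines) {
        List<PathMatcher> matchers = new ArrayList<>();
        for (String line : lines) {
            if (line.isBlank()) continue;
            try {
                matchers.add(FileSystems.getDefault().getPathMatcher("glob:" + line));
                System.out.println("parsed : " + line);
            } catch (IllegalArgumentException e) { // PatternSyntaxException is a subclass
                System.out.println("IGNORED: " + line + " (not a valid glob)");
            }
        }
        return matchers;
    }

    // Assumption of this example: resolve "." and ".." segments before matching,
    // because "**" matches across directory separators and would otherwise
    // accept a string such as /home/../etc/hosts.
    static boolean allowed(List<PathMatcher> matchers, String candidate) {
        Path p = Paths.get(candidate).normalize();
        return matchers.stream().anyMatch(m -> m.matches(p));
    }

    public static void main(String[] args) {
        // Constructed allow-list content: the two patterns from the page plus
        // one deliberately malformed line (unclosed brace group).
        List<String> lines = List.of("D:\\\\trusted.jks", "/home/**", "/opt/{certs,keys");
        List<PathMatcher> matchers = compile(lines);

        // Constructed candidate paths; results depend on the platform's
        // default file system, so run this on the server's own OS.
        for (String c : List.of("/home/app/keystore.jks", "/home/../etc/hosts",
                                "/etc/hosts", "D:\\trusted.jks")) {
            System.out.println((allowed(matchers, c) ? "ALLOW  " : "DENY   ") + c);
        }
    }
}
```

Run it with the same Java version and on the same operating system as the web server, since glob matching is performed by the platform's default file system.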