MicroStrategy ONE

Enable Enforcing File Path Validation

MicroStrategy Web and Library are designed not to use any path from user-controlled input. For additional security, Web and Library support enforcing file path validation before accessing files.

To enable enforcing file path validation:

  1. Add the following line to the WEB-INF\xml\sys_defaults.properties file:

    enableFilePathValidation=1

    After you enable the feature, only files under the web application root folder can be accessed. For example, apache-tomcat-9\webapps\MicroStrategyLibrary.

    Access to files outside the web application root folder is denied. If you do not want access to other files, you can skip the next step.

  2. If you want to allow access to files that are outside of the web application root folder, the file path pattern must be added to the mstrExternalConfigurationFileAllowList file.
  3. The mstrExternalConfigurationFileAllowList file must be placed in a class path that can be loaded by the web application. For example, apache-tomcat-9\webapps\MicroStrategyLibrary\WEB-INF\classes\mstrExternalConfigurationFileAllowList.

    Each line in the mstrExternalConfigurationFileAllowList file defines an allowed access path using glob syntax. A line that cannot be parsed is ignored.

    For more information on the supported glob syntax, see the FileSystem.getPathMatcher(String) section of Oracle's Class FileSystem documentation.

    Examples of file patterns in mstrExternalConfigurationFileAllowList:

    • Matches one absolute file path on a Windows platform: D:\\trusted.jks
      Note the backslash is deleted.

    • Matches all files underneath /home on UNIX platforms: /home/**

  4. Once your configuration is complete, restart the web server to apply the changes.
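
To try allow list patterns before deploying them, the following added example (not MicroStrategy's code) compiles each line with Java's FileSystem.getPathMatcher, the matcher whose glob syntax the allow list uses, and checks constructed sample paths against it. The class name, the /etc/mstr and /opt/conf paths, the UNIX platform, and the normalization step are assumptions of this sketch; the page does not describe how the product resolves paths internally.

```java
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.PathMatcher;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AllowListCheck {
    // Compile each allow-list line as a glob; skip lines that cannot be parsed.
    static List<PathMatcher> load(List<String> lines) {
        List<PathMatcher> matchers = new ArrayList<>();
        for (String line : lines) {
            String pattern = line.trim();
            if (pattern.isEmpty()) continue;
            try {
                matchers.add(FileSystems.getDefault().getPathMatcher("glob:" + pattern));
            } catch (IllegalArgumentException e) { // includes PatternSyntaxException
                System.out.println("ignored (cannot be parsed): " + pattern);
            }
        }
        return matchers;
    }

    // Allowed if under the web root or matched by any allow-list pattern.
    // Normalizing first is this sketch's choice, so "../" segments are resolved before matching.
    static boolean allowed(Path webRoot, List<PathMatcher> allow, String requested) {
        Path p = Paths.get(requested).toAbsolutePath().normalize();
        if (p.startsWith(webRoot)) return true;
        return allow.stream().anyMatch(m -> m.matches(p));
    }

    public static void main(String[] args) {
        // Constructed sample data: web root, allow-list lines and candidate paths.
        Path webRoot = Paths.get("/opt/apache-tomcat-9/webapps/MicroStrategyLibrary");
        List<PathMatcher> allow = load(Arrays.asList(
            "/home/**",            // everything underneath /home, at any depth
            "/etc/mstr/*.jks",     // single directory only: '*' does not cross '/'
            "/opt/conf/{a,b"));    // unclosed group: cannot be parsed, ignored
        String[] candidates = {
            "/opt/apache-tomcat-9/webapps/MicroStrategyLibrary/WEB-INF/xml/sys_defaults.properties",
            "/home/mstr/keys/trusted.jks",
            "/etc/mstr/trusted.jks",
            "/etc/mstr/old/trusted.jks",
            "/home/../etc/shadow" };
        for (String c : candidates)
            System.out.printf("%-6s %s%n", allowed(webRoot, allow, c) ? "ALLOW" : "DENY", c);
    }
}
```

The first three candidates are allowed and the last two are denied: `*` stops at a directory separator while `**` crosses it, so prefer the narrowest pattern that covers the files you need.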