Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Learn more

Reply
ynt
Regular Visitor

Prevent end-user from uploading malicious file types

‎10-17-2018 06:25 PM

We recently performed penetration testing and found several vulnerabilities including the issue with unrestricted file upload that pose significant risk.

 

Is there a configuration in Power BI Report Server to use a whitelist method to prevent end-user from uploading malicious file type like .exe, .py, etc.?

 

Thanks.

 

Message 1 of 7
2,623 Views
0
6 REPLIES 6
Jon-Heide
Microsoft Employee
Microsoft Employee

‎10-22-2018 02:23 PM

Yes, this is whitelisted under the TrustedFileFormat property, editable through SQL Management Studio when you connect to the PBIRS instance.  

Message 2 of 7
2,586 Views
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 09:49 AM
@Jon-Heide wrote:

Yes, this is whitelisted under the TrustedFileFormat property, editable through SQL Management Studio when you connect to the PBIRS instance.  


This setting does not prevent user from downloading/uploading malicious file types

 

https://docs.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-report...

 

TrustedFileFormat Set all the external file formats that open within the browser under the Reporting Services portal site. External file formats not listed prompts to download the option in the browser. The default values are jpg, jpeg, jpe, wav, bmp, pdf, img, gif, json, mp4, web, png.

Message 7 of 7
2,570 Views
0
Jon-Heide
Microsoft Employee
Microsoft Employee
In response to Jon-Heide

‎10-22-2018 02:26 PM

You can also use server permissions to disallow users from uploading content in general. 

Message 3 of 7
2,584 Views
0
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 09:50 AM

@Jon-Heide 

@Jon-Heide wrote:

You can also use server permissions to disallow users from uploading content in general. 


Can you please point me to this particular setting?

Message 4 of 7
2,569 Views
0
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 03:07 PM
@Jon-Heide wrote:

https://docs.microsoft.com/en-us/sql/reporting-services/security/granting-permissions-on-a-native-mo...

For our use case, we can't disable the upload feature. We need to be able to whitelist certain file types that can be uploaded to PBI Report Server.

Message 6 of 7
2,555 Views
0

Helpful resources

Announcements
Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

October Power BI Update Carousel

Power BI Monthly Update - October 2025

Check out the October 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All