Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
ynt
Regular Visitor

Prevent end-user from uploading malicious file types

‎10-17-2018 06:25 PM

We recently performed penetration testing and found several vulnerabilities including the issue with unrestricted file upload that pose significant risk.

 

Is there a configuration in Power BI Report Server to use a whitelist method to prevent end-user from uploading malicious file type like .exe, .py, etc.?

 

Thanks.

 

Message 1 of 7
2,254 Views
0
6 REPLIES 6
Jon-Heide
Microsoft Employee
Microsoft Employee

‎10-22-2018 02:23 PM

Yes, this is whitelisted under the TrustedFileFormat property, editable through SQL Management Studio when you connect to the PBIRS instance.  

Message 2 of 7
2,217 Views
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 09:49 AM
@Jon-Heide wrote:

Yes, this is whitelisted under the TrustedFileFormat property, editable through SQL Management Studio when you connect to the PBIRS instance.  


This setting does not prevent user from downloading/uploading malicious file types

 

https://docs.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-report...

 

TrustedFileFormat Set all the external file formats that open within the browser under the Reporting Services portal site. External file formats not listed prompts to download the option in the browser. The default values are jpg, jpeg, jpe, wav, bmp, pdf, img, gif, json, mp4, web, png.

Message 7 of 7
2,201 Views
0
Jon-Heide
Microsoft Employee
Microsoft Employee
In response to Jon-Heide

‎10-22-2018 02:26 PM

You can also use server permissions to disallow users from uploading content in general. 

Message 3 of 7
2,215 Views
0
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 09:50 AM

@Jon-Heide 

@Jon-Heide wrote:

You can also use server permissions to disallow users from uploading content in general. 


Can you please point me to this particular setting?

Message 4 of 7
2,200 Views
0
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 03:07 PM
@Jon-Heide wrote:

https://docs.microsoft.com/en-us/sql/reporting-services/security/granting-permissions-on-a-native-mo...

For our use case, we can't disable the upload feature. We need to be able to whitelist certain file types that can be uploaded to PBI Report Server.

Message 6 of 7
2,186 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All