Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
ynt
Regular Visitor

Prevent end-user from uploading malicious file types

‎10-17-2018 06:25 PM

We recently performed penetration testing and found several vulnerabilities including the issue with unrestricted file upload that pose significant risk.

 

Is there a configuration in Power BI Report Server to use a whitelist method to prevent end-user from uploading malicious file type like .exe, .py, etc.?

 

Thanks.

 

Message 1 of 7
2,793 Views
0
6 REPLIES 6
Jon-Heide
Microsoft Employee
Microsoft Employee

‎10-22-2018 02:23 PM

Yes, this is whitelisted under the TrustedFileFormat property, editable through SQL Management Studio when you connect to the PBIRS instance.  

Message 2 of 7
2,756 Views
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 09:49 AM
@Jon-Heide wrote:

Yes, this is whitelisted under the TrustedFileFormat property, editable through SQL Management Studio when you connect to the PBIRS instance.  


This setting does not prevent user from downloading/uploading malicious file types

 

https://docs.microsoft.com/en-us/sql/reporting-services/tools/server-properties-advanced-page-report...

 

TrustedFileFormat Set all the external file formats that open within the browser under the Reporting Services portal site. External file formats not listed prompts to download the option in the browser. The default values are jpg, jpeg, jpe, wav, bmp, pdf, img, gif, json, mp4, web, png.

Message 7 of 7
2,740 Views
0
Jon-Heide
Microsoft Employee
Microsoft Employee
In response to Jon-Heide

‎10-22-2018 02:26 PM

You can also use server permissions to disallow users from uploading content in general. 

Message 3 of 7
2,754 Views
0
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 09:50 AM

@Jon-Heide 

@Jon-Heide wrote:

You can also use server permissions to disallow users from uploading content in general. 


Can you please point me to this particular setting?

Message 4 of 7
2,739 Views
0
ynt
Regular Visitor
In response to Jon-Heide

‎10-23-2018 03:07 PM
@Jon-Heide wrote:

https://docs.microsoft.com/en-us/sql/reporting-services/security/granting-permissions-on-a-native-mo...

For our use case, we can't disable the upload feature. We need to be able to whitelist certain file types that can be uploaded to PBI Report Server.

Message 6 of 7
2,725 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All