How to Detect Password Protected Files in your File Upload Process using JavaScript
While document security is an important practice in general, we don’t want client-side uploads with password protection entering our sensitive databases. Threat actors often use encrypted/password-protected files to bypass file scanning policies and rely on social engineering tactics to supply a password that unleashes hidden malware later on.
With the below code, you can simultaneously scan files for virus and malware signatures AND identify documents with password-protection through in-depth content verification. Of course, you don’t have to block password protected files if it doesn’t fit your specific needs — that’s totally up to your discretion. Setting the optional “allowPasswordProtectedFiles” parameter to “false” will return a “CleanResult: False” API response for files containing password protection measures, allowing you to stay on the safe side and treat such files as though they contain malicious content.
You can easily structure your API call using the below JavaScript code examples (this uses the XHR capability):
var data = new FormData();
data.append("inputFile", fileInput.files[0], "file");
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function() {
if(this.readyState === 4) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api.cloudmersive.com/virus/scan/file/advanced");
xhr.setRequestHeader("allowExecutables", "<boolean>");
xhr.setRequestHeader("allowInvalidFiles", "<boolean>");
xhr.setRequestHeader("allowScripts", "<boolean>");
xhr.setRequestHeader("allowPasswordProtectedFiles", "<boolean>");
xhr.setRequestHeader("allowMacros", "<boolean>");
xhr.setRequestHeader("allowXmlExternalEntities", "<boolean>");
xhr.setRequestHeader("allowInsecureDeserialization", "<boolean>");
xhr.setRequestHeader("allowHtml", "<boolean>");
xhr.setRequestHeader("restrictFileTypes", "<string>");
xhr.setRequestHeader("Apikey", "YOUR-API-KEY-HERE");
xhr.send(data);To authenticate your request via the “Apikey” parameter, supply a free-tier Cloudmersive API key (this allows up to 800 API calls per month with no additional commitment).
Just like that, you can quickly bolster your file upload threat profile and avoid unnecessary risks associated with password protected files.
