Supported image extensions and attachment types

By Knowledge Base posted 01-30-2015 16:54

Attachment file types allowed in Jama
Jama users can add attachments to items and projects via several means that are outlined in the table below.

Jama filters the file types that users can upload as an attachment to prevent uploading certain file types that can potentially be harmful. With the release of 2015.2, Jama has switched from using a blacklist to whitelist to filter attachment file types. The table below shows which method is being used in different versions of Jama.

Filtering attachment file types using a  whitelist
Jama replaced the blacklist with a whitelist in the on-premises 2015.2 release. Jama will only allow attaching file types that exist in the whitelist. This change is to improve security in Jama and to prevent uploading harmful file types that are not blacklisted for any reason. Jama is also adopting a much stricter MIME type validation along with the whitelist. Jama will not rely on the file extension only and will validate that the file type actually matches the file extension. These changes will go into effect for hosted customers in November 2015.

How will changing from whitelist to blacklist impact users?
Replacing the blacklist with the whitelist will not impact users' experience with Jama in most cases. However, since ".html" file type is not in our whitelist, users can only Save the report in an html format and cannot Open it from Jama. If users click Open, the html report will still be downloaded.

Images in HTML output of reports that have a relative path will not show after saving the reports and opening them locally from users' computer. A relative path does not include the server address while. a full path starts with Jama server address. For example "/report/image/birtimage.jpg" is a relative path, and ""; is a full path. This behavior exists in all versions of Jama and is not a side effect of using whitelist vs. blacklist. However, it may stand out once users have only the option of opening HTML report outputs locally. For example, images that are generated by BIRT reports have a relative path and users will not see them if they open the HTML open locally from their machine. The images that have a full path to their source will still show if the Image Security is not on. 

You can still select the HTML format as output of a report, but the HTML file must be downloaded and images may not be visible. Jama is leaving the HTML as an option because it can be useful for testing reports. 

If users want to Open the report outputs and also view images, we recommend changing the default output of the reports to Word or PDF instead of HTML. On-premises customers can make this change by following the below instructions.

Log in as Jama Admin > go to Admin page > find the report and click on Edit. You can select PDF and Word outputs in Reports Format instead of HTML. Our hosted customers need to open a Support Ticket to change the output of their reports.

Jama whitelist for attachments
We collected the file types based on the usage pattern of our current customers and screened each one for possible security risks, which determined the whitelist below.

Existing attachments that are not on the whitelist will still be downloadable but will not be viewable in the browser. You will see the error message when trying to upload a file type that is not in the whitelist.

If there is a file type that you attach to Jama items regularly and is missing from our whitelist please let us know so that we can consider adding it to the whitelist in the future, provided it doesn't present any security risk.

Filtering attachments using a blacklist
Jama 2015.1 and prior and the September 2015 hosted release use a blacklist to filter the file types that users can upload as an attachment.
With the blacklist method, users can upload any file type as an attachment except for the ones that are in the blacklist. The list of file types that are blacklisted is as follows: 
"exe", "cgi", "php", "rb", "pl", "sh", "smx", "jsp", "lasso", "msi", "386", "app", "asp", "bat", "chm","com", "cmd", "crt", "hta", "req", "vbs", "php2", "php3", "hlp", "msp", "py", "swf" , "html"(hosted only), "htm"(hosted only), "js"(hosted only)
We have recently added HTMLHTML, and js to the blacklist of our hosted customers. This is due to some security concerns that allowing HTML and js files would cause. Users can potentially write code to extend Jama's UI. Allowing HTML and js file types opens up the possibility for a user to upload malicious code that extracts data.  We have no evidence that this vulnerability has ever been exploited, but we have blocked the possibility for your protection.

Inserting image files into items using Rich Text Editor fields
Jama hosted and on-premises versions only allow the following image types to be inserted into an item as an embedded image:
  •  jpeg, jpg
  •  gif
  •  png 
  •  bmp
  •  svg* (2015.2+ and hosted)
If users attempt to insert an image type that is not among the list above, Jama will not recognize it and will prompt the user with a "You must select an image" message. 

Note on Image Security 

Image Security is intended to provide more security for organizations and make images viewable to users with proper permission. Image Security settings are configured through the "root" login. Our on-premises customers can configure that from the root login > General Properties > Enhanced Image Security

If Image Security is turned on, users can view the image using the image URL in their browser only if the users are logged in. If the users are not logged in and try to access the image using the image URL, they will be prompted with the login page first. For example, if you try to view the image in one of our hosted server with via the URL you will be prompted with a login page and cannot view the image because Image Security is turned on.

If Image Security is turned off, users can view images in a browser by using the image URL. In order to find the image URL, go to Item View > select Edit > Source and search for "src" attribute in the "" tag ( ). 

The Image Security is turned on by default for our hosted customers. This means users need to first login to Jama in order to access images individually in a browser. We will not turn off image security for hosted customers except temporarily to troubleshoot.

If the Image Security is turned on and you still can access images individually in a browser without being logged in, that can be because the browser has cached the image. Jama caches images for 60 days in clients' browser. 


*While users can insert SVG into an item in hosted Jama and on-premises 2015.2, our support for SVG images is limited. Microsoft Word does not support SVG images, therefore, SVG images will not show in exports or reports in Word format. There are also issues with specific browsers and with changing size or layout of an SVG image. Inserting SVG images are not allowed in on-premises 2015.1 and prior.



09-10-2015 15:18

Hey Mary,

You are not able to import images via the SOAP API.  This should hopefully change with the release of our REST API but current SOAP does not allow this.

09-04-2015 16:20

Does this mean that you can import all of these image types via the SOAP API too?