Knowledge Base

Supported image and attachment file types in Jama

By Shabnam posted 11-05-2015 19:12

  
Attachment file types allowed in Jama

Jama users can add attachments to items and projects via several means that are outlined below.


Jama 2015.2 and newer
Jama allows attaching only file types that are on the whitelist. Jama does not rely on the file extension alone; it also validates that the file type actually matches the file extension. These changes went into effect for hosted customers in December 2015 and were included in Jama 2015.2.

We collected file types based on the usage pattern of our current customers and screened each one for possible security risks, which determined the whitelist below (as of Jama 8.0.2). 

"apk", "avi", "bmp", "btt", "cfa", "csv", "doc", "docm", "docx", "dot", "dotx", "dwg", "gif", "gz", "jama", "jpeg", "jpg", "md", "mov", "mp3", "mp4", "mpeg", "odg", "odp", "ods", "odt", "pages", "pdf", "pgp", "png", "ppt", "pptm", "pptx", "rar", "rtf", "tgz", "tif", "tiff", "tra", "txt", "vcs", "vsd", "vsdx", "vss", "war", "wav", "wma", "wmv", "wps", "xcf", "xls", "xlsb", "xlsm", "xlsx", "xlt", "xps", "zip", "zipx"

Note:  Jama no longer allows "svg" files for security reasons.

Existing attachments that are not on the whitelist will still be downloadable but will not be viewable in the browser.

You will see this error message when trying to upload a file type that is not in the whitelist.






Adding more file types to the whitelist
If there is a file type that you attach to Jama items regularly and that is missing from our whitelist, please let us know and we will consider adding it, provided it does not present any security risk.

  • If you are using on-premises Jama 8.x, you can add allowed file types in the root menu, as described here.
  • If you are using our Hosted solution, please submit a Support ticket referencing your instance URL, and which file type(s) you'd like to add.
  • If you are using on-premises Jama 2015.2 to 2015.5, please open a support ticket and we will provide the instructions. 
 

Jama 2015.1 and prior
Jama 2015.1 and prior use a blacklist to filter the file types that users can upload as an attachment.

With the blacklist method, users can upload any file type as an attachment except for the ones that are in the blacklist. 

The list of file types that are blacklisted is as follows: 

"exe", "cgi", "php", "rb", "pl", "sh", "smx", "jsp", "lasso", "msi", "386", "app", "asp", "bat", "chm","com", "cmd", "crt", "hta", "req", "vbs", "php2", "php3", "hlp", "msp", "py", "swf"
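The two filtering models described above, and the content check that backs the whitelist, compared on the same uploads. This is an added example, not Jama's code: the extension sets are subsets of the lists on this page, and the signature table, the plain-text heuristic and the function names are assumptions for illustration.

```python
# Added example, not Jama's code: allowlist plus content check vs. blacklist.
# Extension sets are subsets of the page's lists; signatures are standard magic numbers.
ALLOWLIST = {"png", "gif", "jpg", "jpeg", "pdf", "zip", "tra", "txt", "csv"}
BLACKLIST = {"exe", "php", "jsp", "sh", "bat", "cmd", "vbs", "py", "swf"}

ZIP = [b"PK\x03\x04"]
JPEG = [b"\xff\xd8\xff"]
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": JPEG, "jpeg": JPEG,
    "pdf": [b"%PDF-"],
    "zip": ZIP,
    "tra": ZIP,  # assumption taken from the comments: .tra files are zip archives
}
TEXT_TYPES = {"txt", "csv"}  # no signature exists; checked heuristically below

def extension(filename: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def blacklist_allows(filename: str) -> bool:
    """Models the 2015.1 rule: anything not explicitly listed is accepted."""
    return extension(filename) not in BLACKLIST

def allowlist_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Models the 2015.2 rule: listed extension AND content that matches it."""
    ext = extension(filename)
    if ext not in ALLOWLIST:
        return False, "extension not on allowlist"
    if ext in TEXT_TYPES:
        binary = b"\x00" in data[:4096] or any(
            data.startswith(sig) for sigs in MAGIC.values() for sig in sigs)
        return (False, "content is not plain text") if binary else (True, "ok")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"

# Constructed sample uploads: (filename, first bytes of the file).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("results.tra", b"PK\x03\x04\x14\x00"),
    ("photo.png", b"MZ\x90\x00\x03\x00"),  # not a PNG despite the name
    ("diagram.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    ("plan.mpp", b"\xd0\xcf\x11\xe0"),
]
for name, head in SAMPLES:
    print(name, "blacklist:", blacklist_allows(name), "allowlist:", allowlist_check(name, head))
```

The blacklist accepts all five samples, including the mislabelled .png and the .svg that Jama now excludes; the allowlist accepts only the .pdf and the .tra.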

 

Inserting image files into items using Rich Text Editor fields 

Jama hosted and on-premises versions only allow the following image types to be inserted into an item as an embedded image:

"bmp", "gif", "jpeg", "jpg", "png" (2015.2+ and hosted *)


If users attempt to insert an image type that is not among the list above, Jama will not recognize it and will prompt the user with a "You must select an image" message.



  

Note on Image Security  

Image Security is intended to provide more security for organizations and make images viewable only to users with proper permission.

Image Security cannot be disabled in Jama 8.0.2 and later or for our hosted customers. (See more on image security.) This means users need to first log in to Jama in order to access images individually in a browser.


In Jama 2015.5 and earlier, Image Security settings are configured through the "root" login. Our on-premises customers can configure that from the root login > General Properties > Enhanced Image Security.   

If Image Security is turned on, users can view the image using the image URL in their browser only if the users are logged in. If the users are not logged in and try to access the image using the image URL, they will be prompted with the login page first. 

If Image Security is turned off, users can view images in a browser by using the image URL. In order to find the image URL, go to Item View > Edit > Source and search for "src" attribute in the "img" tag. 


If Image Security is turned on and you still can access images individually in a browser without being logged in to Jama, that can be because the browser has cached the image. Using default browser settings, Jama caches images for 60 days in a client's browser.

Edited 11/29/18 Chloe Elliott

Comments

11-14-2016 20:06

Hi everyone. This thread started a while back (prior to Jama 8) so I wanted to close the loop on this discussion. Thanks for all of the feedback and suggestions!

As of Jama 8, on-premises customers can easily modify the whitelist on the System Properties tab in the root admin console. Take a look at this page from the user guide for additional information.

For hosted customers, you can submit a support ticket with a request to add file types that aren't on the default list. You can find the default list on that same user guide page I mentioned above.

08-22-2016 23:10

I'm trying to upload some approvals that I got in email format, but Jama does not seem to allow for that. Specifically I need .msg and .eml formats to be allowed.

06-06-2016 21:27

Yes, if you're on 2015.5 you can edit the whitelist yourself. If you submit a support ticket, we can give you the instructions on how to do that.

As far as your surprise about Outlook not making the whitelist, I can tell you what happened there. We generated a list of the attachments used in our hosted environment and added the 100 or so most used file types—so if the file types were used by multiple organizations and could not be considered potentially risky, they were added. Given the high usage of Outlook you would think that it was a highly used file type in the attachments widget, but apparently not!

06-06-2016 17:57

Us too.  I'm a little surprised that Outlook messages weren't included in the initial whitelist.  Is there any solution for those of us on 2015.5?

05-12-2016 15:45

Andreas, that's true...definitely not the most user friendly! However, abilities to update the whitelist are on their way. :D

05-12-2016 10:27

Hi,

I just recognized that .log and .xml are not on the whitelist.

As I don't feel these file types are critical you may add them to the whitelist.

In the meantime I can, of course, change the extension to .txt which might be ok for .log but not that nice for .xml given that users may use advanced editors with syntax highlighting to read/modify such files. In that case they would need to download, rename, modify, rename, upload. Not very user friendly... ;-)

BR, Andreas

03-09-2016 16:30

post contains an idea

Please reference the new conversation here: Root user should be able to configure attachment whitelist

03-09-2016 00:44

Thanks Shabnam.

Hi Kristina,

can you convert this to an Idea, or should I resubmit?

Thanks,

Ed

03-08-2016 23:37

Hello Ed! That seems to be a reasonable request. When we first made the change, the main priority was to implement the whitelist to improve security of Jama and prevent uploading file types that expose security holes. Configuring the whitelist did not have as high a priority when we were delivering it as we still had a solution. I still think this is a great request and can be added as an Idea in our community.

03-08-2016 22:54

Hi,

our admin had a good suggestion. Is there any reason why the whitelist couldn't be configured by root in the web interface? That would make it very easy and customizable should any user decide there was a need for a particular extension type.

Thanks,

Ed

02-23-2016 21:41

Brad, thank you for letting us know so we can better scope these needs. Approximately how often is this file type used? 

02-23-2016 17:35

Would like to request file extension .mpj (Minitab) to be added as a supported attachment file type.
Currently we are using 2015.3 on-prem. and would need that added to "our" whitelist at a minimum.

Regards,

Brad Suhorepetz

02-04-2016 22:07

Thanks for letting me know. I'll see what we can do.

02-04-2016 16:16

Can you please add ".mpp" to the whitelist? It is strange that I see it neither in the whitelist nor in the blacklist above. Justification to include .mpp is fairly obvious. We are using the hosted Jama as our only collaborative tool and it is hard to convert an .mpp to xls every time I need to upload a Microsoft Project file. Thanks.

02-04-2016 00:56

Thanks for letting us know.

01-28-2016 10:14

We have a need to attach outlook emails (.msg) to items, so we can track discussions and decisions that have been made outwith of Jama.

12-18-2015 00:37

A Customer in support ticket #27085 has mission critical need to allow .tra files to be uploaded.  These are outputs from the product Test Evidence (https://testevidence.com/) and are just zipfiles with a different extension.