Skip to content

CCM-13489: allow docx upload #125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
harrim91 merged 6 commits into from
Feb 5, 2026
+142 −4
Merged

CCM-13489: allow docx upload #125

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b4b1b72
CCM-13489: allow docx upload
harrim91 Feb 3, 2026
d657cde
CCM-13489: fix
harrim91 Feb 3, 2026
4698b54
Revert "CCM-13489: fix"
harrim91 Feb 3, 2026
e555025
Revert "CCM-13489: allow docx upload"
harrim91 Feb 3, 2026
8192335
CCM-13489: allow docx
harrim91 Feb 3, 2026
d6e9381
CCM-13489: add bsl page for docx upload
harrim91 Feb 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
146 changes: 142 additions & 4 deletions infrastructure/terraform/components/cdn/wafv2_web_acl.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,8 +128,10 @@ resource "aws_wafv2_web_acl" "main" {
field_to_match {
uri_path {}
}
# only uri to allow >8kb body is /templates(~<dynamic environment>)/<create|upload|edit>-letter-template(/<id>)
regex_string = "^\\/templates(~[a-zA-Z0-9_\\-]{1,26})?\\/(create|upload|edit)\\-letter\\-template(\\/[a-z0-9\\-]*)?$"
# only uris to allow >8kb body are:
# - /templates(~<dynamic environment>)/<create|upload|edit>-letter-template(/<id>
# - /templates(~<dynamic environment>)/upload-<standard-english|large-print|other-language>-letter-template
regex_string = "^\\/templates(?:~[a-zA-Z0-9_\\-]{1,26})?\\/(?:(?:create|upload|edit)\\-letter\\-template(?:\\/[a-z0-9\\-]*)?|upload\\-(?:standard\\-english|large\\-print|other\\-language|british\\-sign\\-language)\\-letter\\-template)$"
text_transformation {
priority = 10
type = "NONE"
Expand Down Expand Up @@ -173,6 +175,7 @@ resource "aws_wafv2_web_acl" "main" {
}

statement {
# Block if it’s XSS and it is not a valid PDF upload and not a valid docx upload
and_statement {
statement {
# Check if it has been flagged as XSS
Expand All @@ -182,8 +185,8 @@ resource "aws_wafv2_web_acl" "main" {
}
}
statement {
# Block unless all PDF upload conditions are met
not_statement {
# Check if it is a valid PDF upload
statement {
and_statement {
statement {
Expand Down Expand Up @@ -248,6 +251,73 @@ resource "aws_wafv2_web_acl" "main" {
}
}
}
statement {
not_statement {
# Check if it is a valid docx upload
statement {
and_statement {
statement {
# check it's a docx letter upload endpoint
regex_match_statement {
field_to_match {
uri_path {}
}
regex_string = "^\\/templates(~[a-zA-Z0-9_\\-]{1,26})?\\/upload\\-(standard\\-english|large\\-print|other\\-language|british\\-sign\\-language)\\-letter\\-template$"
text_transformation {
priority = 10
type = "NONE"
}
}
}
statement {
# Check if it's a multipart form upload
byte_match_statement {
field_to_match {
single_header {
name = "content-type"
}
}
positional_constraint = "CONTAINS"
search_string = "multipart/form-data"
text_transformation {
priority = 0
type = "NONE"
}
}
}
statement {
# Check if the multi-part request contains a docx content-type
byte_match_statement {
field_to_match {
body {}
}
positional_constraint = "CONTAINS"
search_string = "Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document"
text_transformation {
priority = 0
type = "NONE"
}
}
}
statement {
# Check if the body has a docx/zip signature (magic bytes check)
# PK\x03\x04 is the zip local file header signature used by docx files
byte_match_statement {
field_to_match {
body {}
}
positional_constraint = "CONTAINS"
search_string = "PK\\x03\\x04"
text_transformation {
priority = 0
type = "NONE"
}
}
}
}
}
}
}
}
}
visibility_config {
Expand Down Expand Up @@ -311,6 +381,7 @@ resource "aws_wafv2_web_acl" "main" {
}

statement {
# Block if it’s SQLi and it is not a valid PDF upload and not a valid docx upload
and_statement {
statement {
# Check if it has been flagged as SQL Injection
Expand All @@ -320,8 +391,8 @@ resource "aws_wafv2_web_acl" "main" {
}
}
statement {
# Block unless all PDF upload conditions are met
not_statement {
# Check if it is a valid PDF upload
statement {
and_statement {
statement {
Expand Down Expand Up @@ -386,6 +457,73 @@ resource "aws_wafv2_web_acl" "main" {
}
}
}
statement {
not_statement {
# Check if it is a valid docx upload
statement {
and_statement {
statement {
# check it's a docx letter upload endpoint
regex_match_statement {
field_to_match {
uri_path {}
}
regex_string = "^\\/templates(~[a-zA-Z0-9_\\-]{1,26})?\\/upload\\-(standard\\-english|large\\-print|other\\-language|british\\-sign\\-language)\\-letter\\-template$"
text_transformation {
priority = 10
type = "NONE"
}
}
}
statement {
# Check if it's a multipart form upload
byte_match_statement {
field_to_match {
single_header {
name = "content-type"
}
}
positional_constraint = "CONTAINS"
search_string = "multipart/form-data"
text_transformation {
priority = 0
type = "NONE"
}
}
}
statement {
# Check if the multi-part request contains a docx content-type
byte_match_statement {
field_to_match {
body {}
}
positional_constraint = "CONTAINS"
search_string = "Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document"
text_transformation {
priority = 0
type = "NONE"
}
}
}
statement {
# Check if the body has a docx/zip signature (magic bytes check)
# PK\x03\x04 is the zip local file header signature used by docx files
byte_match_statement {
field_to_match {
body {}
}
positional_constraint = "CONTAINS"
search_string = "PK\\x03\\x04"
text_transformation {
priority = 0
type = "NONE"
}
}
}
}
}
}
}
}
}
visibility_config {
Expand Down
Loading