7 Replies Latest reply on Jan 4, 2018 10:20 AM by Samantha León

    Remove the xxxx.js.gz Files

    Michael Goo

      Our tableau servers went through a web security scan and several items came up as an issue.

       

      "Webinspect has detected an archive file with the .gz extension on the target server. The severity of the threats posed by the web-accessible backup files depends on the sensitivity of the information stored in original document. ............."

       

      The files are located:

      ...\Apps\Tableau\Tableau Server\9.2\vizportalclient\public

       

       

      My question is what are the consequences of removing the .gz files from the server?

        • 1. Re: Remove the xxxx.js.gz Files
          Paul Moran

          Hi Michael,

           

          The .gz files in question are used during the installation process to reduce the size of the JavaScript files that they contain. This is done to save space inside the installer and the files are extracted for use during the installation process.

           

          These .gz files are not usable outside of the context of the application.

           

          The archived .gz files located in the Tableau Server folders should not be removed. While Tableau Server may function without the presence of these files, editing the files will place Tableau Server in an unsupported configuration. This may require a reinstallation of the files and/or Tableau Server in order to perform future troubleshooting.

           

          Paul

          3 of 3 people found this helpful
          • 2. Re: Remove the xxxx.js.gz Files
            Russell Christopher

            ...and to add to what Paul has said, the warning message from your scanner actually sums up the risk pretty well:

             

            The severity of the threats posed by the web-accessible backup files depends on the sensitivity of the information stored in original document

             

            The .gz file is nothing more than a zipped version of a file in the same folder that is completely public with nothing sensitive in it at all...so there's no risk here.

            3 of 3 people found this helpful
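The claim in the reply above, that each .gz is a compressed copy of a public file in the same folder, can be checked on the server rather than taken on trust. The script below is an added example, not part of the original thread and not Tableau code; the function names and the sample files are constructed for illustration.

```python
import gzip
import sys
import tempfile
import zlib
from pathlib import Path


def triage_gz(root: Path) -> dict:
    """Classify each *.gz under root against its uncompressed sibling.

    duplicate  : inflates to exactly the sibling's bytes (nothing new exposed)
    differs    : sibling exists but content is not the same -> review by hand
    no-sibling : no uncompressed file beside it -> review by hand
    unreadable : not a valid gzip stream -> review by hand
    """
    results = {}
    for gz_path in sorted(root.rglob("*.gz")):
        rel = gz_path.relative_to(root).as_posix()
        sibling = gz_path.with_suffix("")  # e.g. app.js.gz -> app.js
        try:
            inflated = gzip.decompress(gz_path.read_bytes())
        except (OSError, EOFError, zlib.error):
            results[rel] = "unreadable"
            continue
        if not sibling.is_file():
            results[rel] = "no-sibling"
        elif inflated == sibling.read_bytes():
            results[rel] = "duplicate"
        else:
            results[rel] = "differs"
    return results


def build_sample(root: Path) -> None:
    """Constructed sample tree (made-up file names and contents)."""
    js = b"console.log('viz');\n"
    (root / "app.js").write_bytes(js)
    (root / "app.js.gz").write_bytes(gzip.compress(js))
    (root / "page.html").write_bytes(b"<form></form>\n")
    (root / "page.html.gz").write_bytes(gzip.compress(b"<form>old</form>\n"))
    (root / "dump.sql.gz").write_bytes(gzip.compress(b"-- constructed\n"))
    (root / "broken.js.gz").write_bytes(b"not gzip")


if __name__ == "__main__":
    # Pass the public folder as the first argument; without one, run on the sample.
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tmp)
        if len(sys.argv) < 2:
            build_sample(target)
        for name, verdict in triage_gz(target).items():
            print(f"{verdict:11} {name}")
```

Only entries reported as `duplicate` support closing the scanner finding as a false positive; anything else is the case the scanner's warning is actually about.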
            • 3. Re: Remove the xxxx.js.gz Files
              Michael Goo

              Paul & Russell,

               

              Thank you very much for your response and explanations. Now I have to convince the InfoSec manager, who knows nothing about Tableau Server, to let these be.

               

              Again, I appreciate the assist.

              • 4. Re: Remove the xxxx.js.gz Files
                Russell Christopher

                These automated vulnerability scanners throw a lot of false positives because they can't know how the apps they're scanning actually behave and are built.

                 

                This is a pretty cut and dry example of "Fuggedaboutit" common sense, so I don't think there should be any problems. If worse comes to worse, you can open up a case with Technical Support and they can get you an "official" statement that essentially says the same thing...but it'll take a while, and both you and your InfoSec guy have much more important stuff to wait on.

                • 5. Re: Remove the xxxx.js.gz Files
                  Samantha León

                  Hi! Paul Moran, can you tell me if this is the same for these files with the html extension?

                  • login.html.gz
                  • passwordBox.html.gz
                  • requestPasswordReset.html.gz

                   

                  Thank you!

                  • 6. Re: Remove the xxxx.js.gz Files
                    Paul Moran

                    Hi Samantha,

                     

                    The functionality within these .html.gz files needs to be available for the Tableau Server login page and Guest user to function correctly. There is no sensitive information or logic stored in them, so these do not pose a security problem having them available without authentication.

                     

                    As Russell Christopher mentions above, you could open up a support case with Tableau Technical Support and they can get you an "official" statement that will tell you that the .html.gz files being present does not cause a security risk.

                     

                    - Paul

                    1 of 1 people found this helpful
                    • 7. Re: Remove the xxxx.js.gz Files
                      Samantha León

                      Great!! Thank you!!