Free Support Forum - aspose.com

CSV injection risk assessment

Hello,

A common risk with sheets is CSV injection, targeting the user when he downloads an Excel file (e.g. =cmd|' /C calc'!A0). That is because Excel can evaluate formulas.

Aspose can also evaluate formulas (cell.DisplayStringValue is the result of evaluation as per the documentation). When a CSV file is read in by Aspose, what measures are taken to ensure that a malicious CSV file is not evaluated to attack the server itself (not the user)? Does Aspose even evaluate cmd or bash commands at all, or just Excel functions, or a subset thereof?

Thank you very much,

Andreas

@afriedrich,

Please note, Aspose.Cells does not evaluate or calculate formulas which involve external references to programs (calls) or external files, or which execute scripts in the formulas, so the formula "=cmd|' /C calc'!A0" won't be calculated at all. Similar critical formulas won't be calculated either.

Hope this answers your doubts.

@Amjad_Sahi Excellent, thank you very much!

@afriedrich,

You are welcome.
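A pre-ingestion check for the formula cells discussed in this thread, as an added example that is not part of the original posts and is not Aspose code. It uses only Python's standard `csv` module; the function names, the trigger-character list (the one given in OWASP's CSV injection guidance) and the sample upload are assumptions made for illustration.

```python
import csv
import io
import re

# Leading characters that make spreadsheet software treat a cell as a formula
# (assumption: the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# DDE-style reference of the form application|topic!item, as in the thread.
DDE_PATTERN = re.compile(r"^[=+\-@]\s*[\w.]+\s*\|.*!", re.DOTALL)
# Plain signed numbers are legitimate data, not formulas.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")

def classify(cell):
    """Return 'dde', 'formula' or 'text' for one cell value."""
    stripped = cell.lstrip(" ")
    if NUMERIC.fullmatch(stripped.strip()):
        return "text"
    if DDE_PATTERN.match(stripped):
        return "dde"
    if stripped.startswith(FORMULA_TRIGGERS):
        return "formula"
    return "text"

def scan_csv(text):
    """Return (row, column, kind, value) for every cell that is not plain text."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            kind = classify(cell)
            if kind != "text":
                findings.append((r, c, kind, cell))
    return findings

def neutralize(text):
    """Prefix risky cells with a single quote and quote every field."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(["'" + c if classify(c) != "text" else c for c in row])
    return out.getvalue()

# Constructed sample upload (hypothetical data, not from the thread).
SAMPLE = (
    "name,amount,note\n"
    "alice,-12.50,refund\n"
    "bob,10,\"=cmd|' /C calc'!A0\"\n"
    "carol,7,=SUM(B2:B3)\n"
    "dave,3,@handle\n"
)

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

Running `scan_csv` on an upload before it is loaded into a workbook, and `neutralize` on anything exported back to users, covers both the server-side and the download-side concern raised in the question.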