Inquiry About XSS Issues in aspose.imaging.dll Detected by Veracode

Dear Aspose Team,

We are using Aspose products in our solutions for our customers. Some of our customers perform security scans using Veracode, and the reports indicate that certain aspose.imaging.dll may have potential XSS-related issues.

We would like to ask:

  1. Are you aware of these reported issues?
  2. Are these findings something to be concerned about, or are they false positives?
  3. Do you have any official response or guidance that we can provide to our customers regarding these findings?

For reference, I have attached a screenshot of the Veracode report highlighting these issues.

We appreciate your support and look forward to your response.
Yours.
Nghia

@nguyen.xuan.nghia,

Thank you for providing the screenshot and details.

As your issue pertains to the Aspose.Imaging API, I am transferring your thread to the relevant forum. A member of the Aspose.Imaging team will review it and provide the necessary assistance soon.

@nguyen.xuan.nghia Thank you for your request.
XSS-related vulnerabilities are usually found in sites that allow execution of unauthorized JavaScript. Aspose.Imaging is not a library that directly works with web resources or JavaScript. It is not entirely clear what vulnerabilities are being discussed in this library.
Please write how you plan to use the library, and perhaps you have concerns regarding individual tasks?

I would also like to note that we check our library for vulnerabilities using sonar owasp, sans25 and others, every release.

Thank you for your answer.

In my project, I only use Aspose products for:

  • Fill data into word template.
  • Convert pdf to pdf-a
  • Convert word/excel to pdf
  • Convert word/excel to image

It appears that these features do not utilize the Aspose.Imaging DLL, yet it is still included in our project. Therefore, we may consider removing the DLL from the project.

Am I right that Convert word/excel to image does not use Aspose.Imaging DLL?
Here is example code we are using:

internal static bool DocFirstPageToImage(string input, string output)
{
    try
    {
        var doc = new AsposeWord.Document(input);
        var opt = new AsposeWord.Saving.ImageSaveOptions(AsposeWord.SaveFormat.Jpeg);
        // opt.JpegQuality = 150;
        opt.HorizontalResolution = 150;
        opt.VerticalResolution = 150;
        //opt.PageCount = 1;
        //opt.PageIndex = 0;
        opt.PageSet = new PageSet(new PageRange(0, 0));
        doc.Save(output, opt);
        return true;
    }
    catch (Exception ex)
    {
        LogErrorUltil.LogError(ex);
        return false;
    }
}

internal static bool PowerPointFirstPageToImage(string input, string output)
{
    try
    {
        //Instantiate a Presentation class that represents the presentation file
        using (var pres = new AsposePowerPoint.Presentation(input))
        {
            //Access the first slide
            var sld = pres.Slides[0];
            //User defined dimension
            //int desiredX = 1200;
            //int desiredY = 800;

            //Getting scaled value  of X and Y
            //float ScaleX = (float)(1.0 / pres.SlideSize.Size.Width) * desiredX;
            //float ScaleY = (float)(1.0 / pres.SlideSize.Size.Height) * desiredY;

            //Create a full scale image
            var bmp = sld.GetImage(1.5f, 1.5f);
            //Save the image to disk
            bmp.Save(output, Aspose.Slides.ImageFormat.Png);
        }
        return true;
    }
    catch (Exception ex)
    {
        LogErrorUltil.LogError(ex);
        return false;
    }
}

internal static bool ExcelFirstPageToImage(string input, string output)
{
    try
    {
        using (var doc = new AsposeExcel.Workbook(input))
        {
            var worksheet = doc.Worksheets[0];

            var options = new AsposeExcel.Rendering.ImageOrPrintOptions();
            options.ImageType = AsposeExcel.Drawing.ImageType.Jpeg;
            options.VerticalResolution = 150;
            options.HorizontalResolution = 150;
            // Sheet2Image By Page conversion
            AsposeExcel.Rendering.SheetRender sr = new SheetRender(worksheet, options);
            sr.ToImage(0, output);
            return true;
        }
    }
    catch (Exception ex)
    {
        LogErrorUltil.LogError(ex);
        return false;
    }
}

internal static bool PdfFirstPageToImage(string input, string output)
{
    try
    {
        AsposePdf.Document pdfDocument = new AsposePdf.Document(input);
        using (FileStream imageStream = new FileStream(output, FileMode.Create))
        {
            // Create Resolution object
            AsposePdf.Devices.Resolution resolution = new AsposePdf.Devices.Resolution(150);
            // Create PNG device with specified attributes (Width, Height, Resolution)
            AsposePdf.Devices.PngDevice pngDevice = new AsposePdf.Devices.PngDevice(resolution);
            // Convert a particular page and save the image to stream
            pngDevice.Process(pdfDocument.Pages[1], imageStream);
            // Close stream
            imageStream.Close();
        }
        return true;
    }
    catch (Exception ex)
    {
        LogErrorUltil.LogError(ex);
        return false;
    }
}

internal static bool EmailFirstPageToImage(string input, string output)
{
    try
    {
        // For complete examples and data files, please go to https://github.com/aspose-email/Aspose.Email-for-.NET
        // The path to the File directory
        MemoryStream ms = new MemoryStream();
        MailMessage mailMsg = MailMessage.Load(input);
        mailMsg = RemoveSignatureMail(mailMsg);
        Aspose.Email.MhtSaveOptions mhtSaveOptions = Aspose.Email.SaveOptions.DefaultMhtml;
        mhtSaveOptions.SaveAttachments = AppEnv.PreviewImageViewerPdfToConvertWithImageAttachmentAppendInsidePdf ? true : false;
        mailMsg.Save(ms, mhtSaveOptions);

        // create an instance of LoadOptions and set the LoadFormat to Mhtml
        // (the format must be set before the Document is constructed to take effect)
        var loadOptions = new Aspose.Words.Loading.LoadOptions();
        loadOptions.LoadFormat = Aspose.Words.LoadFormat.Mhtml;

        // rewind the stream, then create an instance of Document and load the MHTML from MemoryStream
        ms.Position = 0;
        var document = new Aspose.Words.Document(ms, loadOptions);

        var opt = new AsposeWord.Saving.ImageSaveOptions(AsposeWord.SaveFormat.Jpeg);
        // opt.JpegQuality = 150;
        opt.HorizontalResolution = 150;
        opt.VerticalResolution = 150;
        //opt.PageCount = 1;
        //opt.PageIndex = 0;
        opt.PageSet = new PageSet(new PageRange(0, 0));
        document.Save(output, opt);
        return true;

    }
    catch (Exception ex)
    {
        LogErrorUltil.LogError(ex);
        return false;
    }
}

Thank you for your feedback.
Yours.
Nghia
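
One way to check the question raised in the post above before removing the DLL, as an added example that is not code from the thread or from Aspose: read the assembly-reference table of every managed binary in the build output and report which ones statically reference Aspose.Imaging. The class name `ReferenceAudit`, the `FindReferrers` helper and the default arguments are assumptions made for illustration; on .NET Framework the `System.Reflection.Metadata` NuGet package is required.

```csharp
// Added example (not from the thread): list which assemblies in a build output
// folder declare a static reference to a given assembly, without loading them.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

internal static class ReferenceAudit
{
    // Returns the file names of managed assemblies in binDir whose metadata
    // lists targetName (e.g. "Aspose.Imaging") as an assembly reference.
    internal static List<string> FindReferrers(string binDir, string targetName)
    {
        var referrers = new List<string>();
        foreach (string path in Directory.EnumerateFiles(binDir))
        {
            string ext = Path.GetExtension(path).ToLowerInvariant();
            if (ext != ".dll" && ext != ".exe") continue;
            try
            {
                using var stream = File.OpenRead(path);
                using var pe = new PEReader(stream);
                if (!pe.HasMetadata) continue; // native binary, no CLI metadata
                MetadataReader md = pe.GetMetadataReader();
                foreach (AssemblyReferenceHandle handle in md.AssemblyReferences)
                {
                    string name = md.GetString(md.GetAssemblyReference(handle).Name);
                    if (!name.Equals(targetName, StringComparison.OrdinalIgnoreCase)) continue;
                    referrers.Add(Path.GetFileName(path));
                    break;
                }
            }
            catch (BadImageFormatException) { } // not a valid PE file; skip it
        }
        return referrers;
    }

    private static void Main(string[] args)
    {
        // args[0]: build output folder (assumed default: current directory)
        // args[1]: simple assembly name to look for (assumed default below)
        string binDir = args.Length > 0 ? args[0] : ".";
        string target = args.Length > 1 ? args[1] : "Aspose.Imaging";
        List<string> hits = FindReferrers(binDir, target);
        Console.WriteLine(hits.Count == 0
            ? $"No assembly in {binDir} statically references {target}."
            : $"{target} is referenced by: {string.Join(", ", hits)}");
    }
}
```

This only sees references recorded in assembly metadata; an assembly loaded by name at run time would not appear, so an empty result should be confirmed by running the conversion paths with the DLL removed.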