Prevent Aspose Cells from loading external content because of SSRF security issue


#1

I have almost the same issue as:

Except I’m not exporting to PDF but to an image. For Word it works perfectly with IResourceLoadingCallback.
But what can I do when I export an Excel sheet to an image?

This is an SSRF security issue for us.


#2

@Fred.Net

Thanks for using Aspose APIs.

Please check this article; it may fit your needs. However, I found that the StreamProvider property is not available for the ImageOrPrintOptions class. Do you need this property?

Article Link:


#3

This was the solution I was referring to with the issue I mentioned :)

But I’m rendering to an image so this is not a solution for me. Adding a StreamProvider to the ImageOrPrintOptions could maybe be an option. But I’m not sure if Excel or other Cells software like OpenOffice support other kinds of external content. And I want to block ALL external content.

So a solution like IResourceLoadingCallback would be the best solution for us.
Adding a StreamProvider to the ImageOrPrintOptions could be a second best option.
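
Added example (not part of the thread and not Aspose code): a pre-render check that lists every external relationship declared in an .xlsx package, so an upload can be rejected before any rendering library touches it. It assumes OOXML packages only (not legacy .xls or OpenOffice formats) and covers relationship-based references only; the function names, the size cap and the sample URL are constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

MAX_PART_BYTES = 1 << 20  # assumed cap; .rels parts are normally a few KB

def _external_rels(xml_bytes):
    """Return (kind, target) for each Relationship with TargetMode="External"."""
    found = []
    def on_doctype(*_):  # OOXML parts need no DTD; refusing one blocks entity tricks
        raise ValueError("DTD found in relationship part")
    def on_start(tag, attrs):
        if (tag.rsplit(":", 1)[-1] == "Relationship"
                and attrs.get("TargetMode", "").lower() == "external"):
            kind = attrs.get("Type", "").rsplit("/", 1)[-1]
            found.append((kind, attrs.get("Target", "")))
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # malformed XML raises, so the check fails closed
    return found

def find_external_targets(xlsx_bytes):
    """Return sorted (rels_part, kind, target) tuples for an .xlsx package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError("oversized relationship part: " + info.filename)
            findings.extend((info.filename, k, t) for k, t in _external_rels(pkg.read(info)))
    return sorted(findings)

def is_safe_to_render(xlsx_bytes):
    """True only when the package declares no external relationship at all."""
    return not find_external_targets(xlsx_bytes)

def build_sample(rels_xml):
    """Constructed minimal package holding one drawing .rels part (not a full workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed sample: a drawing part that links (rather than embeds) a picture.
LINKED = build_sample(
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" TargetMode="External" Target="http://internal.example/logo.png" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>'
    '</Relationships>')
```

A check like this complements, and does not replace, a loader-level control such as the callback discussed in this thread.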


#4

@Fred.Net

Thanks for considering Aspose APIs.

Please provide us a sample MS-Word document and console application project showing the usage of IResourceLoadingCallback interface so that we could execute it at our end. We will then log a feature request for it in our database so that it could be implemented in next versions. Thanks for your cooperation in this regard and have a good day.


#5

I have created a console app with Word and Excel sample. The Word sample does generate a good output because it doesn’t load external resources into the generated preview. The Excel sample generates a wrong output because it does include external resources in the generated image.

To get this sample working you have to put the files of the TestDocuments folder into c:\temp. This is important. If you choose another folder it won’t work because the Excel and Word sample documents are referring to c:\temp.

To have consistency between the Word and Excel implementation it would be nice if both implement the IResourceLoadingCallback interface. Another option could be to add a filter option to LoadDataFilterOptions. For example LoadDataFilterOptions.ExternalResources which then can be excluded with (LoadDataFilterOptions.All & ~LoadDataFilterOptions.ExternalResources).

AsposeSSRFFix.zip (659.5 KB)


#6

@Fred.Net

Thanks for your sample project and sample files. We have executed your sample project and checked the behavior of IResourceLoadingCallback. We have logged your requirement in our database for product team evaluation and investigation. We will look into it and implement it if feasible or provide you a sample code to achieve your needs. Once there is some news for you, we will update you ASAP.

This issue has been logged as

  • CELLSNET-45855 - Aspose.Words.Loading.IResourceLoadingCallback needed for Aspose.Cells or provide LoadDataFilterOptions.ExternalResources

#7

@Fred.Net

Please download and try the following fix and let us know your feedback.


We have added WorkbookSettings.StreamProvider property.

Please see the following code:

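// Load the workbook that references external resources.
Workbook workbook = new Workbook(Constants.sourcePath + "CellsNet45855.xlsx");
// StreamProvider here is the caller's own IStreamProvider implementation (class not shown in this post).
workbook.Settings.StreamProvider = new StreamProvider();
// Render every shape on the first worksheet to an image.
foreach (Shape shape in workbook.Worksheets[0].Shapes)
{
    shape.ToImage(Constants.destPath + "CellsNet45855.png", null);
}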

#8

Thanks for the quick response. It works great!

I don’t want to push you guys but when will this version be available in the nuget feed? :)


#9

@Fred.Net

Thanks for your feedback and using Aspose APIs.

It is good to know that the latest version fixes your issue. The next official version 18.2 will be released around 20-Feb-2018 (after one complete month). You will be automatically notified of its release as soon as it is available for you.


#10

@Fred.Net

Thanks for using Aspose APIs.

Please download and try the following fix (new one) and let us know your feedback.


Please see the following code:

C#

Workbook workbook = new Workbook(Constants.sourcePath + "CellsNet45855.xlsx");
workbook.Settings.StreamProvider = new StreamProvider();

#11

This one works the same as the previous one. So for me both are ok!


#12

@Fred.Net

Yes, but the product team recommended the newer version for you, so please use the newer version until we release the official version 18.2 in February 2018. Thanks for your understanding and have a good day.


#13

The issues you have found earlier (filed as CELLSNET-45855) have been fixed in this Aspose.Cells for .NET 18.2 update.

Please also check the following article: