Restricting local file system access when opening a document

Hi

I have a file that embeds an image by using a local, absolute path. If we render that file on our rendering server, we can access a file on the same path that is stored on the rendering server. Using this, an attacker could probably, with a bit of work, at least get knowledge about the file system structure or in the worst case embed files from another tenant in his own files.

Is it possible to sandbox the Aspose.Words for .NET library to avoid this? Is there some configuration parameter already available or do we have to do this ourselves?

Thanks

@ppcg,

How are you embedding the image inside the Word document (input file)? After embedding the image, are you converting the file to PDF format for rendering? Please create a standalone simplified console application (source code without compilation errors) that performs all steps of your use case, ZIP it along with the input file, image and final generated file (that exposes the paths) and attach the ZIP file(s) here for testing. We will then investigate the scenario on our end and provide you more information.

P.S. If your ZIP file size is big then you can upload the ZIP file to Dropbox and share the Download link here for testing.

@awais.hafeez

Sure, here you go:
I embed any image into a word document and save that as ‘Word - XML’. Then you go with your favorite text editor and change the path of the image to an absolute one. Like so, where the arrow is pointing:

image.png (154.2 KB)

Now you open that xml file again in word and save it as docx. The attached word document has an image embedded that’s pointing to “c:\temp\godzilla.jpg”. If you render this using the following code:

        using System.IO;
        using Aspose.Words;

        // Apply the license, then load the document and render it to a temporary PDF.
        var license = new Aspose.Words.License();
        license.SetLicense("Aspose.Words.lic");

        var inputFilePath = "godzilla.docx";
        var tempFilePath = Path.GetTempFileName() + ".pdf";

        // No LoadOptions here: the image referenced by absolute path is read from disk at render time.
        var doc = new Aspose.Words.Document(inputFilePath);
        using (var fs = new FileStream(tempFilePath, FileMode.Create))
        {
            doc.Save(fs, SaveFormat.Pdf);
            fs.Flush();
        }

You can see that once you have an image in place on your local hard drive at the specified location, that image gets rendered in the document. If you don’t have the image in place, you just get a blank document.

We’re looking for a way to disable access to the local file system when rendering documents, be that for Words, Slides or Excel, as this poses a potential security risk if some attacker could construct a document that could embed critical files into a document (like the configuration file).

godzilla.zip (10.1 KB)

@ppcg,

The following code of Aspose.Words will not load the image from local file system; instead, Aspose.Words will render a crossed-image in place of actual image in rendered PDF:

using Aspose.Words;
using Aspose.Words.Loading;

class HandleResourceLoadingCallback : IResourceLoadingCallback
{
    public ResourceLoadingAction ResourceLoading(ResourceLoadingArgs args)
    {
        // Skip every resource type other than Document (images included);
        // Document resources are still loaded the default way.
        return (args.ResourceType != ResourceType.Document)
            ? ResourceLoadingAction.Skip
            : ResourceLoadingAction.Default;
    }
}

// Attach the callback through LoadOptions so it applies while the document is loaded.
LoadOptions opts = new LoadOptions();
opts.ResourceLoadingCallback = new HandleResourceLoadingCallback();
Document doc = new Document("E:\\godzilla\\godzilla.docx", opts);
doc.Save("E:\\godzilla\\19.1.pdf");

You have only attached a Word document (godzilla.docx). Please also ZIP and attach .xlsx and .pptx files here for further testing. We will investigate the scenario further on our end and provide you more information from the Aspose.Cells and Aspose.Slides perspectives. Thanks for your cooperation.

Thanks for your reply, this seems to prevent the issue for Word.
For PowerPoint I’m still working on an example, it seems that simple external targets are not loaded.

For Excel, please use the attached file.
Book1.zip (6.9 KB)

@ppcg,

Thanks for the template MS Excel file.

See the document on how you can control loading of resources in MS Excel Workbook while rendering to PDF for your reference. You may write your own code using the relevant Aspose.Cells APIs to accomplish your task:

Hope this helps a bit.

Thanks. Is there a default implementation of the IStreamProvider interface that can be extended?

Also is there something similar for Aspose.Slides? It seems that external targets are not loaded, but I’m not sure if that’s a bug or a feature.

@ppcg,

I am afraid there is no public default implementation now. Moreover, PdfSaveOptions.StreamProvider is now obsolete. Kindly use the WorkbookSettings.StreamProvider property instead. See the sample code below, which implements StreamProvider to skip picture(s) that is/are linked to a file, for your reference:

Sample code:

using System.IO;
using Aspose.Cells;

class SkippingPicLinkToFileProvider : IStreamProvider
{
    public void CloseStream(StreamProviderOptions options)
    {
        // Nothing was opened in InitStream, so there is nothing to release.
    }

    public void InitStream(StreamProviderOptions options)
    {
        // Do not load the linked picture at all.
        options.ResourceLoadingType = ResourceLoadingType.Skip;
    }
}

...........

// TMP_DIR is an output directory chosen by the caller; the system temp folder stands in for it here.
string TMP_DIR = Path.GetTempPath();

Workbook wb = new Workbook(@"D:\Download\bugs\tempBug\Book1.xlsx");
wb.Settings.StreamProvider = new SkippingPicLinkToFileProvider();

wb.Save(TMP_DIR + "test_Cs.pdf");
.......

We will update you on it soon.
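The Aspose.Words IResourceLoadingCallback posted earlier in this thread and the Aspose.Cells IStreamProvider in the reply above each skip one library's linked resources. Below is an added example, not code from this thread or from Aspose, that puts both behind a single deny-by-default policy and records every blocked reference, so a rendering service can alert on a document that probes the server's file system. The class and method names (ResourceAudit, DenyAllResourceLoadingCallback, DenyAllStreamProvider, SandboxedRenderer) are assumptions, and it assumes Aspose.Words and Aspose.Cells for .NET are referenced and licensed separately.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Aspose.Cells;
using Aspose.Words.Loading;

// Added example (not Aspose's code, not from this thread): one deny-by-default
// policy for external resources, applied to Aspose.Words and Aspose.Cells, with
// an audit trail of every blocked reference. Names are hypothetical.
public static class ResourceAudit
{
    // One entry per blocked load attempt: library, resource kind, reference.
    public static readonly List<string> Blocked = new List<string>();

    public static void Record(string library, string kind, string reference)
    {
        Blocked.Add($"{library}: blocked {kind} -> {reference}");
    }
}

// Aspose.Words: refuse every external resource type, images and documents alike.
// Returning Skip for everything also covers ResourceType.Document, which the
// callback posted earlier in this thread leaves at Default.
public class DenyAllResourceLoadingCallback : IResourceLoadingCallback
{
    public ResourceLoadingAction ResourceLoading(ResourceLoadingArgs args)
    {
        ResourceAudit.Record("Words", args.ResourceType.ToString(), args.OriginalUri);
        return ResourceLoadingAction.Skip;
    }
}

// Aspose.Cells: the same policy through IStreamProvider. DefaultPath is the
// location the workbook asked for; it is logged, never opened.
public class DenyAllStreamProvider : IStreamProvider
{
    public void InitStream(StreamProviderOptions options)
    {
        ResourceAudit.Record("Cells", "linked resource", options.DefaultPath);
        options.ResourceLoadingType = ResourceLoadingType.Skip;
    }

    public void CloseStream(StreamProviderOptions options)
    {
        // Nothing was opened, so there is nothing to close.
    }
}

public static class SandboxedRenderer
{
    // Renders a .docx to PDF and returns the number of blocked resource loads.
    public static int WordToPdf(string inputPath, string outputPath)
    {
        int before = ResourceAudit.Blocked.Count;
        var opts = new Aspose.Words.Loading.LoadOptions
        {
            ResourceLoadingCallback = new DenyAllResourceLoadingCallback()
        };
        var doc = new Aspose.Words.Document(inputPath, opts);
        doc.Save(outputPath, Aspose.Words.SaveFormat.Pdf);
        return ResourceAudit.Blocked.Count - before;
    }

    // Renders an .xlsx to PDF and returns the number of blocked resource loads.
    public static int ExcelToPdf(string inputPath, string outputPath)
    {
        int before = ResourceAudit.Blocked.Count;
        var wb = new Workbook(inputPath);
        wb.Settings.StreamProvider = new DenyAllStreamProvider();
        wb.Save(outputPath, Aspose.Cells.SaveFormat.Pdf);
        return ResourceAudit.Blocked.Count - before;
    }

    public static void Main(string[] args)
    {
        // Usage: SandboxedRenderer <input.docx|input.xlsx>; the PDF goes to the temp folder.
        string input = args[0];
        string output = Path.Combine(Path.GetTempPath(),
            Path.GetFileNameWithoutExtension(input) + ".pdf");
        int blocked = input.EndsWith(".xlsx", StringComparison.OrdinalIgnoreCase)
            ? ExcelToPdf(input, output)
            : WordToPdf(input, output);

        // A non-zero count means the document referenced something outside itself.
        // The render still succeeded with placeholders; the count is the alert signal.
        Console.WriteLine($"{blocked} external reference(s) blocked while rendering {input}");
        foreach (var entry in ResourceAudit.Blocked)
            Console.WriteLine("  " + entry);
    }
}
```

Exercise it with a document of the kind described above (an image pointing at c:\temp\godzilla.jpg): the PDF should show a placeholder instead of the file, and the audit list should contain one entry naming that path. Skipping the load is what keeps server and tenant files out of the output; the log only tells you that a document tried. Only loads that go through these two interfaces are affected, so test each format you render rather than assuming the same hook covers it, as the Slides discussion in this thread shows.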

I have observed your requirements and regret to inform you that this is not supported yet. A ticket with ID SLIDESNET-40799 has been created in our issue tracking system as a new feature request. We will look into the possibility of implementing the requested feature. This thread has been associated with this new feature request, so that you can be automatically notified as soon as this issue is resolved.

The issues you have found earlier (filed as SLIDESNET-40799) have been fixed in this update.