Secure conversion to PDF

We plan to use Aspose Cells for Java (AC4J) in our SaaS.
Our SaaS will have a feature that converts any Excel file a customer uploads to PDF using AC4J.

Is there any chance for an attacker to upload a malicious Excel file that forces AC4J to perform unexpected or harmful work on our server?

For example:

  1. run a server binary (e.g. ‘rm -rf /’)
  2. steal server information (e.g. embed a fake external workbook reference like ‘file:///etc/passwd!A1’ in a cell)
  3. perform a network connection (e.g. using Excel’s standard function ‘WEBSERVICE’, or embed an external workbook reference like 'http://example.com/fakebook.xlsx!A1')
  4. run secret instructions or debugging functionalities of AC4J to do privileged work (if they exist)

@takahashikzn,

Thanks for your query.

Well, for a professional library like Aspose.Cells, why would it execute those harmful functions/add-ins or macros and fetch sensitive information from the server for end users? This is totally out of scope for Aspose.Cells, as it is an MS Excel management library rather than a hacking module.

Generally, we think there are only a few ways for a hacker to steal data out of the workbook. One is via pictures with external links (linked images), which may cause the image data to be fetched from other resources, such as the local file system or web resources. For this situation, you may use/implement StreamProvider to filter the external links and prevent the data-fetching process accordingly.

Another situation is via certain formulas, such as “=CELL("filename")”; when such formulas are calculated, some local information can be fetched, such as the file’s location on the server. For this kind of issue, you may use the AbstractCalculationEngine API to prevent the default behavior of the Aspose.Cells formula calculation engine.

For macros/VBA modules in Excel spreadsheets, Aspose.Cells does not support executing them, so you don’t need to worry about that.

Hope this helps a bit.

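A conversion path that applies both of the answer's suggestions (a StreamProvider that refuses external resources, and a custom calculation engine that neutralises information-disclosing or network-reaching functions), written as an added example for this thread and not code from Aspose or from either poster. The hook names setResourceLoadingCallback, getProcessBuiltInFunctions and ResourceLoadingType.SKIP, and the blocked-function list, are assumptions to check against the Aspose.Cells for Java release you deploy.

```java
import com.aspose.cells.*;
import java.util.*;

public class SafeXlsxToPdf {

    // Functions that can disclose server-side details or reach the network when evaluated.
    // List constructed for this example; review and extend it for your own deployment.
    private static final Set<String> BLOCKED = new HashSet<>(Arrays.asList(
            "CELL", "INFO", "WEBSERVICE", "FILTERXML", "HYPERLINK", "ENCODEURL"));

    // Replaces the result of risky functions with a neutral value before the default engine runs.
    static class DenyListEngine extends AbstractCalculationEngine {
        @Override // assumption: returning true routes built-in functions through this engine
        public boolean getProcessBuiltInFunctions() { return true; }

        @Override
        public void calculate(CalculationData data) {
            String name = data.getFunctionName();
            if (name != null && BLOCKED.contains(name.toUpperCase())) {
                data.setCalculatedValue("#BLOCKED!"); // no lookup or request is performed
            }
            // Assumption: functions left without a value fall through to the built-in engine.
        }
    }

    // Refuses every externally referenced resource (linked pictures, external workbooks).
    static class DenyExternalResources implements IStreamProvider {
        @Override
        public void initStream(StreamProviderOptions options) {
            // Assumption: SKIP instructs the library not to fetch the resource at all.
            options.setResourceLoadingType(ResourceLoadingType.SKIP);
        }

        @Override
        public void closeStream(StreamProviderOptions options) { }
    }

    public static void convert(String inputXlsx, String outputPdf) throws Exception {
        LoadOptions load = new LoadOptions();
        load.setResourceLoadingCallback(new DenyExternalResources()); // assumed hook name
        Workbook wb = new Workbook(inputXlsx, load);

        CalculationOptions calc = new CalculationOptions();
        calc.setCustomEngine(new DenyListEngine());
        wb.calculateFormula(calc); // recalculate under the restricted engine before rendering

        wb.save(outputPdf, SaveFormat.PDF);
    }
}
```

Run the conversion in a sandboxed worker with no outbound network and a read-only filesystem as well, so that any hook the library adds in a later version is covered by the process boundary rather than only by these callbacks.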