Security Questions for Aspose.Words for .NET

Hi there,
we’re evaluating the Aspose.Words for .NET product to build and export a KPI dashboard into a Word document format.

From a development standpoint, this work has gone well, and the product does exactly what it claims.

Our security team has questions.

  1. Does any part of the process while using Aspose.Words reach outside of our own servers, with a redirect back to an external server, such as an Aspose site?

  2. Have there been any security breaches on the latest version of the library which caused an external party to gain access to a client’s server?

  3. Does the final Word document created with Aspose.Words pass a threat vulnerability test?

  4. I ran the MS Word Document inspector (Check for Issues on the Info tab), and this reported a nice clean document with no issues. Is there anything in the Aspose.Words library that might cause an issue to be reported?

  5. Are there any other security issues that you think we should be aware of?

thanks

@len.wright

  1. Aspose.Words provides an on-premises API and does not require a connection to the internet to run. During its normal work Aspose.Words does not interact with external resources or servers. However, an Internet connection might be required if the document has external resources, such as images, which need to be downloaded. If there is no internet connection, Aspose.Words simply skips downloading such resources. Also, you can control the work with external resources using IResourceLoadingCallback.

  2. No, we are not aware of such situations. Since Aspose.Words does not execute macros in the processed document, it is not likely this is even possible.

  3. The document creation process is fully transparent and you have full control over the process. You can add macros in the final document, which will be detected as a vulnerability. But in the same way you can remove such macros using Aspose.Words.

  4. The code of Aspose.Words is based on the appropriate document format specifications. In our tests we use document validation tools to make sure the documents produced by Aspose.Words have no issues. Currently there are 60k+ tests in our codebase that test different aspects of the Aspose.Words library.

  5. We regularly check our code for vulnerabilities using SonarQube, so we are sure there are no known vulnerabilities in the Aspose.Words library.
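
The two controls mentioned in the reply (IResourceLoadingCallback and macro removal), shown together as an added example; this is not code from the thread or from Aspose. It needs the Aspose.Words package, and the class name `BlockRemoteResources`, the sample HTML and the output file name are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Aspose.Words;
using Aspose.Words.Loading;

// Fail-closed policy: only absolute local file paths may be loaded.
// http(s), ftp, UNC shares and anything unparseable are skipped and recorded.
class BlockRemoteResources : IResourceLoadingCallback
{
    public List<string> Blocked { get; } = new List<string>();

    public ResourceLoadingAction ResourceLoading(ResourceLoadingArgs args)
    {
        // args.Uri is the location Aspose.Words would actually fetch from.
        bool parsed = Uri.TryCreate(args.Uri, UriKind.Absolute, out Uri uri);
        if (parsed && uri.IsFile && !uri.IsUnc)
            return ResourceLoadingAction.Default;

        Blocked.Add($"{args.ResourceType}: {args.OriginalUri}");
        return ResourceLoadingAction.Skip;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample input: HTML that references an image on a remote host.
        string html = "<p>KPI</p><img src=\"https://example.invalid/logo.png\">";
        var policy = new BlockRemoteResources();
        var options = new LoadOptions
        {
            LoadFormat = LoadFormat.Html,
            ResourceLoadingCallback = policy
        };

        using var input = new MemoryStream(Encoding.UTF8.GetBytes(html));
        var doc = new Document(input, options);

        // Strip VBA macros before the document leaves the server.
        if (doc.HasMacros)
            doc.RemoveMacros();

        doc.Save("dashboard.docx");
        foreach (string entry in policy.Blocked)
            Console.WriteLine("skipped " + entry);
    }
}
```

Logging the skipped entries gives the security team a record of which documents or templates tried to reference something outside the server.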