Vulnerability protection features

We started to evaluate your products, esp. Cells and Words (Java), and I would like to put a question to you in this context.

We would like to generate PDF output based on Excel or Word templates. These templates should most suitably be configured or replaced by administration people at our customers.
So we have security and vulnerability concerns with active content like macros, file access, program calls, communication features and so on.

Does the Aspose suite ensure secure pdf generation?
Do you have features to scan office files for insecure content?
Do you have any FAQs or documentation sites on this topic?

Thanks in advance, Wolfgang

@wlindner

Please note that Aspose APIs do not use any vulnerability. Aspose APIs generate secure PDF and can insecure content of documents. Unfortunately, there is no documentation on vulnerability.

Aspose APIs do not execute or call macros while processing documents. Please share some more detail about this query along with sample document and expected output. We will then provide you more information on it.

Example from “The Absurdly Underestimated Dangers of CSV Injection”:

calc.7z (8.7 KB)

Starts the calculator application on Windows if you open the file with Excel and DDE server start is enabled in the Trust Center.
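As an added illustration of the "scan office files for insecure content" question above (this is not code from the thread or from Aspose), the following Java class walks a workbook loaded with Aspose.Cells for Java and reports formulas that look like DDE invocations (the `app|topic!item` shape of the calc example) or references into other workbooks, plus any external links and data connections the file carries, so an administrator can review a template before it is used. The Aspose.Cells calls (`Workbook`, `WorksheetCollection.get/getCount`, `Cells.iterator`, `Cell.isFormula/getFormula/getName`, `getExternalLinks`, `getDataConnections`) are the public API as I know it and should be checked against the javadoc of the version in use; the file path and the regular expressions are this example's own assumptions.

```java
import com.aspose.cells.Cell;
import com.aspose.cells.Workbook;
import com.aspose.cells.Worksheet;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;

/** Pre-calculation review of a workbook: lists formulas and links that reach outside the file. */
public class TemplateScanner {

    // DDE formulas have the shape =app|topic!item, e.g. the "=cmd|' /C calc'!A0" quoted in this thread.
    private static final Pattern DDE = Pattern.compile("\\|[^!]*!");

    // References into another workbook: [Book.xlsx]Sheet!A1, or a quoted drive/UNC path before the sheet name.
    private static final Pattern EXTERNAL_BOOK =
            Pattern.compile("\\[[^\\]]+\\]|'[A-Za-z]:\\\\|'\\\\\\\\");

    /** Returns a human-readable reason if the formula should be reviewed, otherwise null. */
    static String classify(String formula) {
        if (formula == null) return null;
        if (DDE.matcher(formula).find()) return "DDE-style external program reference";
        if (EXTERNAL_BOOK.matcher(formula).find()) return "reference to an external workbook";
        return null;
    }

    /** Collects findings for every formula cell, external link and data connection in the workbook. */
    public static List<String> scan(Workbook wb) {
        List<String> findings = new ArrayList<>();

        for (int i = 0; i < wb.getWorksheets().getCount(); i++) {
            Worksheet sheet = wb.getWorksheets().get(i);
            Iterator<?> it = sheet.getCells().iterator();   // iterates only initialized cells
            while (it.hasNext()) {
                Cell cell = (Cell) it.next();
                if (!cell.isFormula()) continue;
                String reason = classify(cell.getFormula());
                if (reason != null) {
                    findings.add(sheet.getName() + "!" + cell.getName() + ": " + reason
                            + " -> " + cell.getFormula());
                }
            }
        }

        // Links to other workbooks are stored as metadata; loading does not follow them (per the reply above),
        // but a template administrator still wants to know they exist.
        int links = wb.getWorksheets().getExternalLinks().getCount();
        for (int i = 0; i < links; i++) {
            findings.add("external link: " + wb.getWorksheets().getExternalLinks().get(i).getDataSource());
        }

        // Data connections (databases etc.) are likewise only metadata to Aspose.Cells.
        int conns = wb.getDataConnections().getCount();
        for (int i = 0; i < conns; i++) {
            findings.add("data connection: " + wb.getDataConnections().get(i).getName());
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: point it at the template you want to review.
        Workbook wb = new Workbook(args.length > 0 ? args[0] : "template.xlsx");
        List<String> findings = scan(wb);
        if (findings.isEmpty()) {
            System.out.println("no external references found");
        } else {
            findings.forEach(System.out::println);
        }
    }
}
```

Because loading alone performs no evaluation, this scan can run before any call to `calculateFormula()`; the regular expressions are deliberately broad (they flag for review rather than decide), so a false positive costs an administrator a look at one cell, while a missed pattern is still caught by the calculation engine refusing external references.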

@wlindner,

Thanks for the Excel file.

If MS Excel can open the file, Aspose API will also load/read it. Aspose APIs are file format APIs which target the underlying data (e.g., source XML in the file). But, Aspose APIs won’t load data dynamically from external sources or links. Also, the APIs do not execute macros or other scripts in the files when loading into its object model.

So if I understood you correctly, no evaluation is done when you load the sheets or office file.
But if we change cell data, the resulting cells have to be reevaluated.
I.e. the method Workbook.calculateFormula() has to be called.
What is done with a critical formula like “=2+5+cmd|’ /C calc’!A0” in this case?

Do we have to configure some CalculationOptions to prevent Aspose from evaluating critical formulae? Or does Aspose implement only a secure part of the calculation language?

  1. Do your products include any security certificates or penetration test results?

@wlindner,

Aspose.Cells does not support calculating formulas which involve external references to programs (calls) or external files, or which execute external scripts, so the formula “=2+5+cmd|’ /C calc’!A0” won’t be calculated. Similar critical formulas won’t be calculated either.

Moreover, see the document on supported formulas/functions list by Aspose.Cells formula calculation engine for your reference.

Hi Amjad,

thank you for the reference to supported functions. It seems to me that you support most of the Excel functions, but some are missing, like ACOT/ACOTH, cf.

Is your documentation incomplete or out of date? Or can I request a definite list of supported symbols from the Aspose API?

Wolfgang

@wlindner,

Yes, some built-in MS Excel formulas/functions might be missing, as Aspose.Cells may not support calculating all the MS Excel formulas.

Sure, you may ask for your desired formulas to be supported. Please give us details on which formulas/functions you need to be supported by Aspose.Cells formula calculation engine. We will log appropriate tickets into our database and will try to support those functions soon.

That sounds ok for us, thx.

Another finding:

Here is some “reverse” case. You have the symbol “USDOLLAR” on your list.
I cannot find any documentation on that in excel or online.

@wlindner,

Here is the reference document link:

Is it possible to implement some whitelist for allowed cell calculation functions?
For example with some AbstractCalculationEngine with
getProcessBuiltInFunctions = true

How can I call the built-in implementation from public abstract void calculate(CalculationData var1);?

@wlindner,

See the document with example code on how to implement a custom calculation engine to extend the default calculations, for your reference.

@wlindner,
Additional information for your requirement:
To call the built-in implementation of the calculation and get the calculated result, you may use the getter of CalculationData.CalculatedValue (CalculationData.CalculatedValue | Aspose.Cells for .NET API Reference) before setting your custom result via the setter.
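The whitelist idea from the question above, worked through as an added example (not code from the thread, from Aspose, or from the linked document): a custom engine that opts in to seeing built-in functions, lets only whitelisted function names through to Aspose's own implementation (by reading the calculated value, as the reply describes), and records and neutralizes everything else. Assumptions of this example: the Java method names `getFunctionName()`, `getCalculatedValue()`, `setCalculatedValue()`, `getProcessBuiltInFunctions()` and `CalculationOptions.setCustomEngine()` are the Java spellings of the members named in this thread as I know them and should be checked against the javadoc; the `#NAME?` marker string and the sample whitelist are this example's own choices. Note that the hook sees functions only: operators, cell references and the DDE form discussed earlier are not functions, so for those one relies on Aspose's statement that external references are not calculated.

```java
import com.aspose.cells.AbstractCalculationEngine;
import com.aspose.cells.CalculationData;
import com.aspose.cells.CalculationOptions;
import com.aspose.cells.Workbook;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.ArrayList;
import java.util.Locale;
import java.util.Set;

/** Allows only whitelisted worksheet functions to be evaluated; everything else becomes a #NAME? marker. */
public class WhitelistCalculationEngine extends AbstractCalculationEngine {

    private final Set<String> allowed;
    private final List<String> blocked = new ArrayList<>();

    public WhitelistCalculationEngine(Set<String> allowedFunctionNames) {
        this.allowed = new HashSet<>();
        for (String name : allowedFunctionNames) {
            this.allowed.add(name.toUpperCase(Locale.ROOT));
        }
    }

    /** Ask Aspose.Cells to route built-in functions through calculate() as well, not just unknown ones. */
    @Override
    public boolean getProcessBuiltInFunctions() {
        return true;
    }

    @Override
    public void calculate(CalculationData data) {
        String name = data.getFunctionName().toUpperCase(Locale.ROOT);

        if (allowed.contains(name)) {
            // Reading the value first runs the built-in implementation (per the support reply above);
            // setting it back keeps Aspose's result as the cell value.
            data.setCalculatedValue(data.getCalculatedValue());
        } else {
            // Disallowed or unknown function: do not evaluate, leave a visible marker and log it for review.
            blocked.add(data.getCell().getName() + ": " + data.getFunctionName());
            data.setCalculatedValue("#NAME?");   // marker string chosen for this example
        }
    }

    /** Cells whose functions were refused, for the administrator's report. */
    public List<String> getBlocked() {
        return Collections.unmodifiableList(blocked);
    }

    /** Loads a template and recalculates it with the whitelist in force. */
    public static WhitelistCalculationEngine calculateSafely(Workbook wb, Set<String> allowedFunctions) throws Exception {
        WhitelistCalculationEngine engine = new WhitelistCalculationEngine(allowedFunctions);
        CalculationOptions opts = new CalculationOptions();
        opts.setCustomEngine(engine);
        wb.calculateFormula(opts);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Sample whitelist for this example: arithmetic and lookup only, no functions that touch the outside.
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "SUM", "AVERAGE", "MIN", "MAX", "IF", "ROUND", "VLOOKUP", "INDEX", "MATCH", "TEXT"));

        // Placeholder path: the customer's template.
        Workbook wb = new Workbook(args.length > 0 ? args[0] : "template.xlsx");
        WhitelistCalculationEngine engine = calculateSafely(wb, allowed);

        for (String entry : engine.getBlocked()) {
            System.out.println("blocked: " + entry);
        }
        // The workbook can now be saved or rendered to PDF with only whitelisted functions evaluated.
    }
}
```

Keeping the whitelist small and explicit is the point: a function that is missing from Aspose's supported list simply never reaches the built-in path, and a function that is supported but unwanted (anything that reads files, the web or external data) is refused by name rather than by trying to enumerate risky behaviour.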

ok, thx.

Just two other questions:

  1. With workbook.dataConnections, several data connections, e.g. to databases, can be modified.
    But Aspose does not support the usage of these connections, am I right?
    I.e. Aspose would never try to connect to some configured database? Is there documentation on that? I only found forum posts.

  2. Unfortunately the Java (IDEA-decompiled) code of Aspose is heavily obfuscated and comes without Javadoc. Is there a way to include documentation in IDEA? And the obfuscation is not due to the missing license, I suspect?

Wolfgang

@wlindner,

  1. Your understanding is correct. Aspose.Cells can give you external data connection details or you can manipulate meta data. The APIs do not provide any means to connect to external data source or database to get/extract or manipulate external data.

  2. Could you please elaborate on it and provide details about the issue you are facing in the editor, we will check it soon.

Your sources look like image.png (22.9 KB)
in IntelliJ IDEA. So you deliver your products without (readable) source code? Let’s say we don’t need it, but sometimes source code helps to understand what methods do.
More important would be the doc integration in IntelliJ IDEA. As you can see in image.png (5.3 KB)
there is no installed documentation. Is there a way to install it?

Sorry for the second part; we should read the manual. Javadoc found.

@wlindner,

It looks like you have sorted it out now. Feel free to write us back if you have further queries or comments.

the open question was: “You deliver your products without source code?”

@wlindner,

Please note, Aspose products are not open source, and we do not include the source code with the products when you purchase them. Generally, Aspose libraries/APIs are obfuscated by design to preserve intellectual property rights.