Context : we are using the Spire.Xls .NET library and want to prevent XML External Entity attacks when loading XLSX files with the Spire.Xls library.
As you may know an XLSX file is actually just an archive containing multiple XML files.
Each XML file poses a security threat if it contains DTD tags pointing to malicious DTD files, as they are loaded and processed.
Those attacks are called XML External Entity (XXE) attacks.
To prevent XXE attacks when loading XML, we need to disable DTD (Document Type Definition) processing.
In C#, this can be done by configuring the XmlReaderSettings or XmlDocument to disallow DTDs.
However the loading of XLSX file uses an internal XmlDocument instance that I cannot modify to disable DTD processing.
Any help would be appreciated !
Thanks
Hi,
Thank you for your message.
I'm sorry that our product currently does not provide a relevant method, but I have reported your request to the development team. They will further investigate whether your request can be fulfilled. If we manage to implement this function, we will give you feedback in a timely manner.
Sincerely,
Doris
E-iceblue support team
Thank you for your message.
I'm sorry that our product currently does not provide a relevant method, but I have reported your request to the development team. They will further investigate whether your request can be fulfilled. If we manage to implement this function, we will give you feedback in a timely manner.
Sincerely,
Doris
E-iceblue support team
-
Doris.Liu - Posts: 353
- Joined: Mon Nov 07, 2022 8:10 am
Thank you, we are using version 13.1.1 of Sprire.Xls for .NET.
-
thibaud.comte - Posts: 4
- Joined: Thu Aug 08, 2024 3:41 pm
Hi,
I'm sorry for the late reply over the weekend.
Thank you for the version information you provided, but I'm sorry that we can't modify the version that has been released. All updates and fixes for our products will only be released in new versions. Please understand.
Sincerely,
Doris
E-iceblue support team
I'm sorry for the late reply over the weekend.
Thank you for the version information you provided, but I'm sorry that we can't modify the version that has been released. All updates and fixes for our products will only be released in new versions. Please understand.
Sincerely,
Doris
E-iceblue support team
-
Doris.Liu - Posts: 353
- Joined: Mon Nov 07, 2022 8:10 am
We found a way to prevent XXE attacks in our app.
I cannot post the URL to the webpage explaining how here (the forum editor forbids it).
For those of you interested, you can search "XML External Entity Prevention Cheat Sheet" on owasp.org website.
In our case we were missing a setting in our web.config file for ASP.NET app.
I cannot post the URL to the webpage explaining how here (the forum editor forbids it).
For those of you interested, you can search "XML External Entity Prevention Cheat Sheet" on owasp.org website.
In our case we were missing a setting in our web.config file for ASP.NET app.
Last edited by thibaud.comte on Mon Aug 19, 2024 12:00 pm, edited 1 time in total.
-
thibaud.comte - Posts: 4
- Joined: Thu Aug 08, 2024 3:41 pm
You can mark this post as resolved and don't bother your development team, thank you.
-
thibaud.comte - Posts: 4
- Joined: Thu Aug 08, 2024 3:41 pm
Hi,
Thank you very much for your feedback, and I'm glad you found a solution.
However, our development team has also adjusted the internal code to meet your needs by adding a feature to disable DTD. Once this feature has passed testing, we will release a new version and promptly notify you.
Sincerely,
Doris
E-iceblue support team
Thank you very much for your feedback, and I'm glad you found a solution.
However, our development team has also adjusted the internal code to meet your needs by adding a feature to disable DTD. Once this feature has passed testing, we will release a new version and promptly notify you.
Sincerely,
Doris
E-iceblue support team
-
Doris.Liu - Posts: 353
- Joined: Mon Nov 07, 2022 8:10 am
Hi,
Thanks for your patience.
Glad to inform you we just released new version of Spire.XLS, which implements the new feature of disabling DTD. Please refer to code below and download from the following link to test.
Download: https://www.e-iceblue.com/Download/down ... t-now.html
Sincerely,
Doris
E-iceblue support team
Thanks for your patience.
Glad to inform you we just released new version of Spire.XLS, which implements the new feature of disabling DTD. Please refer to code below and download from the following link to test.
Download: https://www.e-iceblue.com/Download/down ... t-now.html
- Code: Select all
Workbook workbook = new Workbook();
workbook.ProhibitDtd = true;
workbook.LoadFromFile(inputFile);
workbook.SaveToFile(outputFile, ExcelVersion.Version2013);
workbook.Dispose();
Sincerely,
Doris
E-iceblue support team
-
Doris.Liu - Posts: 353
- Joined: Mon Nov 07, 2022 8:10 am
Page 1 of 1