Spire.XLS is a professional Excel API that enables developers to create, manage, manipulate, convert and print Excel worksheets. Get free and professional technical support for Spire.XLS for .NET, Java, Android, C++, Python.

Thu Aug 08, 2024 3:54 pm

Context: we are using the Spire.Xls .NET library and want to prevent XML External Entity attacks when loading XLSX files with the Spire.Xls library.

As you may know an XLSX file is actually just an archive containing multiple XML files.
Each XML file poses a security threat if it contains DTD tags pointing to malicious DTD files, as they are loaded and processed.
Those attacks are called XML External Entity (XXE) attacks.

To prevent XXE attacks when loading XML, we need to disable DTD (Document Type Definition) processing.

In C#, this can be done by configuring the XmlReaderSettings or XmlDocument to disallow DTDs.
However, the loading of an XLSX file uses an internal XmlDocument instance that I cannot modify to disable DTD processing.

Any help would be appreciated!

Thanks

thibaud.comte
 
Posts: 4
Joined: Thu Aug 08, 2024 3:41 pm
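The pre-check described above, as an added example that is not part of the original post or of Spire.XLS: it opens the .xlsx package with System.IO.Compression and parses every XML part with XmlReaderSettings set to DtdProcessing.Prohibit and no resolver, so a file carrying a DTD is rejected before it reaches a parser whose DTD handling cannot be configured. The class name XlsxDtdGuard and the file path are assumptions.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Xml;

// Hypothetical helper (assumed name, not a Spire.XLS API): refuse an .xlsx
// package if any XML part inside it contains a DTD.
static class XlsxDtdGuard
{
    public static void EnsureNoDtd(Stream xlsxStream)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> throws XmlException
            XmlResolver = null                      // never fetch external entities or DTDs
        };

        using var archive = new ZipArchive(xlsxStream, ZipArchiveMode.Read, leaveOpen: true);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            // Only XML-based parts matter: sheets, shared strings, styles and relationships.
            bool isXmlPart = entry.FullName.EndsWith(".xml", StringComparison.OrdinalIgnoreCase)
                          || entry.FullName.EndsWith(".rels", StringComparison.OrdinalIgnoreCase);
            if (!isXmlPart) continue;

            using Stream part = entry.Open();
            using var reader = XmlReader.Create(part, settings);
            try
            {
                while (reader.Read()) { } // full pass; Prohibit aborts on the first DTD
            }
            catch (XmlException ex)
            {
                // Malformed XML is rejected as well: a clean OOXML package never triggers this.
                throw new InvalidDataException(
                    $"Rejected XLSX: part '{entry.FullName}' is malformed or contains a DTD.", ex);
            }
        }
    }
}

// Usage: validate the package first, then hand the same file to the workbook loader.
// string inputFile = "input.xlsx"; // assumed path
// using (FileStream fs = File.OpenRead(inputFile))
//     XlsxDtdGuard.EnsureNoDtd(fs);
```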

Fri Aug 09, 2024 5:42 am

Hi,

Thank you for your message.
I'm sorry that our product currently does not provide a relevant method, but I have reported your request to the development team. They will further investigate whether your request can be fulfilled. If we manage to implement this function, we will give you feedback in a timely manner.

Sincerely,
Doris
E-iceblue support team

Doris.Liu
 
Posts: 353
Joined: Mon Nov 07, 2022 8:10 am

Fri Aug 09, 2024 6:41 am

Thank you, we are using version 13.1.1 of Spire.Xls for .NET.

thibaud.comte
 
Posts: 4
Joined: Thu Aug 08, 2024 3:41 pm

Mon Aug 12, 2024 1:40 am

Hi,

I'm sorry for the late reply over the weekend.
Thank you for the version information you provided, but I'm sorry that we can't modify the version that has been released. All updates and fixes for our products will only be released in new versions. Please understand.

Sincerely,
Doris
E-iceblue support team

Doris.Liu
 
Posts: 353
Joined: Mon Nov 07, 2022 8:10 am

Mon Aug 19, 2024 11:58 am

We found a way to prevent XXE attacks in our app.
I cannot post the URL to the webpage explaining how here (the forum editor forbids it).
For those of you interested, you can search "XML External Entity Prevention Cheat Sheet" on owasp.org website.
In our case we were missing a setting in the web.config file of our ASP.NET app.
Last edited by thibaud.comte on Mon Aug 19, 2024 12:00 pm, edited 1 time in total.

thibaud.comte
 
Posts: 4
Joined: Thu Aug 08, 2024 3:41 pm

Mon Aug 19, 2024 11:59 am

You can mark this post as resolved and don't bother your development team, thank you.

thibaud.comte
 
Posts: 4
Joined: Thu Aug 08, 2024 3:41 pm

Tue Aug 20, 2024 3:12 am

Hi,

Thank you very much for your feedback, and I'm glad you found a solution.
However, our development team has also adjusted the internal code to meet your needs by adding a feature to disable DTD. Once this feature has passed testing, we will release a new version and promptly notify you.

Sincerely,
Doris
E-iceblue support team

Doris.Liu
 
Posts: 353
Joined: Mon Nov 07, 2022 8:10 am

Fri Sep 06, 2024 10:19 am

Hi,

Thanks for your patience.
Glad to inform you that we have just released a new version of Spire.XLS, which implements the new feature of disabling DTD. Please refer to the code below and download from the following link to test.

Download: https://www.e-iceblue.com/Download/down ... t-now.html

Code:
using Spire.Xls;

Workbook workbook = new Workbook();
workbook.ProhibitDtd = true; // reject DTDs in the workbook's XML parts while loading
workbook.LoadFromFile(inputFile);
workbook.SaveToFile(outputFile, ExcelVersion.Version2013);
workbook.Dispose();


Sincerely,
Doris
E-iceblue support team

Doris.Liu
 
Posts: 353
Joined: Mon Nov 07, 2022 8:10 am
