Regarding DAST vulnerability #2829

Open
opened 3 weeks ago by Likitha1096 · 4 comments

Getting "Link to Non-Existing Domain Found" when we scan with DAST for xlsx version 0.18.5. CWE: 601. Any fix recommendation or alternative package?

Thanks in Advance

Owner

Please upgrade to the latest version and test. If the issue persists, please reopen the issue. Instructions:

- https://docs.sheetjs.com/docs/getting-started/installation/frameworks for angular/react/front-end sites
- https://docs.sheetjs.com/docs/getting-started/installation/nodejs for NodeJS
sheetjs closed this issue 3 weeks ago
Poster

Still the issue exists. The vulnerability regarding "Link to Non-Existing Domain Found" is still there and that is related to the links which are present in xlsx.js (the same is attached as a screenshot) as per the DAST (Dynamic Application Security Testing) report.

Likitha1096 reopened this issue 3 weeks ago
Owner

Those are XML namespaces required for valid files that use XML under the hood. This includes XLSX/XLSM, XLSB, ODS/FODS, and SpreadsheetML2003. No network requests are made to those endpoints (or at all in the library).

The ones in the screenshot pertain to document properties. They are explicitly mentioned in the specifications covering XLSX (ISO/IEC 29500 and ECMA-376).

To be sure, according to the whois data, the particular domain openxmlformats.org was registered in 2005 by the Microsoft Corporation:

```
Domain Name: openxmlformats.org
Registry Domain ID: 0a922e3b09784fe79c62fb60ef5673f9-LROR
...
Updated Date: 2022-10-26T05:04:35Z
Creation Date: 2005-10-25T20:06:53Z
Registry Expiry Date: 2023-10-25T20:06:53Z
...
Registrant Organization: Microsoft Corporation
...
Registrant State/Province: WA
...
Registrant Country: US
```

It is unclear how to proceed, since the XML namespaces are more or less required for basic functionality, but it is worth trying to reach out to the support team for DAST (and feel free to reference this discussion and/or ask them to reach out to us).

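As an added example (not code from the SheetJS project), a small dependency-free Node.js script that triages hits of this kind: it pulls URL-looking strings out of a bundle and separates those whose host is a namespace authority named in the specifications above from anything that merits a closer look. The host allowlist and the sample bundle lines are constructed for the example.

```javascript
// Added example, not code from the SheetJS project: triage scanner hits such as
// "Link to Non-Existing Domain Found" by separating XML namespace URIs (which a
// conforming reader compares as opaque strings and never fetches) from URLs that
// genuinely deserve review. Plain Node.js, no dependencies.

// Hosts that act as namespace authorities in the specs cited in the thread
// (ECMA-376 / ISO/IEC 29500) plus the Dublin Core and W3C namespaces used in
// docProps. This allowlist is constructed for the example; extend it as needed.
const NAMESPACE_HOSTS = new Set([
  'schemas.openxmlformats.org', // OOXML packages, SpreadsheetML, relationships
  'schemas.microsoft.com',      // Office extension namespaces (e.g. x14, mc)
  'purl.org',                   // Dublin Core terms in docProps/core.xml
  'www.w3.org',                 // XML Schema, xsi, XML Digital Signatures
]);

// Pull every http(s) URL-looking string out of a source file, deduplicated.
function extractUrls(source) {
  const hits = source.match(/https?:\/\/[^\s"'<>)]+/g) || [];
  return [...new Set(hits)];
}

// Split URLs into namespace identifiers and everything else ("review").
function classifyUrls(source) {
  const report = { namespace: [], review: [] };
  for (const url of extractUrls(source)) {
    let host = null;
    try { host = new URL(url).hostname; } catch (_) { /* malformed: review */ }
    (host && NAMESPACE_HOSTS.has(host) ? report.namespace : report.review).push(url);
  }
  return report;
}

// Constructed stand-in for a few lines of a spreadsheet library bundle: the
// first four URLs are XML namespaces, the last two are ordinary links.
const SAMPLE_BUNDLE = [
  'var XMLNS = { dc: "http://purl.org/dc/elements/1.1/",',
  '  cp: "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",',
  '  xsi: "http://www.w3.org/2001/XMLSchema-instance" };',
  'var CT = "http://schemas.openxmlformats.org/package/2006/content-types";',
  '// docs: https://docs.sheetjs.com/',
  'var CDN = "https://cdn.example-placeholder.invalid/xlsx.js";',
].join('\n');

const triage = classifyUrls(SAMPLE_BUNDLE);
console.log('XML namespace URIs (no network use):', triage.namespace);
console.log('URLs to review with the scanner team:', triage.review);
```

Feed the script the actual bundle your scanner examined (for example by reading the file into `classifyUrls`) to produce the list the maintainer asks for in the next comment, already split into namespace identifiers and genuine links.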
Owner

The best solution at this point would probably be an encoding of the URIs. @Likitha1096 can you provide a complete list of the strings detected by your scanner?

Reference: sheetjs/sheetjs#2829