Regarding DAST vulnerability #2829

New Issue

Likitha1096 · 2022-11-18T07:50:51Z

Likitha1096 commented

2022-11-18 07:50:51 +00:00

Getting "Link to Non-Existing Domain Found" when we scan with DAST for xlsx version 0.18.5.CWE: 601.Any fix recomendation or alternative package.

Thanks in Advance

Getting "Link to Non-Existing Domain Found" when we scan with DAST for xlsx version 0.18.5.CWE: 601.Any fix recomendation or alternative package. Thanks in Advance

sheetjs commented

2022-11-18 08:03:30 +00:00

Please upgrade to the latest version and test. If the issue persists, please reopen the issue. Instructions:

https://docs.sheetjs.com/docs/getting-started/installation/frameworks for angular/react/front-end sites
https://docs.sheetjs.com/docs/getting-started/installation/nodejs for NodeJS

Please upgrade to the latest version and test. If the issue persists, please reopen the issue. Instructions: - https://docs.sheetjs.com/docs/getting-started/installation/frameworks for angular/react/front-end sites - https://docs.sheetjs.com/docs/getting-started/installation/nodejs for NodeJS

sheetjs closed this issue

2022-11-18 08:03:31 +00:00

Likitha1096 commented

2022-11-18 10:36:26 +00:00

Still the issue exist.The vulnerability regarding "Link to Non-Existing Domain Found" is still there and that is related to the links which are present is xlsx.js(The same is attached as screenshot) as per DAST(Dynamic application security testing)report.

image.png

62 KiB

Likitha1096 reopened this issue

2022-11-18 10:40:52 +00:00

sheetjs commented

2022-11-18 10:58:29 +00:00

Those are XML namespaces required for valid files that use XML under the hood. This includes XLSX/XLSM, XLSB, ODS/FODS, and SpreadsheetML2003. No network requests are made to those endpoints (or at all in the library).

The ones in the screenshot pertain to document properties. They are explicitly mentioned in the specifications covering XLSX (ISO/IEC29500 and ECMA-376)

To be sure, according to the whois data, the particular domain openxmlformats.org was registered in 2005 by the Microsoft Corporation:

Domain Name: openxmlformats.org
Registry Domain ID: 0a922e3b09784fe79c62fb60ef5673f9-LROR
...
Updated Date: 2022-10-26T05:04:35Z
Creation Date: 2005-10-25T20:06:53Z
Registry Expiry Date: 2023-10-25T20:06:53Z
...
Registrant Organization: Microsoft Corporation
...
Registrant State/Province: WA
...
Registrant Country: US

It is unclear how to proceed, since the xml namespaces are more or less required for basic functionality, but it is worth trying to reach out to the support team for DAST (and feel free to reference this discussion and/or ask them to reach out to us)

Those are XML namespaces required for valid files that use XML under the hood. This includes XLSX/XLSM, XLSB, ODS/FODS, and SpreadsheetML2003. No network requests are made to those endpoints (or at all in the library). The ones in the screenshot pertain to document properties. They are explicitly mentioned in the specifications covering XLSX (`ISO/IEC29500` and `ECMA-376`) To be sure, according to the whois data, the particular domain `openxmlformats.org` was registered in 2005 by the Microsoft Corporation: ``` Domain Name: openxmlformats.org Registry Domain ID: 0a922e3b09784fe79c62fb60ef5673f9-LROR ... Updated Date: 2022-10-26T05:04:35Z Creation Date: 2005-10-25T20:06:53Z Registry Expiry Date: 2023-10-25T20:06:53Z ... Registrant Organization: Microsoft Corporation ... Registrant State/Province: WA ... Registrant Country: US ``` It is unclear how to proceed, since the xml namespaces are more or less required for basic functionality, but it is worth trying to reach out to the support team for DAST (and feel free to reference this discussion and/or ask them to reach out to us)

sheetjs commented

2022-11-30 10:24:42 +00:00

The best solution at this point would probably be an encoding of the URIs. @Likitha1096 can you provide a complete list of the strings detected by your scanner?

Sign in to join this conversation.