Regarding DAST vulnerability #2829
Getting "Link to Non-Existing Domain Found" when we scan with DAST for xlsx version 0.18.5. CWE: 601. Any fix recommendation or alternative package?
Thanks in Advance
Please upgrade to the latest version and test. If the issue persists, please reopen the issue. Instructions:
- https://docs.sheetjs.com/docs/getting-started/installation/frameworks for angular/react/front-end sites
- https://docs.sheetjs.com/docs/getting-started/installation/nodejs for NodeJS
Still the issue exists. The vulnerability regarding "Link to Non-Existing Domain Found" is still there, and it is related to the links which are present in xlsx.js (the same is attached as a screenshot) as per the DAST (Dynamic Application Security Testing) report.
Those are XML namespaces required for valid files that use XML under the hood. This includes XLSX/XLSM, XLSB, ODS/FODS, and SpreadsheetML2003. No network requests are made to those endpoints (or at all in the library).
The ones in the screenshot pertain to document properties. They are explicitly mentioned in the specifications covering XLSX (
To be sure, according to the whois data, the particular domain
openxmlformats.org was registered in 2005 by the Microsoft Corporation:
Domain Name: openxmlformats.org
Registry Domain ID: 0a922e3b09784fe79c62fb60ef5673f9-LROR
...
Updated Date: 2022-10-26T05:04:35Z
Creation Date: 2005-10-25T20:06:53Z
Registry Expiry Date: 2023-10-25T20:06:53Z
...
Registrant Organization: Microsoft Corporation
...
Registrant State/Province: WA
...
Registrant Country: US
It is unclear how to proceed, since the XML namespaces are more or less required for basic functionality, but it is worth trying to reach out to the support team for DAST (and feel free to reference this discussion and/or ask them to reach out to us).
The best solution at this point would probably be an encoding of the URIs. @Likitha1096 can you provide a complete list of the strings detected by your scanner?
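The triage step the thread leaves to the scanner vendor, as an added example that is neither SheetJS code nor part of the discussion: it pulls every http(s) string out of a bundle and separates XML namespace URIs (identifiers that are declared with xmlns and never requested) from URLs that still deserve review. The namespace host allowlist and the sample bundle text are constructed for the example.

```javascript
// Added example, not code from SheetJS or from the issue: triage a DAST
// "Link to Non-Existing Domain Found" report by separating XML namespace
// URIs (identifiers that are never fetched) from URLs that deserve review.

// Hosts used by namespace URIs of formats the library writes (OOXML
// properties, Dublin Core, XML Schema). Assumption: an illustrative
// allowlist to be extended per project, not a list taken from the thread.
const NAMESPACE_HOSTS = new Set([
  'schemas.openxmlformats.org',
  'schemas.microsoft.com',
  'purl.org',
  'www.w3.org',
]);

const URL_RE = /https?:\/\/[^\s"'`<>)]+/g;

// Returns { namespace: [...], review: [...] } for every distinct http(s)
// URL in `source`. A URL counts as a namespace when its host is allowlisted
// or when it is the value of an xmlns / xmlns:prefix attribute.
function triageUrls(source) {
  const namespace = new Set();
  const review = new Set();
  for (const m of source.matchAll(URL_RE)) {
    const url = m[0];
    // Look at the 40 characters before the match for an xmlns attribute.
    const before = source.slice(Math.max(0, m.index - 40), m.index);
    const asXmlns = /xmlns(:[\w-]+)?\s*=\s*["']$/.test(before);
    let host = null;
    try { host = new URL(url).hostname; } catch (_) { /* keep host null */ }
    if (asXmlns || (host !== null && NAMESPACE_HOSTS.has(host))) {
      namespace.add(url);
    } else {
      review.add(url);
    }
  }
  return { namespace: [...namespace].sort(), review: [...review].sort() };
}

// Constructed sample mimicking what a scanner sees in a bundle: namespace
// declarations from docProps/core.xml plus one constructed real request.
const SAMPLE_SOURCE = `
  '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"' +
  ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">'
  fetch("http://example.invalid/update-check");
`;

console.log(JSON.stringify(triageUrls(SAMPLE_SOURCE), null, 2));
```

Only the entries under `review` are worth forwarding as a finding; the `namespace` entries are the strings the maintainer describes, and the missing DNS records for those hosts are irrelevant because the library never resolves them.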