Regarding DAST vulnerability #2829
Reference: sheetjs/sheetjs#2829
Getting "Link to Non-Existing Domain Found" when we scan with DAST for xlsx version 0.18.5. CWE: 601. Any fix recommendation or alternative package?
Thanks in Advance
Please upgrade to the latest version and test. If the issue persists, please reopen the issue. Instructions:
Still the issue exists. The vulnerability regarding "Link to Non-Existing Domain Found" is still there, and it is related to the links which are present in xlsx.js (the same is attached as a screenshot) as per the DAST (Dynamic Application Security Testing) report.
Those are XML namespaces required for valid files that use XML under the hood. This includes XLSX/XLSM, XLSB, ODS/FODS, and SpreadsheetML2003. No network requests are made to those endpoints (or at all in the library).
The ones in the screenshot pertain to document properties. They are explicitly mentioned in the specifications covering XLSX (ISO/IEC 29500 and ECMA-376). To be sure, according to the whois data, the particular domain openxmlformats.org was registered in 2005 by the Microsoft Corporation:

It is unclear how to proceed, since the XML namespaces are more or less required for basic functionality, but it is worth trying to reach out to the support team for DAST (and feel free to reference this discussion and/or ask them to reach out to us).
The best solution at this point would probably be an encoding of the URIs. @Likitha1096 can you provide a complete list of the strings detected by your scanner?
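As an added example (not code from the SheetJS project or from anyone in this thread), the Node script below does the triage the maintainer asks for in the last comment: it pulls every URL-like string literal out of a JavaScript bundle and separates the ones that are well-known XML namespace identifiers from the formats named above (OOXML per ISO/IEC 29500 / ECMA-376, ODF, SpreadsheetML 2003, plus the Dublin Core and XML Schema namespaces the document-property parts reference) from anything that still needs a human look. The namespace list, the string-literal regex and the sample bundle are this example's own assumptions; the sample is constructed and merely mirrors how an OOXML writer emits `xmlns` attributes.

```javascript
// Added triage helper; not part of SheetJS or of the DAST tool.
// Namespace identifiers (assumed list, taken from the OOXML/ODF/Dublin Core
// specifications) used by the spreadsheet formats discussed above. An XML
// parser compares these as opaque strings and never dereferences them, which
// is why a "non-existing domain" finding on them is not a network exposure.
const KNOWN_NAMESPACES = new Set([
  "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
  "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
  "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
  "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
  "http://purl.org/dc/elements/1.1/",
  "http://purl.org/dc/terms/",
  "http://www.w3.org/2001/XMLSchema-instance",
  "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
  "urn:schemas-microsoft-com:office:spreadsheet",
]);

// Extract every quoted string literal that looks like an absolute URI
// (http, https or urn). Heuristic regex, good enough for a minified bundle.
function extractUriLiterals(source) {
  const re = /(["'])((?:https?:\/\/|urn:)[^"'\s]+)\1/g;
  const found = new Set();
  let m;
  while ((m = re.exec(source)) !== null) found.add(m[2]);
  return [...found];
}

// Split the findings into namespace identifiers (expected, never fetched)
// and everything else, which is the list worth sending to the scanner vendor.
function triageUris(source) {
  const namespaces = [];
  const unknown = [];
  for (const uri of extractUriLiterals(source)) {
    (KNOWN_NAMESPACES.has(uri) ? namespaces : unknown).push(uri);
  }
  return { namespaces, unknown };
}

// Constructed sample standing in for a bundle: a core-properties XML header
// as a writer would emit it, two standalone namespace strings, and one
// unrelated URL to show that the split actually separates the two classes.
const SAMPLE_BUNDLE = `
var CORE_PROPS_XML = '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>';
var EXT_PROPS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties";
var ODS_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0";
var HOMEPAGE = "https://example.invalid/docs";
`;

// Run against the constructed sample; point this at the real bundle text
// (e.g. fs.readFileSync("xlsx.js", "utf8")) to reproduce the scanner's list.
console.log(JSON.stringify(triageUris(SAMPLE_BUNDLE), null, 2));
```

Anything that lands in `unknown` is the short list to discuss with the scanner vendor; the `namespaces` list can be answered with the specification references the maintainer cites above.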