Regarding DAST vulnerability #2829

Closed
opened 2022-11-18 07:50:51 +00:00 by Likitha1096 · 5 comments

Getting "Link to Non-Existing Domain Found" when we scan with DAST for xlsx version 0.18.5. CWE: 601. Any fix recommendation or alternative package?

Thanks in advance

Owner

Please upgrade to the latest version and test. If the issue persists, please reopen the issue. Instructions:

- https://docs.sheetjs.com/docs/getting-started/installation/frameworks for angular/react/front-end sites
- https://docs.sheetjs.com/docs/getting-started/installation/nodejs for NodeJS
Author

The issue still exists. The vulnerability regarding "Link to Non-Existing Domain Found" is still there, and it is related to the links which are present in xlsx.js (the same is attached as a screenshot) as per the DAST (Dynamic Application Security Testing) report.

Owner

Those are XML namespaces required for valid files that use XML under the hood. This includes XLSX/XLSM, XLSB, ODS/FODS, and SpreadsheetML2003. No network requests are made to those endpoints (or at all in the library).

The ones in the screenshot pertain to document properties. They are explicitly mentioned in the specifications covering XLSX (ISO/IEC 29500 and ECMA-376).

To be sure, according to the whois data, the particular domain openxmlformats.org was registered in 2005 by the Microsoft Corporation:

Domain Name: openxmlformats.org
Registry Domain ID: 0a922e3b09784fe79c62fb60ef5673f9-LROR
...
Updated Date: 2022-10-26T05:04:35Z
Creation Date: 2005-10-25T20:06:53Z
Registry Expiry Date: 2023-10-25T20:06:53Z
...
Registrant Organization: Microsoft Corporation
...
Registrant State/Province: WA
...
Registrant Country: US

It is unclear how to proceed, since the XML namespaces are more or less required for basic functionality, but it is worth trying to reach out to the support team for DAST (and feel free to reference this discussion and/or ask them to reach out to us).

Owner

The best solution at this point would probably be an encoding of the URIs. @Likitha1096 can you provide a complete list of the strings detected by your scanner?

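Added example, not code from SheetJS or from anyone in this thread: a small JavaScript triage that makes the namespace explanation above checkable and tries out the URI-encoding idea from the comment above. It generates a minimal `docProps/core.xml` with the namespace URIs that ECMA-376 / ISO/IEC 29500 (plus Dublin Core) assign to that part, classifies every URL-shaped attribute value in an OOXML part by role (namespace declaration, relationship type, or a real `TargetMode="External"` hyperlink target), and contrasts that with what a plain string scanner reports. The `.rels` sample pointing at `example.invalid` is constructed for the example; `classifyUris`, `scannerHits`, `obscureUri` and `ENCODED_CORE_NS` are names made up here, not library API.

```javascript
"use strict";
// Added example, not SheetJS code. Builds the docProps/core.xml part the
// thread's screenshot refers to, triages every URL-shaped attribute value in
// OOXML XML by its role, and shows the "encode the URI" idea from the thread.

// Namespace URIs fixed by ECMA-376 / ISO/IEC 29500 (Dublin Core for the
// core-properties part). They identify vocabularies; nothing dereferences them.
const NS = {
  core: "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
  dc: "http://purl.org/dc/elements/1.1/",
  dcterms: "http://purl.org/dc/terms/",
  pkgRels: "http://schemas.openxmlformats.org/package/2006/relationships",
};

function escapeXml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal docProps/core.xml. The three xmlns declarations are exactly the
// strings a text scanner reports as "links".
function buildCoreProps(title) {
  return (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
    `<cp:coreProperties xmlns:cp="${NS.core}" xmlns:dc="${NS.dc}" xmlns:dcterms="${NS.dcterms}">` +
    `<dc:title>${escapeXml(title)}</dc:title>` +
    "</cp:coreProperties>"
  );
}

// Constructed worksheet relationships part with a real external hyperlink,
// the kind of URL a scanner should care about. Host is .invalid by design.
const SAMPLE_SHEET_RELS =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
  `<Relationships xmlns="${NS.pkgRels}">` +
  '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"' +
  ' Target="https://example.invalid/login" TargetMode="External"/>' +
  "</Relationships>";

// Start tags with double-quoted attributes (enough for machine-generated
// OOXML parts). Not a general XML parser.
const TAG_RE = /<([A-Za-z_][\w.:-]*)((?:\s+[^\s=>]+\s*=\s*"[^"]*")*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)\s*=\s*"([^"]*)"/g;
const ABS_URI_RE = /^https?:\/\//i;

// Report every absolute URL used as an attribute value, with its role:
//   namespace          xmlns / xmlns:prefix declaration (identifier only)
//   relationship-type  OPC Relationship Type URI (identifier only)
//   external-link      Relationship Target with TargetMode="External"
//   other              anything else; worth a human look
function classifyUris(xml) {
  const hits = [];
  for (const tag of xml.matchAll(TAG_RE)) {
    const element = tag[1];
    const attrs = {};
    for (const a of tag[2].matchAll(ATTR_RE)) attrs[a[1]] = a[2];
    for (const [name, value] of Object.entries(attrs)) {
      if (!ABS_URI_RE.test(value)) continue;
      let role = "other";
      if (name === "xmlns" || name.startsWith("xmlns:")) role = "namespace";
      else if (element === "Relationship" && name === "Type") role = "relationship-type";
      else if (element === "Relationship" && name === "Target" && attrs.TargetMode === "External") role = "external-link";
      hits.push({ element, attribute: name, uri: value, role });
    }
  }
  return hits;
}

// What a plain string scanner sees: every absolute URL literal in the text,
// with no notion of the XML role around it.
function scannerHits(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

// The mitigation floated in the thread: keep the URI in source in a form that
// neither a URL regex nor a domain regex matches, and decode it at runtime.
// The written file is unchanged; this only removes the scanner false positive.
function obscureUri(uri) {
  return uri.replace(/[^A-Za-z0-9]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// What NS.core would look like in shipped source after obscureUri():
const ENCODED_CORE_NS =
  "http%3A%2F%2Fschemas%2Eopenxmlformats%2Eorg%2Fpackage%2F2006%2Fmetadata%2Fcore%2Dproperties";

const coreXml = buildCoreProps("Q4 <Report>");
console.log(classifyUris(coreXml));                           // three "namespace" entries
console.log(classifyUris(SAMPLE_SHEET_RELS));                 // namespace, relationship-type, external-link
console.log(scannerHits(ENCODED_CORE_NS).length);             // 0
console.log(decodeURIComponent(ENCODED_CORE_NS) === NS.core); // true
```

The classification gives a usable CWE-601 triage rule: only `external-link` (and `other`) entries can ever be followed by a consumer of the file, so only those merit a look; `namespace` and `relationship-type` entries are identifiers the package would be invalid without. Encoding the literal only hides it from a text scanner and changes nothing about runtime behaviour or the bytes written, so pair it with the explanation above when closing the finding with the DAST vendor.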
Owner

If you can follow up with more details, we can follow up with the relevant vendors.

Reference: sheetjs/sheetjs#2829