Need a minimal secure library file #3070
2 Participants
Reference: sheetjs/sheetjs#3070
I plan to use SheetJS in a secure environment. When I move my xlsx.js file to a more secure environment it gets stripped as (I'm guessing) it has references to several URLs and also foreign characters in it. I can get it to work on lower networks in DoD. Need a vanilla version to work in secure environments. I have no issues moving, for example, the office.js file or the MDB or Bootstrap .js files.
tl;dr: The library must store plaintext or encrypted URLs. It is unavoidable. If a security audit is needed, please ask relevant parties to reach out to security@sheetjs.com for more information.
Under the hood, a number of supported spreadsheet formats (including XLSX and SpreadsheetML2003) use XML.
XML namespaces are specified as URLs. For example, in the linked Wikipedia article, the traditional XHTML namespace is identified as
http://www.w3.org/1999/xhtml
For XLSX, there are a number of required namespaces. Some of the URLs for the namespaces are in
bits/31_rels.js
. The namespace for the workbook metadata is
http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument
and that string must be added to generated XLSX workbooks, which means it must exist in some capacity within the library.

The "workaround" is to programmatically generate the strings. For example, the base64 representation can be stored instead of the raw content. However, the scanners may detect base64-encoded URLs. Without knowing the scanner and its ruleset, we cannot know if a particular strategy will work.
PS: On the general matter of DoD, teams within a number of defense agencies use SheetJS CE and SheetJS Pro builds as-is. It is possible that they needed to seek some sort of approval.
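The following is an added example, not SheetJS code and not something either participant posted. It shows the "workaround" described in the reply above: the two namespace URLs named in the thread are shipped only in base64 form and regenerated at runtime when an XML relationship fragment is built. It then runs two constructed scanners over the shipped source: a naive one that matches plaintext URLs and one that first decodes base64 runs, which is exactly the caveat the reply raises. Everything other than the two namespace strings (the scanner regexes, the `Relationship` fragment, the function names) is an assumption made for illustration, and the code assumes Node (it uses `Buffer`; a browser would use `btoa`/`atob`).

```javascript
// Added example (not SheetJS code). Only the two namespace URLs come from the
// thread; scanners, regexes and function names are constructed for illustration.

// The required namespace URLs the reply says must exist somewhere in the library.
const NS = {
  xhtml: "http://www.w3.org/1999/xhtml",
  officeDocument:
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument",
};

// Round-trip helpers (Node Buffer; browsers would use btoa/atob).
function encodeNamespace(s) {
  return Buffer.from(s, "utf8").toString("base64");
}
function decodeNamespace(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// What an "obfuscated" build would ship: only the encoded table, no plaintext URLs.
const ENCODED_NS = Object.fromEntries(
  Object.entries(NS).map(([key, url]) => [key, encodeNamespace(url)])
);

// Regenerate the namespace at runtime while emitting a relationships fragment
// (hypothetical minimal shape, not the library's own writer).
function buildRelationshipXml(target) {
  const type = decodeNamespace(ENCODED_NS.officeDocument);
  return `<Relationship Id="rId1" Type="${type}" Target="${target}"/>`;
}

// Scanner 1 (constructed): flags plaintext http/https URLs only.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;
function naiveScan(text) {
  return text.match(URL_RE) || [];
}

// Scanner 2 (constructed): additionally decodes every base64-looking run of
// 16+ characters and re-scans the decoded bytes. This models the reply's
// warning that "the scanners may detect base64-encoded URLs".
const B64_RE = /[A-Za-z0-9+/]{16,}={0,2}/g;
function decodingScan(text) {
  const found = new Set(naiveScan(text));
  for (const run of text.match(B64_RE) || []) {
    const decoded = Buffer.from(run, "base64").toString("utf8");
    for (const url of naiveScan(decoded)) found.add(url);
  }
  return [...found];
}

// The source text a content scanner would actually see for the encoded build.
const SHIPPED_SOURCE = `var NS = ${JSON.stringify(ENCODED_NS)};`;

// Summarise both outcomes so a reader can compare the two scanners directly.
function demo() {
  return {
    plaintextHits: naiveScan(SHIPPED_SOURCE),     // [] : encoding hides the URLs
    decodedHits: decodingScan(SHIPPED_SOURCE),    // both URLs : encoding is not a control
    sampleXml: buildRelationshipXml("xl/workbook.xml"),
  };
}

console.log(demo());
```

The point for a defender evaluating such a build: base64 (or any reversible encoding) changes what a pattern-matching scanner sees, not what the artifact contains, so a scanner that normalises encodings before matching recovers the same findings. Whether a given cross-domain transfer tool does that is a property of its ruleset, which is why the reply says the outcome cannot be predicted without knowing the scanner.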