Security: how to force to disable DDE execution #3101
Reference: sheetjs/sheetjs#3101
DDE is an attack that allows running arbitrary code using Excel formulas.
Brief description here: https://community.netwitness.com/t5/netwitness-community-blog/ms-excel-command-execution-without-macros/ba-p/518164
Is there a feature to mitigate it? Or should I remove all the starting "=" from my text cells?
This question has been asked in the past (#1417) and reported to HackerOne years ago (feel free to reach out at https://sheetjs.com/chat for more details).

When parsing files, SheetJS CE does not evaluate formulae. Using the example CSV, A2 will be a string cell whose formula is `cmd|' /c notepad'!A0` and whose value is `=cmd|' /c notepad'!A0`.

CSV exports will preserve formulae, so it is possible to generate a CSV that uses DDE. This behavior aligns with spreadsheet software including Excel.

To ensure no such formula is exported, remove all cell formulae (delete the `f` property of every cell) and convert to CSV with the option `forceQuotes: true`.
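The mitigation described in the reply above, as an added example that is not SheetJS's own code. It operates on a worksheet object laid out the way SheetJS represents sheets (an `!ref` range string plus cells keyed by A1 address with `t`, `v` and optional `f`), strips the `f` property from every cell, and writes CSV with every field quoted. The CSV writer is a stand-in for `XLSX.utils.sheet_to_csv(ws, { forceQuotes: true })` so the file runs without the library; the sample worksheet, the cell-address helpers and the `neutralise` option (the OWASP CSV-injection recommendation of prefixing a single quote to fields that start with `=`, `+`, `-`, `@`, tab or CR) are assumptions added here and go beyond what the reply describes:

```javascript
// Added example (not SheetJS code). Sanitise a SheetJS-shaped worksheet before
// CSV export: delete every cell's `f` (formula), then emit CSV with every field
// quoted. sheetToCsvQuoted() is a stand-in for
// XLSX.utils.sheet_to_csv(ws, { forceQuotes: true }); the real library should be
// used in production. It mirrors the reply's point that an un-stripped formula is
// written out as "=" + f.

// Minimal versions of XLSX.utils.decode_cell / encode_cell (assumed helpers).
function decodeCell(addr) {
  const m = /^([A-Z]+)(\d+)$/.exec(addr);
  if (!m) throw new Error("bad cell address: " + addr);
  let c = 0;
  for (const ch of m[1]) c = c * 26 + (ch.charCodeAt(0) - 64);
  return { c: c - 1, r: parseInt(m[2], 10) - 1 }; // zero-based column/row
}
function encodeCol(c) {
  let s = "";
  for (let n = c + 1; n > 0; n = Math.floor((n - 1) / 26)) {
    s = String.fromCharCode(65 + ((n - 1) % 26)) + s;
  }
  return s;
}
function encodeCell(rc) { return encodeCol(rc.c) + (rc.r + 1); }

// Step 1 of the reply: delete the `f` property of every cell (in place).
// Keys beginning with "!" (e.g. "!ref") are sheet metadata, not cells.
function stripFormulae(ws) {
  let stripped = 0;
  for (const key of Object.keys(ws)) {
    if (key[0] === "!") continue;
    const cell = ws[key];
    if (cell && typeof cell === "object" && "f" in cell) {
      delete cell.f;
      stripped++;
    }
  }
  return stripped;
}

// OWASP CSV-injection trigger characters (defence in depth, optional here).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);
function neutralise(text) {
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]) ? "'" + text : text;
}

// Step 2 of the reply: CSV with every field quoted (forceQuotes semantics).
// A cell that still carries `f` is written as "=" + f, as the reply describes.
function sheetToCsvQuoted(ws, opts = {}) {
  const [start, endMaybe] = ws["!ref"].split(":").map(decodeCell);
  const end = endMaybe || start;
  const rows = [];
  for (let r = start.r; r <= end.r; r++) {
    const fields = [];
    for (let c = start.c; c <= end.c; c++) {
      const cell = ws[encodeCell({ c, r })];
      let text;
      if (cell && cell.f != null) text = "=" + cell.f;
      else if (cell == null || cell.v == null) text = "";
      else text = String(cell.v);
      if (opts.neutralise) text = neutralise(text);
      fields.push('"' + text.replace(/"/g, '""') + '"'); // RFC 4180 quoting
    }
    rows.push(fields.join(","));
  }
  return rows.join("\n");
}

// Both steps together; works on a copy so the caller's sheet is untouched.
function sanitiseForCsv(ws, { neutralise = false } = {}) {
  const copy = JSON.parse(JSON.stringify(ws));
  const stripped = stripFormulae(copy);
  return { csv: sheetToCsvQuoted(copy, { neutralise }), stripped };
}

// Constructed sample worksheet: A2 carries the DDE payload from the reply,
// C2 a harmless formula with a cached value.
const SAMPLE_SHEET = {
  "!ref": "A1:C2",
  A1: { t: "s", v: "name" },
  B1: { t: "s", v: "amount" },
  C1: { t: "s", v: "total" },
  A2: { t: "s", v: "=cmd|' /c notepad'!A0", f: "cmd|' /c notepad'!A0" },
  B2: { t: "n", v: 40 },
  C2: { t: "n", v: 42, f: "B2+2" },
};

console.log("unsanitised:\n" + sheetToCsvQuoted(SAMPLE_SHEET));
console.log("stripped + quoted:\n" + sanitiseForCsv(SAMPLE_SHEET).csv);
console.log("stripped + quoted + neutralised:\n" + sanitiseForCsv(SAMPLE_SHEET, { neutralise: true }).csv);
```

Stripping `f` is what removes the harmless `=B2+2` from the export (its cached value `42` is written instead), but note that A2's value itself still begins with `=` because that is what the parser stored; the optional `neutralise` pass is the extra step that changes that field, and it is not part of the reply's recommendation.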