Security: how to force to disable DDE execution #3101

Closed
opened 2024-04-02 16:47:13 +00:00 by alphonse92 · 1 comment

DDE is an attack that allows running arbitrary code using Excel formulas.

Brief description here: https://community.netwitness.com/t5/netwitness-community-blog/ms-excel-command-execution-without-macros/ba-p/518164

Is there a feature to mitigate it? Or should I remove all the starting "=" from my text cells?

Owner

This question has been asked in the past (https://git.sheetjs.com/sheetjs/sheetjs/issues/1417) and reported to HackerOne years ago (feel free to reach out at https://sheetjs.com/chat for more details).

---

When parsing files, SheetJS CE does not evaluate formulae. Using the example CSV

```
Cell A2,has a,formula
=cmd|' /c notepad'!A0
Cell A2,has a,formula
```

A2 will be a string cell whose formula is `cmd|' /c notepad'!A0` and whose value is `=cmd|' /c notepad'!A0`.

---

CSV exports will preserve formulae, so it is possible to generate a CSV that uses DDE. This behavior aligns with spreadsheet software including Excel.

To ensure no such formula is exported, remove all cell formulae (delete the `f` property of every cell) and convert to CSV with the option [`forceQuotes: true`](https://docs.sheetjs.com/docs/api/utilities/csv#delimiter-separated-output).
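The two-step mitigation in the reply above (parse without evaluating, delete every cell's `f`, export with all fields quoted), shown as an added example. This is not SheetJS code and not part of the reply: the worksheet uses the SheetJS cell shape (`t`, `v`, `f`) and a `!ref` range so the steps read the same way, but `parseCsvNoEval` and `sheetToCsvForceQuotes` are simplified stand-ins written for this illustration, not `XLSX.read` or `XLSX.utils.sheet_to_csv`. The sample CSV is the one quoted in the reply.

```javascript
// Added example, not SheetJS's own code: a small stand-in that models the
// behaviour described in the reply. Cells use the SheetJS cell shape
// ({t, v, f}) and a "!ref" range, but parseCsvNoEval and
// sheetToCsvForceQuotes are simplified substitutes written for this
// illustration, not XLSX.read / XLSX.utils.sheet_to_csv.

// Constructed sample: the three-line CSV quoted in the reply.
const SAMPLE_CSV = [
  "Cell A2,has a,formula",
  "=cmd|' /c notepad'!A0",
  "Cell A2,has a,formula",
].join("\n");

// 0-based column index -> letters (0 -> "A", 26 -> "AA").
function colLetters(c) {
  let s = "";
  for (let n = c + 1; n > 0; n = Math.floor((n - 1) / 26)) {
    s = String.fromCharCode(65 + ((n - 1) % 26)) + s;
  }
  return s;
}

// "B3" -> { r: 2, c: 1 } (0-based row and column)
function decodeCell(addr) {
  const m = /^([A-Z]+)(\d+)$/.exec(addr);
  if (!m) throw new Error("bad cell address: " + addr);
  let c = 0;
  for (const ch of m[1]) c = c * 26 + (ch.charCodeAt(0) - 64);
  return { r: Number(m[2]) - 1, c: c - 1 };
}

// Parse CSV without evaluating anything. A field that starts with "=" becomes
// a string cell whose `f` holds the formula text and whose `v` holds the raw
// field, which is how the reply describes A2: nothing is executed on parse.
function parseCsvNoEval(csv) {
  const ws = {};
  const lines = csv.split(/\r?\n/).filter((line) => line.length > 0);
  let maxC = 0;
  lines.forEach((line, r) => {
    const fields = line.split(","); // the sample contains no quoted commas
    fields.forEach((text, c) => {
      const cell = { t: "s", v: text };
      if (text.startsWith("=")) cell.f = text.slice(1);
      ws[colLetters(c) + (r + 1)] = cell;
    });
    maxC = Math.max(maxC, fields.length - 1);
  });
  ws["!ref"] = "A1:" + colLetters(maxC) + lines.length;
  return ws;
}

// Mitigation step 1 from the reply: delete the `f` property of every cell.
// Returns how many formulae were removed so the caller can log or alert.
function stripFormulae(ws) {
  let removed = 0;
  for (const addr of Object.keys(ws)) {
    if (addr.startsWith("!")) continue;
    if (Object.prototype.hasOwnProperty.call(ws[addr], "f")) {
      delete ws[addr].f;
      removed++;
    }
  }
  return removed;
}

// Mitigation step 2: CSV output with every field quoted (the effect of
// forceQuotes: true). A cell that still has `f` is written as "=" + f, which
// models "CSV exports will preserve formulae"; otherwise its value is written.
function sheetToCsvForceQuotes(ws) {
  const [start, end] = ws["!ref"].split(":").map(decodeCell);
  const rows = [];
  for (let r = start.r; r <= end.r; r++) {
    const row = [];
    for (let c = start.c; c <= end.c; c++) {
      const cell = ws[colLetters(c) + (r + 1)];
      let text = "";
      if (cell && cell.f !== undefined) text = "=" + cell.f;
      else if (cell && cell.v !== undefined) text = String(cell.v);
      row.push('"' + text.replace(/"/g, '""') + '"');
    }
    rows.push(row.join(","));
  }
  return rows.join("\n");
}

// Both steps together. Returns the export, the count of removed formulae and
// the stripped worksheet so callers can inspect what was changed.
function sanitizeCsv(csv) {
  const ws = parseCsvNoEval(csv);
  const removed = stripFormulae(ws);
  return { csv: sheetToCsvForceQuotes(ws), removed, ws };
}

console.log(sanitizeCsv(SAMPLE_CSV).csv);
```

For the sample, the parsed A2 cell carries `f = cmd|' /c notepad'!A0` and `v = =cmd|' /c notepad'!A0`, and after stripping no cell has an `f` property. The exported row is `"=cmd|' /c notepad'!A0","",""`: the text survives as a quoted string field, because the recommendation removes formulae from the worksheet model and quotes the output, not the cell values themselves. Whether a consuming application treats a quoted field with a leading `=` as text depends on that application and its import settings, so the `removed` count is worth logging: a non-zero value on data that should contain no formulae is a useful detection signal before the file leaves your system.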

Reference: sheetjs/sheetjs#3101