vuln(NSWG-ECO-464): exceljs#395
Conversation
@lirantal I'm wondering what the reason is for marking this as an issue with exceljs. In the end it is the responsibility of whoever gets user input to sanitize and validate it with regard to how it's being used, and between an Excel file and JSON I can't really see the difference. In the same respect exceljs has a SQL injection vulnerability:

`sqlConnection.query(`SELECT * FROM user WHERE user_id=${workbook.getCell('A1').value}`);`

a NoSQL vulnerability:

`User.find(JSON.parse(workbook.getCell('A1').value))`

and probably a few dozen other vulnerabilities in code that is careless about inputs.
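The two snippets in the comment above interpolate a cell value straight into a query. As an added example (not code from exceljs or from this thread), here is the defensive counterpart: the cell value is validated into the type the query expects before it is used, the SQL is parameterised, and the NoSQL filter is built from a fixed field rather than parsed out of the cell. `makeCell` is a constructed stand-in for an exceljs cell object so the example runs offline; the `{ formula, result }` shape is the one exceljs uses for formula cells.

```javascript
// Added example, not part of exceljs: treat spreadsheet cell values as untrusted
// input before they reach a database query.

// Constructed stand-in for `workbook.getCell('A1')`: a cell's `.value` may be a
// string, number, Date, null, or an object (e.g. a formula cell), so it is never a
// primitive that can be trusted as-is.
function makeCell(value) {
  return { value };
}

// Coerce an arbitrary cell value to a validated positive integer user id, or throw.
function cellToUserId(cell) {
  const raw = cell && cell.value;
  // Formula cells expose { formula, result }; only the computed result is data.
  const v = raw !== null && typeof raw === 'object' && 'result' in raw ? raw.result : raw;
  if (typeof v === 'number' && Number.isInteger(v) && v > 0) return v;
  if (typeof v === 'string' && /^[1-9]\d{0,17}$/.test(v)) return Number(v);
  throw new TypeError(`cell does not hold a valid user id: ${JSON.stringify(raw)}`);
}

// SQL: pass the validated id as a bound parameter instead of splicing it into the
// query text. The { text, values } shape is what node-postgres style drivers accept.
function buildUserQuery(cell) {
  return { text: 'SELECT * FROM user WHERE user_id = $1', values: [cellToUserId(cell)] };
}

// NoSQL: build the filter from an allow-listed field with a validated scalar value.
// JSON.parse-ing the cell into the filter would let the sheet supply query operators.
function buildUserFilter(cell) {
  return { user_id: cellToUserId(cell) };
}

module.exports = { makeCell, cellToUserId, buildUserQuery, buildUserFilter };
```

A string cell such as `1 OR 1=1` or `{"$where":"..."}` never reaches the driver: `cellToUserId` rejects anything that is not a plain positive integer, so the only thing the spreadsheet can influence is which row id is looked up.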
@yonjah true that it isn't an inherent issue with the library itself, and I couldn't agree more about context being key, as with so many other vulnerabilities related to handling user input. To this end, we indeed resolved the issue without requiring any fix to `.value()` or how it returns data, but instead added a helper method to draw users' attention to that security concern.