Document conversion and SSRF vulnerability #293

Open
ARnikev opened this issue Apr 1, 2022 · 1 comment

ARnikev commented Apr 1, 2022

Hey there!
First of all thanks for your work, great library :).

I'm using your library as a facade to LibreOffice to convert documents from one format to another (mostly any format -> pdf).
The other day I discovered an issue which is not related to your library, but rather to LibreOffice, and I was wondering if it can be fixed somehow by passing particular parameters during a document conversion using jodconverter.

So the issue is that e.g. when I create a .docx/.odt document which contains html tags with links to external or internal files (file on a local server) they are being resolved during the document conversion and therefore make this process vulnerable to SSRF attacks if such a functionality is exposed through a public API.

So I had 3 variants in mind how to fix this:

  1. Providing LoadConverter loadProperties:

```java
final Map<String, Object> loadProperties = new HashMap<>();
loadProperties.put("Hidden", true);
loadProperties.put("ReadOnly", true);
loadProperties.put("UpdateDocMode", UpdateDocMode.NO_UPDATE);
```

But it doesn't help.

  2. Forbid html tags rendering during the document conversion by providing some additional configuration properties to the converter. And here I would like to consult with you, maybe you know if such a configuration exists at all, since I couldn't find one.

  3. Do some sanitisation of the source document by removing/fixing all links to at least local files ("file:///") by using TextReplacerFilter. But it doesn't work because apparently LibreOffice renders html content during the document loading and doesn't allow searching in the html source of the document. I found that there is a view -> HTML source option in LibreOffice, but I have no idea how to enable this view mode through the jodconverter facade.
    By any chance, do you know if it's possible or not? If you don't mind, could you please share how you figure out which options in the LibreOffice/OpenOffice interface can be provided through the jodconverter facade and how to do that?

I would be grateful for any input regarding this matter, thanks!
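
One way to approach the third variant before the document ever reaches LibreOffice, as an added example that is not part of the original post or of jodconverter: scan the .docx/.odt zip package for attributes that point at external or local URIs and reject the upload on a hit. The class name, the attribute list and the size cap are assumptions, and the check is a heuristic that does not cover every link mechanism LibreOffice supports.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import java.util.zip.*;

public class ExternalReferenceScan {
    // Attributes that can point outside the package: OOXML Target, ODF xlink:href, HTML href/src.
    // Conservative on purpose: ordinary hyperlinks are reported too; the caller decides policy.
    private static final Pattern REF = Pattern.compile(
        "(?i)\\b(?:Target|xlink:href|href|src)\\s*=\\s*[\"']\\s*"
        + "((?:file|https?|ftp|smb):[^\"']*|\\\\\\\\[^\"']*|//[^\"']*)[\"']");
    private static final int MAX_ENTRY_BYTES = 20 * 1024 * 1024; // assumed per-part size cap

    /** Returns one "part -> uri" string per external reference found in the zip package. */
    public static List<String> scan(InputStream document) throws IOException {
        List<String> findings = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(document)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                if (e.isDirectory()) continue;
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[8192];
                for (int n; (n = zip.read(chunk)) != -1; ) {
                    buf.write(chunk, 0, n);
                    if (buf.size() > MAX_ENTRY_BYTES) throw new IOException("part too large: " + e.getName());
                }
                Matcher m = REF.matcher(new String(buf.toByteArray(), StandardCharsets.ISO_8859_1));
                while (m.find()) findings.add(e.getName() + " -> " + m.group(1));
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a minimal package with one internal and one external relationship.
        String rels = "<Relationships>"
            + "<Relationship Id=\"rId1\" Target=\"styles.xml\"/>"
            + "<Relationship Id=\"rId2\" Target=\"file:///etc/hostname\" TargetMode=\"External\"/>"
            + "</Relationships>";
        ByteArrayOutputStream pkg = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(pkg)) {
            out.putNextEntry(new ZipEntry("word/_rels/document.xml.rels"));
            out.write(rels.getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        List<String> findings = scan(new ByteArrayInputStream(pkg.toByteArray()));
        findings.forEach(System.out::println); // reject the upload when this list is non-empty
    }
}
```

A pre-scan like this complements, rather than replaces, running the conversion host without outbound network access and with a restricted filesystem view.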

@sbraconnier
Member

Very sorry for the late answer.

Could you tell me if your issue is related to this:
https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/

I'm not sure why the UpdateDocMode.NO_UPDATE does not work.

Do you know if there is a LibreOffice option you can set to fix this problem (Menu Tools->Options)? If yes, maybe you could use the templateProfileDir option.

sbraconnier self-assigned this Sep 15, 2022
sbraconnier added the question and waiting-for-feedback (We need additional information before we can continue) labels Sep 15, 2022