Excel data import protection
Assets can be scanned by an antivirus task when they are uploaded via Excel import. This is done by configuring an External Web Task that points to a third-party security service.
For more information on the antivirus scan, please see Antivirus scan.
Import and export of Excel worksheets
Assets can be imported and exported in bulk via Excel worksheets.
Bulk import of assets
Importing assets from an Excel worksheet triggers the same flow as individual asset uploads, so the assets pass through the antivirus scan, if one is set.
Excel formula injection
A group of security professionals and penetration testers was employed to produce a report on potential security breaches through exporting Excel files. We followed their recommendations and disabled any kind of formula in exported Excel files. This was done by prefixing =, +, - or @ with an apostrophe so that formulae are rendered as plain text. For example, when files are exported, =1+1 is returned as =1+1 and not as 2.
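The prefixing rule described above, as an added example in Python; it is not the product's own code. The function names and sample rows are assumptions made for illustration, as is the choice to touch only string values that start with one of the four characters.

```python
# Added example: neutralise formula-like cell values before an Excel export.
# FORMULA_TRIGGERS mirrors the four characters named in the text above.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return value with a leading apostrophe if it would start a formula.

    Assumption: only strings are touched. Real numbers (including
    negatives), booleans and None are written as typed values, so they
    are passed through unchanged.
    """
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def neutralize_rows(rows):
    """Sanitise every cell and report which cells were changed.

    Returns (clean_rows, changed), where changed is a list of
    (row_index, column_index, original_value) suitable for audit logging.
    """
    clean_rows, changed = [], []
    for r, row in enumerate(rows):
        clean = []
        for c, cell in enumerate(row):
            safe = neutralize_cell(cell)
            if safe is not cell:  # a new string object means it was prefixed
                changed.append((r, c, cell))
            clean.append(safe)
        clean_rows.append(clean)
    return clean_rows, changed


# Constructed sample rows, standing in for asset metadata fields.
SAMPLE_ROWS = [
    ["Title", "Description", "Width"],
    ["logo.png", "=1+1", 640],
    ["@campaign", "-draft-", -12],
    ["photo.jpg", "plain text", 3.5],
]

if __name__ == "__main__":
    rows, changed = neutralize_rows(SAMPLE_ROWS)
    for row in rows:
        print(row)
    print("neutralised cells:", changed)
```

The list of changed cells can be logged at export time to see which asset fields contained formula-like content.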
Macros
Macros are code written using Visual Basic for Applications, commonly used in Microsoft Office documents. They allow the user to automate repetitive tasks by recording specific steps and subsequently running the steps repeatedly in the created macro. However, malicious people could write VBA code to create macros that do harmful things. They could then embed these macros in Office documents. For example, macros can use the VBA SHELL command to run arbitrary commands and programs or use the VBA KILL command to delete files on your hard drive.
We use a third-party library provided by Aspose to manage Excel sheets, which blocks the execution of macros. Aspose.Cells does not support calling VBA functions. For more information on how Aspose.Cells handles the execution of macros, please see Can Aspose Cells run Macros.
Macros are, therefore, not considered to be a threat.