Summary
The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet.

How to fix:
Update phpoffice/phpspreadsheet to 2.3.0 or later. I have updated the package to the latest version, 3.3.0.
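The thread's fix is to move to a patched PhpSpreadsheet, which is the right answer. As a defence-in-depth check at the upload boundary, the following PHP script is an added example; it is not code from webform_xlsx_export or PhpSpreadsheet and does not reproduce PhpSpreadsheet's own scanner. It relies on two general facts: every XXE payload needs a DOCTYPE, and no OOXML part legitimately carries one. Instead of searching the text for a `<!DOCTYPE` token, it asks libxml whether a DOCTYPE was parsed, so layout differences such as whitespace and line breaks do not affect the result. The function names `xmlHasDoctype` and `xlsxPartsWithDoctype` and the demo archive are my own, constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not webform_xlsx_export or PhpSpreadsheet code.
// Idea: an XXE payload needs a DOCTYPE, and no OOXML part legitimately has
// one, so refuse the upload if the XML parser reports a DOCTYPE in any part.
// Asking the parser avoids the brittleness of matching '<!DOCTYPE' as text,
// where layout variations (whitespace, newlines) can defeat the match.

// Never let libxml fetch external DTDs or entities while we scan.
libxml_set_external_entity_loader(static fn () => null);

/**
 * True if the XML string carries a DOCTYPE, as seen by libxml itself.
 * Unparseable input is treated as hostile (fail closed).
 */
function xmlHasDoctype(string $xml): bool
{
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET: no network access. LIBXML_NOENT is deliberately absent,
        // so entity references are left unexpanded during the check.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            return true;
        }
        return $dom->doctype !== null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

/**
 * Names of the XML parts (.xml and .rels) inside an XLSX archive that
 * declare a DOCTYPE. An empty array means the file passed this check.
 */
function xlsxPartsWithDoctype(string $path): array
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        throw new RuntimeException("Cannot open $path as a ZIP archive");
    }
    $flagged = [];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if (!preg_match('/\.(xml|rels)$/i', $name)) {
                continue;
            }
            $xml = $zip->getFromIndex($i);
            if ($xml !== false && $xml !== '' && xmlHasDoctype($xml)) {
                $flagged[] = $name;
            }
        }
    } finally {
        $zip->close();
    }
    return $flagged;
}

// Constructed demo archive: one clean part and one part whose DOCTYPE is
// split across lines and padded with whitespace. Not a real workbook.
$tmp = tempnam(sys_get_temp_dir(), 'xlsx');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
$zip->addFromString('xl/workbook.xml', '<?xml version="1.0"?><workbook/>');
$zip->addFromString(
    'xl/sharedStrings.xml',
    "<?xml version=\"1.0\"?>\n\n   <!DOCTYPE\n\tsst>\n<sst/>"
);
$zip->close();

$parts = xlsxPartsWithDoctype($tmp);
unlink($tmp);
if ($parts !== []) {
    echo "Rejected: DOCTYPE found in " . implode(', ', $parts) . PHP_EOL;
} else {
    echo "No DOCTYPE in any XML part" . PHP_EOL;
}
```

Run it with `php scan.php`; the demo archive is rejected because of `xl/sharedStrings.xml` while `xl/workbook.xml` passes. In a real upload handler the check would run before the file is handed to any spreadsheet reader, and a non-empty result would cause the upload to be refused and logged. The check is a gate, not a substitute for the patched library: the reader itself must still be a version that resolves no external entities.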


Comments

prudloff:

I suppose you are talking about this vulnerability: https://github.com/advisories/GHSA-6hwr-6v2f-3m88
Websites using webform_xlsx_export should already be able to update to phpspreadsheet 2.3.
Furthermore, the module only writes spreadsheets and the vulnerability seems to only apply to reading them.

However, I agree it would be good practice to require a secure version of phpspreadsheet. I just think we should commit #3479305: Stop versioning composer.lock first.
Upgrading to phpspreadsheet 3 might cause breaking changes and would require some testing, so I think this issue should focus on upgrading to 2.3 and I opened another issue about phpspreadsheet 3: #3479307: Support phpspreadsheet 3

jesss:

My export breaks when upgrading to PHPSpreadsheet 2.3.2 but continues to work on version 2.3.0 (the insecure one).

This only appears to happen with larger exports -- this one in particular has 1200+ submissions. The export starts as expected, but mid-batch it crashes with the following error.

PhpOffice\PhpSpreadsheet\Reader\Exception: File "/tmp/classical_countdown_2024.xlsx" does not exist. in PhpOffice\PhpSpreadsheet\Shared\File::assertFile() (line 147 of /code/vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Shared/File.php).

When I downgraded to 2.3.0, the export completed without errors. (Currently on Webform XLSX Export 1.4 with the patch from #3471813: Typed property must not be accessed before initialization applied.)

prudloff:

@jess thank you for reporting this but I think it would be better handled in a separate issue.
If you are able to provide a full stack trace for the error, it would be easier to see what happens exactly.

  • prudloff committed b3fc4d24 on 8.x-1.x
    Issue #3479278 by yanalshoubaki: XXE in PHPSpreadsheet's XLSX reader
    
prudloff:

Status: Active » Fixed

webform_xlsx_export will now prevent users from using 2.2 (because no 2.2 release is secure).

Note however that it is the responsibility of devs using this module to use secure versions of dependencies.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.