views:

80

answers:

2

I currently have a website (ASP.NET 3.5, IIS 7.0) that allows users to upload Excel files for processing. Should I be concerned with viruses and malicious code being executed when the document is opened?

We are currently using the .NET Office Interop assemblies to fetch the information from the document; the information isn't exactly tabular and requires a little bit of interrogation to get it into the required format.

Once the document has been uploaded it will be stored in the database; only when the document is inspected is it written to disk.

Are there any recommendations that would provide a secure implementation?

A: 

Sanitizing is the only way to be sure. Since it's not simply form input, you want to take extra precautions. The simplest method I can imagine is to nuke any binary indicators, like control characters.

As far as best practices go, you can't really tell your users "Please don't hack me", so you have to have a certain level of trust (or give up on Excel files)... I would say if the first pass picks up any binary flags, incinerate it and throw a fairly obtuse error like "error in file format", etc.

But of course, your users will murder you if they ever get that error for a good file.

Anthony
+1

A:

Using the xlsx (Open XML) file format will be safer than using xls or xlsm since xlsx workbooks cannot contain macros.

You might consider using a pure .NET component which does not use COM Interop or any native calls and does not require FullTrust. SpreadsheetGear for .NET is an example of such a component.

Disclaimer: I own SpreadsheetGear LLC

Joe Erickson
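The structural check behind the second answer (accept Open XML .xlsx, reject legacy .xls and macro-enabled .xlsm) can be done before any spreadsheet library or Excel itself touches the file. The validator below is an added example and is not code from the question, from either answer or from SpreadsheetGear; it is written in Python as a stand-alone check of the package structure, and the same rules port to the asker's ASP.NET stack (for instance with System.IO.Packaging, which is an assumption about how one would do it there, not something the page shows). Sample inputs are constructed in-memory packages, not real workbooks. Function names, the size limits and the rejection reasons are all this example's own choices.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic numbers: legacy .xls is an OLE2 Compound File; .xlsx/.xlsm are zip packages.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Content type declared for /xl/workbook.xml in [Content_Types].xml
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Limits chosen for this example; tune to the application's real uploads.
MAX_PARTS = 2000
MAX_UNCOMPRESSED = 50 * 1024 * 1024


def inspect_workbook(data):
    """Return ("accept"|"reject", [reasons]) for an uploaded spreadsheet blob.

    Accepts only a plain Open XML workbook; rejects OLE2 (.xls), macro-enabled
    packages (.xlsm, or any part named vbaProject.bin), embedded OLE objects,
    external workbook links, and malformed or oversized zip containers.
    """
    reasons = []
    if data.startswith(OLE2_MAGIC):
        return "reject", ["legacy binary .xls (OLE2 container) can carry VBA macros"]
    if not data.startswith(ZIP_MAGIC):
        return "reject", ["not an Open XML package (no zip signature)"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "reject", ["corrupt zip container"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_PARTS:
            return "reject", ["too many parts in package"]
        # file_size is the declared uncompressed size from the local headers; a
        # crafted archive can lie, so a streaming read cap is still needed when
        # the parts are actually decompressed. This catches the honest cases.
        if sum(i.file_size for i in infos) > MAX_UNCOMPRESSED:
            return "reject", ["declared uncompressed size exceeds limit (possible zip bomb)"]
        names = [i.filename for i in infos]
        for n in names:
            if n.startswith("/") or ".." in n.split("/"):
                reasons.append("path traversal in part name: " + n)
        if "[Content_Types].xml" not in names or "xl/workbook.xml" not in names:
            return "reject", ["missing [Content_Types].xml or xl/workbook.xml"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("contains vbaProject.bin (VBA macros)")
        # The workbook part's declared content type tells .xlsx and .xlsm apart.
        ct_root = ET.fromstring(zf.read("[Content_Types].xml"))
        wb_ct = None
        for override in ct_root.iter(CT_NS + "Override"):
            if override.get("PartName") == "/xl/workbook.xml":
                wb_ct = override.get("ContentType")
        if wb_ct == MACRO_CT:
            reasons.append("workbook content type is macroEnabled (.xlsm)")
        elif wb_ct != PLAIN_CT:
            reasons.append("unexpected workbook content type: %r" % (wb_ct,))
        if any(n.startswith("xl/embeddings/") for n in names):
            reasons.append("embedded OLE objects present")
        if any(n.startswith("xl/externalLinks/") for n in names):
            reasons.append("external workbook links present")
    return ("reject" if reasons else "accept"), reasons


# --- constructed sample inputs (minimal packages, not real Excel output) ---

def build_package(parts):
    """Zip a {part_name: body} dict into an in-memory Open XML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def content_types(workbook_ct):
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/xl/workbook.xml" ContentType="%s"/>'
            '</Types>' % workbook_ct)


WORKBOOK_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                '<sheets/></workbook>')

SAMPLE_XLSX = build_package({"[Content_Types].xml": content_types(PLAIN_CT),
                             "xl/workbook.xml": WORKBOOK_XML})
SAMPLE_XLSM = build_package({"[Content_Types].xml": content_types(MACRO_CT),
                             "xl/workbook.xml": WORKBOOK_XML,
                             "xl/vbaProject.bin": b"\x00fake-vba"})
SAMPLE_XLS = OLE2_MAGIC + b"\x00" * 504   # OLE2 header only; enough to classify
SAMPLE_TXT = b"just some text"

if __name__ == "__main__":
    for label, blob in [("xlsx", SAMPLE_XLSX), ("xlsm", SAMPLE_XLSM),
                        ("xls", SAMPLE_XLS), ("txt", SAMPLE_TXT)]:
        print(label, inspect_workbook(blob))
```

This is a gate, not a guarantee: a package that passes is free of VBA and legacy binary content, but it can still hold formulas that reach outside the workbook (DDE-style or web-service functions) and data that becomes dangerous when re-exported as CSV, so the parsing step that follows should still run with the least privilege it can, and a COM Interop instance of Excel on the server is exactly the kind of component this check is trying to keep away from untrusted input.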