grierforensics / officedissector Goto Github PK

Hi,

In my opinion there are 2 flaws with extracting self.type, self.is_macro_enabled, self.is_template from the extension:

• when running the tool on malicious files, one usually keeps the document names as per its d5/sha1/sha256, so officedissector will just fail because of no recognized extension
• the macro-enabled extensions indicate that the file may contain macros, not that it does contain.

You can check http://www.decalage.info/files/JCV07_Lagadec_OpenDocument_OpenXML_v4_decalage.pdf for an interesting security assessment.
Marian

Thank you for the work on this project.
Just as you do for Core Properties, is it possible to add support for:

• Extended Properties
  http://schemas.openxmlformats.org/officedocument/2006/relationships/extended-properties

• Extended Properties
  http://schemas.openxmlformats.org/officedocument/2006/relationships/custom-properties

• Document Properties
  http://schemas.openxmlformats.org/officedocument/2006/relationships/officedocument

Thank you.

Hi, i got the following error:
AssertionError: content_type of Part is empty: Part [/[Content_Types].xml]

It happens on completely empty and new .docx file created with latest LibreOffice version
Thanks!

I have an XML file that I can open without any problem with LibreOffice but office dissector fails because the following parameter fails in the document:

<Default Extension="xml" ContentType="application/xml"/>

It seems the document should be considered invalid [1] but as it can be open with LibreOffice, I think office dissector should be able to handle it (the document is legitimate).

My dirty fix (?) right now is to default to self.__content_type = 'application/xml' if the parameter is missing.

[1] https://developer.marklogic.com/blog/smallchanges/2007-11-27 https://msdn.microsoft.com/en-us/library/bb879915%28v=office.12%29.aspx

Hi there - currently, officedissector is vulnerable to a specific type of denial of service using external entitites. For example, an office document containing an external entity linking to /dev/random will wait for /dev/random to return a character, causing officedissector to hang without returning an error or timing out. Some possible solutions:

• Add a timeout for xml parsing. Unfortunately, it's tough to design a timeout that works well for every use case.
• Turn off parsing external entities in lxml. This is an easy switch to flip, however, I'm not sure whether there might sometimes be a valid reason for an office document to contain external entitites.
• Avoid parsing external entities, but list them. This seems like the best solution, because it prevents the dos attack and allows the user to identify documents that might be using the attack with malicious intent. I spent some time looking through the lxml API docs and couldn't find any hints about how to implement this. It looks like some of the standard library xml parsers might offer some solutions, but perhaps at the expense of performance, or requiring significant changes to officedissector.

Any thoughts? I would be interested in helping with the patch, but wanted to get your opinion first.

I'm writing a script to process email attachments and I don't want to touch the disk so I need a way to pass a pseudo file (BytesIO).

It doesn't seems particularly difficult to implement and won't change much of the logic so I may just do a pull requests soon-ish.

http://www.officedissector.com/corpus/fraunhoferlibrary.zip

I find the json representation quite useful. Is is possible to add the Core Properties in there as well?

Also, if you fix issue #10 would be great if you could add those in the json, as well.

Thank you.