From ec5d68be847d453468c3d085275716ec3824bc57 Mon Sep 17 00:00:00 2001 From: Jhoanor Date: Tue, 24 Mar 2020 12:29:49 +0100 Subject: [PATCH 1/6] Update OOXMLBleach.java Open docs without error after bleaching other than OLE_OBJECTs --- .../main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java index 4c0b0602..7471898c 100644 --- a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java +++ b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java @@ -351,10 +351,11 @@ private void sanitize( */ private void replaceRelationship(RelationshipSource pkg, PackageRelationship relationship) { String rId = relationship.getId(); - + String rRT = relationship.getRelationshipType(); pkg.removeRelationship(rId); pkg.addRelationship( - DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, Relations.OPENXML_OLE_OBJECT, rId); + //DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, Relations.OPENXML_OLE_OBJECT, rId); + DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); } private boolean isBlacklistedRelationType(String relationshipType) { From f132648f562f1d534d2ca3cdf6532f7e04d4e39c Mon Sep 17 00:00:00 2001 From: Jhoanor Date: Tue, 24 Mar 2020 18:46:20 +0100 Subject: [PATCH 2/6] Update OOXMLBleach.java prevent errors when opening office files due to other vulnerabilities than oleObjects or due to external targets. --- .../java/xyz/docbleach/module/ooxml/OOXMLBleach.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java index 7471898c..9b26c218 100644 --- a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java +++ b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java @@ -49,6 +49,7 @@ public class OOXMLBleach implements Bleach { private static final String DUMMY_FILE_CONTENT = "BLEACHED"; private static final PackagePartName DUMMY_PACKAGE_PART_NAME = createPartName(DUMMY_FILE_PART_NAME); + private static final String DUMMY_WEB_ADDRESS = "https://127.0.0.1/"; private static final String[] WHITELISTED_RELATIONS = new String[]{ @@ -353,9 +354,12 @@ private void replaceRelationship(RelationshipSource pkg, PackageRelationship rel String rId = relationship.getId(); String rRT = relationship.getRelationshipType(); pkg.removeRelationship(rId); - pkg.addRelationship( - //DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, Relations.OPENXML_OLE_OBJECT, rId); - DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); + //pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, Relations.OPENXML_OLE_OBJECT, rId); + if (relationship.getTargetMode() !=null){ + pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); + } else { + pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); + } } private boolean isBlacklistedRelationType(String relationshipType) { From dcc80fa95674be56448a3807f704b009881fb69b Mon Sep 17 00:00:00 2001 From: Jhoanor Date: Tue, 24 Mar 2020 18:52:29 +0100 Subject: [PATCH 3/6] Update OOXMLBleach.java prevent errors when opening office files due to other vulnerabilities than oleObjects or due to external targets. --- .../src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java | 1 - 1 file changed, 1 deletion(-) diff --git a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java index 9b26c218..a4f0c6cf 100644 --- a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java +++ b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java @@ -354,7 +354,6 @@ private void replaceRelationship(RelationshipSource pkg, PackageRelationship rel String rId = relationship.getId(); String rRT = relationship.getRelationshipType(); pkg.removeRelationship(rId); - //pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, Relations.OPENXML_OLE_OBJECT, rId); if (relationship.getTargetMode() !=null){ pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); } else { From 34a661dafe9b610fcce0bc03e669eab86a1ed49c Mon Sep 17 00:00:00 2001 From: Jhoanor Date: Tue, 24 Mar 2020 18:55:42 +0100 Subject: [PATCH 4/6] Update OOXMLBleach.java prevent errors when opening office files due to other vulnerabilities than oleObjects or due to external targets. --- .../src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java index a4f0c6cf..df498863 100644 --- a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java +++ b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java @@ -354,8 +354,8 @@ private void replaceRelationship(RelationshipSource pkg, PackageRelationship rel String rId = relationship.getId(); String rRT = relationship.getRelationshipType(); pkg.removeRelationship(rId); - if (relationship.getTargetMode() !=null){ - pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); + if (relationship.getTargetMode() != null){ + pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); } else { pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); } From 080b8d0d8b8a1eb0fa4b4e8f62f02b35b4db8f05 Mon Sep 17 00:00:00 2001 From: Jhoanor Date: Tue, 24 Mar 2020 19:06:48 +0100 Subject: [PATCH 5/6] Update OOXMLBleach.java prevent errors when opening office files due to other vulnerabilities than oleObjects or due to external targets. --- .../src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java index df498863..63c1eab7 100644 --- a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java +++ b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java @@ -354,7 +354,7 @@ private void replaceRelationship(RelationshipSource pkg, PackageRelationship rel String rId = relationship.getId(); String rRT = relationship.getRelationshipType(); pkg.removeRelationship(rId); - if (relationship.getTargetMode() != null){ + if (relationship.getTargetMode() == TargetMode.EXTERNAL){ pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); } else { pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); From 9e350b4104091859849045a2dab15ab5601e7609 Mon Sep 17 00:00:00 2001 From: Jhoanor Date: Wed, 8 Apr 2020 13:45:02 +0200 Subject: [PATCH 6/6] Update OOXMLBleach.java --- .../java/xyz/docbleach/module/ooxml/OOXMLBleach.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java index 63c1eab7..593bcbb4 100644 --- a/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java +++ b/module/module-office/src/main/java/xyz/docbleach/module/ooxml/OOXMLBleach.java @@ -354,11 +354,11 @@ private void replaceRelationship(RelationshipSource pkg, PackageRelationship rel String rId = relationship.getId(); String rRT = relationship.getRelationshipType(); pkg.removeRelationship(rId); - if (relationship.getTargetMode() == TargetMode.EXTERNAL){ - pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); - } else { - pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); - } + if (relationship.getTargetMode() == TargetMode.EXTERNAL){ + pkg.addExternalRelationship(DUMMY_WEB_ADDRESS, rRT, rId); + } else { + pkg.addRelationship(DUMMY_PACKAGE_PART_NAME, TargetMode.INTERNAL, rRT, rId); + } } private boolean isBlacklistedRelationType(String relationshipType) {