C# – Secure implementation that allows users to upload Excel documents

asp.net c# excel security

I currently have a website (ASP.NET 3.5, IIS 7.0) that allows users to upload Excel files for processing.

Should I be concerned with viruses and malicious code being executed when the document is opened?

We are currently using the .NET Office.Interop assemblies to fetch the information from the document. The information isn't exactly tabular and requires a little bit of interrogation to get it into the required format.

Once the document has been uploaded it will be stored in the database; only when the document is inspected is it written to disk.

Are there any recommendations that would provide a secure implementation?

Best Answer

Using the xlsx (Open XML) file format will be safer than using xls or xlsm since xlsx workbooks cannot contain macros.

You might consider using a pure .NET component which does not use COM Interop or any native calls and does not require FullTrust. SpreadsheetGear for .NET is an example of such a component.

Disclaimer: I own SpreadsheetGear LLC
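
As an added example (not part of the answer above and not SpreadsheetGear code), one way to enforce the xlsx-only rule on the server is to inspect the uploaded package with `System.IO.Packaging` rather than trusting the file extension. The class and method names are hypothetical, and the sample inputs are constructed in memory.

```csharp
using System;
using System.IO;
using System.IO.Packaging; // WindowsBase.dll (.NET 3.0 and later)

static class XlsxUploadCheck // hypothetical helper name
{
    const string WorkbookType = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml";
    const string VbaType = "application/vnd.ms-office.vbaProject";
    // True only for an Open XML package with a macro-free xlsx workbook part and no VBA part.
    public static bool IsMacroFreeXlsx(Stream upload) // needs a seekable stream
    {
        try
        {
            using (Package pkg = Package.Open(upload, FileMode.Open, FileAccess.Read))
            {
                bool hasWorkbook = false;
                foreach (PackagePart part in pkg.GetParts())
                {
                    // StartsWith also matches the VBA signature part's content type.
                    if (part.ContentType.StartsWith(VbaType, StringComparison.OrdinalIgnoreCase))
                        return false; // VBA project stored in the package
                    if (part.ContentType.Equals(WorkbookType, StringComparison.OrdinalIgnoreCase))
                        hasWorkbook = true;
                }
                return hasWorkbook; // xlsm/xltm workbook parts declare other types
            }
        }
        catch (Exception) { return false; } // legacy .xls (OLE2), corrupt or non-ZIP data
    }
    // Constructed sample input: a minimal in-memory package, optionally with a VBA part.
    static Stream Sample(bool withVba)
    {
        var ms = new MemoryStream();
        using (Package pkg = Package.Open(ms, FileMode.Create))
        {
            AddPart(pkg, "/xl/workbook.xml", WorkbookType);
            if (withVba) AddPart(pkg, "/xl/vbaProject.bin", VbaType);
        }
        return new MemoryStream(ms.ToArray());
    }
    static void AddPart(Package pkg, string uri, string type)
    {
        using (Stream s = pkg.CreatePart(new Uri(uri, UriKind.Relative), type).GetStream()) s.WriteByte(0);
    }
    static void Main()
    {
        Console.WriteLine("plain: {0}, with VBA part: {1}", IsMacroFreeXlsx(Sample(false)), IsMacroFreeXlsx(Sample(true)));
        Console.WriteLine("OLE2 header: {0}", IsMacroFreeXlsx(new MemoryStream(new byte[] { 0xD0, 0xCF, 0x11, 0xE0 })));
    }
}
```

A file that fails the check can be rejected before it is stored in the database or handed to Interop.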