1

Microsoft Excel supports Python scripts (source).

VBScript Macros within Excel are known to be a security risk (source). If I read this emotet article right, then VBScript macros allow arbitrary code execution.

Do the included Python scripts have the same security issues as Excel VBScript Macros? Are the Python scripts sandboxed / restricted in any way?

I don't have Microsoft Excel myself, hence I cannot simply try. I'd be especially curious if external requests (urllib3) or system execution (sys.exec) are possible.

It seems that a few external libraries can be used. But the set seems to closed, e.g. not arbitrary software can be used. As beautifulsoup4 is in that list, I would guess that external requests can be made.

Improve this question
4
  • 1
    Please read the source you link to until the end and then you will find a link to Data security and Python in Excel. Same link you get when you search for python excel security. There you can read about the security aspects. To cite a specific one: "The Python code does not have network access.".
    – Steffen Ullrich
    CommentedDec 14, 2023 at 18:37
  • 1
    Sounds like the sandbox would be similar to VBA in Excel running in the "cloud". Security-wise you should consider whether exposing your excel file to any "cloud" is acceptable.
    – browsermator
    CommentedDec 14, 2023 at 19:12
  • @SteffenUllrich Your link answers my question. Do you want to make it an answer or should I?
    – Martin Thoma
    CommentedDec 15, 2023 at 7:51
  • 1
    @MartinThoma: From my understanding the answer is too easy to find and basically contained in what you link to. So I don't see an added value of adding my own answer here. But feel free to do it yourself.
    – Steffen Ullrich
    CommentedDec 15, 2023 at 11:13

1 Answer 1

Reset to default
2

Microsoft provides the support page Data security and Python in Excel that answers most of this question:

Python in Excel runs in the Microsoft Cloud with the following attributes:

  1. The Python code does not have network access.
  2. The Python code does not have access to your computer, devices, or account.
  3. The container has Python and a curated set of secured libraries provided by Anaconda.
Improve this answer

    You must log in to answer this question.

    Start asking to get answers

    Find the answer to your question by asking.

    Ask question

    Explore related questions

    See similar questions with these tags.