CSV injection
Description
It is possible to inject formulas into fields that are later exported as part of CSV files and can be interpreted by Excel.
Impact
Inject code into fields to create malicious formulas.
Recommendation
Sanitize every field that will be exported, at the moment the CSV file is generated, so that no value can be interpreted as a formula by the spreadsheet application that opens it.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
15 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: L
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: L
Temporal
- Exploit code maturity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
- Score:
  - Base: 5.3
  - Temporal: 5.3
- Severity:
  - Base: Medium
  - Temporal: Medium
Code Examples
Compliant code
All input CSV files have their fields validated so that injected formulas are neutralized before the data leaves the application.
function loadFiles(csvFile) {
  // User csv file could contain harmful fields
  const inputCsv = new InputSource(csvFile);
  try {
    // Sanitize the csv file, escaping leading characters such as "=" and cleaning the data
    const sanitizedCsv = sanitizeFile(inputCsv);
    const dataToServer = convertXls(sanitizedCsv);
    // Only the sanitized, converted data is sent to the server
    upLoadFile(dataToServer, credentials, server);
  } catch (e) {
    throw new Error("Your file could not be uploaded");
  }
}
Non compliant code
An input CSV file is not validated before being uploaded to the application system, so formula-like fields reach the exported file unchanged.
function loadFiles(csvFile) {
  // User csv file could contain harmful fields
  const inputCsv = new InputSource(csvFile);
  // No sanitization step: formula-like fields are passed through untouched
  const dataToServer = convertXls(inputCsv);
  // File being uploaded to server as xls file
  upLoadFile(dataToServer, credentials, server);
}
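The recommendation above and the compliant snippet both rely on a sanitization step that the page leaves unspecified. The following is an added example of such a step, not code from the original page or from any project it describes: a field-level sanitizer that neutralizes the characters a spreadsheet treats as a formula trigger and then quotes the field per RFC 4180. The function names, the trigger set and the sample records are assumptions made for this example.

```javascript
// Added example (not the page's own code): defensive CSV field sanitizer.
// Spreadsheet applications treat a cell whose first character is one of
// these as a formula, so such values are neutralized before export.
// The trigger set is an assumption for this example.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Returns true when the raw value would be interpreted as a formula.
function isFormulaLike(value) {
  return value.length > 0 && FORMULA_TRIGGERS.has(value[0]);
}

// Neutralize a single field: prefix formula-like values with a single quote
// (the spreadsheet then displays the text literally), then quote the field
// so that delimiters and embedded quotes cannot break the CSV structure.
function sanitizeCsvField(value) {
  let text = String(value ?? "");
  if (isFormulaLike(text)) {
    text = "'" + text;
  }
  // RFC 4180 quoting: double every embedded double quote and wrap the field.
  return '"' + text.replace(/"/g, '""') + '"';
}

// Build one CSV line from an array of raw field values.
function toCsvLine(fields) {
  return fields.map(sanitizeCsvField).join(",");
}

// Build a complete CSV document (header plus rows) from untrusted records.
function exportCsv(header, rows) {
  return [header, ...rows].map(toCsvLine).join("\r\n") + "\r\n";
}

// Constructed sample data: the second and third records carry values that
// a spreadsheet would otherwise evaluate or misread as a formula.
const SAMPLE_HEADER = ["name", "note"];
const SAMPLE_ROWS = [
  ["alice", "regular user"],
  ["bob", "=1+1"],
  ["carol", "-5 points, said \"no\""],
];

console.log(exportCsv(SAMPLE_HEADER, SAMPLE_ROWS));
```

Two points worth knowing when adopting this pattern: the leading-quote approach deliberately over-blocks, so legitimate negative numbers such as "-5" also come out as text and must be exported from a numeric column rather than a free-text one if arithmetic on them matters; and sanitizing at export time, as the page recommends, is complementary to rejecting formula-like input at ingestion, not a replacement for it.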