CSV injection
Need
To protect against malicious injection of formulas into fields that are exported as part of CSV files and potentially interpreted by Excel or other spreadsheet software.
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Elixir CSV library for handling CSV files
• Exporting user-provided data to CSV files
Description
1. Non compliant code
defmodule VulnerableApp do
def create_csv(data, filename) do
{:ok, file} = File.open(filename, [:write])
Enum.each(data, fn row ->
IO.write(file, Enum.join(row, ",") <> "\n")
end)
File.close(file)
end...The following Elixir code writes user-provided data directly to a CSV file without sanitization. This allows a user to inject a formula, which could be executed when the CSV file is opened in a spreadsheet software.
2. Steps
• Sanitize user-provided data before exporting it to a CSV file.
• If the data includes numbers or strings that start with '=', '+', '-', '@', consider prepending the string with a single quote (') to prevent spreadsheet software from interpreting it as a formula.
3. Secure code example
defmodule SecureApp do
def create_csv(data, filename) do
{:ok, file} = File.open(filename, [:write])
Enum.each(data, fn row ->
sanitized_row = Enum.map(row, &sanitize_field/1)
IO.write(file, Enum.join(sanitized_row, ",") <> "\n")
end)
end...The following Elixir code sanitizes user-provided data by prepending any field starting with '=', '+', '-', '@' with a single quote, before writing it to a CSV file. This prevents any injected formulas from being interpreted by spreadsheet software.
References
• 090. CSV injection