Javascript Unsafe Csv Injection Fs
Description
This detector identifies CSV injection (also called formula injection) in JavaScript applications that write CSV files through Node.js file system APIs. CSV injection occurs when user-controlled data is written to a CSV file without neutralizing formula triggers: a cell whose first character is =, +, -, @ (or a tab or carriage return) is interpreted as a formula when the file is opened in a spreadsheet application such as Excel or LibreOffice Calc. Depending on the application and its settings, such a formula can exfiltrate the sheet's contents through a crafted hyperlink or, via DDE, reach command execution on the machine of whoever opens the export.
Detection Strategy
• Scans JavaScript code for file system write operations that handle CSV data
• Identifies calls to file system methods (like fs.writeFile, fs.writeFileSync, fs.appendFile) that write CSV content
• Detects when user input or external data is directly written to CSV files without sanitization
• Flags code where a CSV cell could start with a formula trigger character (=, +, -, @, tab or carriage return) and so be evaluated as a formula by spreadsheet applications
• Reports vulnerabilities when potentially dangerous data flows into CSV file operations without proper escaping or validation
Vulnerable code example
const fs = require('fs');
const express = require('express');
const app = express();
app.use(express.json());
app.post('/export/vulnerable', (req, res) => {
const { name, email } = req.body;
...
✅ Secure code example
const fs = require('fs');
const express = require('express');
const app = express();
app.use(express.json());
function sanitizeCSV(value) {
if (typeof value === 'string' && /^[=+\-@\t\r]/.test(value)) {
...