Typescript Unsafe Csv Injection Fast Csv
Description
This detector identifies CSV injection vulnerabilities in TypeScript code when using the fast-csv library. CSV injection occurs when untrusted user input is written to CSV files without proper sanitization, allowing attackers to inject formulas or commands that could execute when the CSV is opened in spreadsheet applications.
Detection Strategy
• Identifies usage of fast-csv library functions that write or format CSV data
• Analyzes data flow to determine if user-controllable input reaches CSV writing operations
• Reports vulnerabilities when untrusted input (from HTTP requests, user input, external sources) flows into fast-csv functions without proper validation or sanitization
• Focuses on scenarios where malicious CSV payloads could be injected through application inputs and written to output files
Vulnerable code example
```typescript
import * as fs from 'fs';
import { Request, Response } from 'express';
import express from 'express';
import * as fastCsv from 'fast-csv';

const app = express();
app.use(express.json()); // request bodies are the untrusted input source
...
```

✅ Secure code example

```typescript
import * as fs from 'fs';
import { Request, Response } from 'express';
import express from 'express';
import * as fastCsv from 'fast-csv';

const app = express();
app.use(express.json()); // request bodies are the untrusted input source
...
```
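As an added illustration of the sanitization step the secure pattern depends on (example code written for this page, not Fluid Attacks' detector or the fast-csv library's own code), the functions below neutralise cells that a spreadsheet would interpret as formulas; the commented `transform` wiring at the end assumes fast-csv's `format()` accepts a per-row `transform` option.

```typescript
// Characters that make spreadsheet applications treat a cell as a formula.
// '\t' and '\r' are included because some applications strip them and then
// re-evaluate the remaining cell text.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Detection side: does this value start with a formula trigger?
function isFormulaLike(value: unknown): boolean {
  if (typeof value !== 'string' || value.length === 0) return false;
  return FORMULA_TRIGGERS.has(value[0]);
}

// Mitigation side: prefix formula-like strings with a single quote so the
// spreadsheet renders the cell as literal text. Non-strings (numbers,
// booleans) and safe strings pass through unchanged. Field quoting and
// escaping of embedded quotes is left to the CSV writer (fast-csv does it).
function sanitizeCell(value: unknown): unknown {
  if (!isFormulaLike(value)) return value;
  // Trade-off: strings such as "-5" are also prefixed; if a column is numeric,
  // convert it to a number before writing so it bypasses this path.
  return `'${value as string}`;
}

// Apply the cell rule to every field of a row object, the shape fast-csv
// consumes when writing objects with headers.
function sanitizeRow(row: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(row)) {
    out[key] = sanitizeCell(value);
  }
  return out;
}

// Constructed sample rows, as they might arrive from req.body.
const sampleRows: Record<string, unknown>[] = [
  { name: 'alice', note: 'plain text', score: 42 },
  { name: '=SUM(A1:A2)', note: '@mention', score: -3 },
];
const cleanedRows = sampleRows.map(sanitizeRow);

// Wiring into fast-csv (assumed API: format() takes a row `transform` option):
//   const stream = fastCsv.format({ headers: true, transform: sanitizeRow });
//   stream.pipe(fs.createWriteStream('export.csv'));
//   stream.write({ name: req.body.name, note: req.body.note });
//   stream.end();
```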