Javascript Unsafe Csv Injection Csv Writer
Description
This detector identifies CSV injection vulnerabilities in JavaScript code when using CSV writer functions. CSV injection occurs when untrusted user input is directly written to CSV files without proper sanitization, allowing attackers to inject malicious formulas or commands that could be executed when the CSV is opened in spreadsheet applications.
Detection Strategy
• Scans JavaScript source code for CSV writer library usage and method calls
• Identifies locations where data is being written to CSV format using writer methods or similar CSV generation functions
• Checks if the data being written to CSV comes from user-controlled sources without proper sanitization
• Reports a vulnerability when untrusted input is directly passed to CSV writer functions without validation or escaping of potentially dangerous characters like =, +, -, or @
Vulnerable code example
const { createObjectCsvWriter } = require('csv-writer');
const csvWriter = createObjectCsvWriter({
  path: 'output.csv',
  header: [
    { id: 'name', title: 'NAME' },
    { id: 'comment', title: 'COMMENT' }
  ]
...
✅ Secure code example
const { createObjectCsvWriter } = require('csv-writer');
function sanitizeCSV(value) {
  // Leading =, +, -, @, tab or carriage return makes spreadsheets treat the cell as a formula
  if (typeof value === 'string' && /^[=+\-@\t\r]/.test(value)) {
    return "'" + value; // Prefix with quote to prevent formula injection
  }
  return value;
}
...
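As an added example (not code from this page or from the csv-writer library), the following dependency-free serializer applies the same single-quote prefixing as the secure example above, adds RFC 4180 field quoting so the prefixed value survives the CSV format itself, and includes an audit helper that reports which cells would have been written as live formulas had the sanitization been skipped. The function names and the sample records are constructed for this illustration.

```javascript
// Added example: a small CSV writer that neutralizes spreadsheet formula
// injection and quotes fields per RFC 4180. Runs offline, no csv-writer needed.

// Leading characters that make a spreadsheet interpret the cell as a formula
// (same set as the sanitizeCSV regex in the secure example).
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

// True when a cell value would be parsed as a formula by a spreadsheet.
function looksLikeFormula(value) {
  return typeof value === 'string' && FORMULA_TRIGGERS.test(value);
}

// Prefix a formula-leading cell with a single quote, which spreadsheets read
// as "this cell is text". Non-string and harmless values pass through unchanged.
function neutralizeFormula(value) {
  return looksLikeFormula(value) ? "'" + value : value;
}

// RFC 4180 quoting: wrap fields containing a comma, double quote or newline in
// double quotes and double any embedded double quote. This is a separate
// concern from formula injection; both steps are needed for a safe file.
function quoteField(value) {
  const s = value === null || value === undefined ? '' : String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Serialize records to CSV text. Every data cell is neutralized first, then
// quoted. Header titles are treated as trusted application constants here.
function toCsv(header, records) {
  const lines = [header.map((h) => quoteField(h.title)).join(',')];
  for (const rec of records) {
    const cells = header.map((h) => quoteField(neutralizeFormula(rec[h.id])));
    lines.push(cells.join(','));
  }
  return lines.join('\r\n') + '\r\n';
}

// Audit helper: list the (row, column) cells that looked like formulas, for
// logging or alerting when untrusted input reaches a CSV export.
function findFormulaCells(header, records) {
  const hits = [];
  records.forEach((rec, row) => {
    for (const h of header) {
      if (looksLikeFormula(rec[h.id])) {
        hits.push({ row, column: h.id, value: rec[h.id] });
      }
    }
  });
  return hits;
}

// Constructed sample input standing in for user-submitted records.
const header = [
  { id: 'name', title: 'NAME' },
  { id: 'comment', title: 'COMMENT' },
];
const untrustedRecords = [
  { name: 'alice', comment: 'all good' },
  { name: 'bob', comment: '=SUM(1,2)' },             // formula-leading cell
  { name: '@mallory', comment: 'said "hi", left' },  // needs both defences
];

console.log(findFormulaCells(header, untrustedRecords));
console.log(toCsv(header, untrustedRecords));
```

The neutralized value for row 2 is written as `"'=SUM(1,2)"`: the quote prefix stops the spreadsheet from evaluating it, and the surrounding double quotes keep the embedded comma from splitting the field. Applying only one of the two steps leaves either an executable formula or a malformed row.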