Typescript Unsafe Csv Injection Fs
Description
This detector identifies CSV injection vulnerabilities in TypeScript code when using filesystem operations. CSV injection occurs when untrusted user input is directly written to CSV files without proper sanitization, allowing attackers to inject malicious formulas or commands that execute when the CSV is opened in spreadsheet applications.
Detection Strategy
• Scans TypeScript source code for filesystem operations that write data to CSV files
• Identifies nodes in the code where data flows from user input sources to CSV file write operations
• Triggers a vulnerability report when untrusted input is written to CSV files without proper sanitization or validation
• Focuses on filesystem-related functions like writeFile, appendFile, or stream operations targeting CSV files
• Detects cases where user-controlled data could contain CSV injection payloads (formulas starting with =, +, -, @)
Vulnerable code example
import * as fs from 'fs';
import { Request, Response } from 'express';
import express from 'express';
const app = express();
app.use(express.json());
app.post('/export/vulnerable', (req: Request, res: Response): void => {...
Secure code example
import * as fs from 'fs';
import { Request, Response } from 'express';
import express from 'express';
const app = express();
app.use(express.json());
function sanitizeCSV(value: string): string {...
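A self-contained sketch of the sanitize-before-write pattern that the secure example's sanitizeCSV points to, added here and not taken from the original page or from Fluid Attacks. The names neutralizeCsvField, toCsvRow, appendRow and demo are hypothetical, the request body is replaced by constructed sample values, and treating tab and carriage return as formula leads is an assumption beyond the four characters the page lists.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Leading characters that make a spreadsheet evaluate a cell as a formula.
// The page lists = + - @; tab and carriage return are an added assumption.
const FORMULA_LEAD = /^[=+\-@\t\r]/;

// Hypothetical helper (not the page's sanitizeCSV): neutralize, then quote.
function neutralizeCsvField(value: unknown): string {
  let text = String(value ?? '');
  if (FORMULA_LEAD.test(text)) {
    text = "'" + text; // leading apostrophe makes the cell plain text
  }
  // Always quote the field and double any embedded quotes so that commas,
  // quotes and newlines in user input cannot start a new cell or row.
  return '"' + text.replace(/"/g, '""') + '"';
}

function toCsvRow(fields: unknown[]): string {
  return fields.map(neutralizeCsvField).join(',') + '\n';
}

// Appends one sanitized row. The file path is chosen by the server, never
// taken from the request.
function appendRow(file: string, fields: unknown[]): string {
  const row = toCsvRow(fields);
  fs.appendFileSync(file, row, { encoding: 'utf8' });
  return row;
}

// Constructed sample values standing in for fields of req.body.
function demo(): string {
  const file = path.join(os.tmpdir(), `export-${process.pid}.csv`);
  fs.writeFileSync(file, toCsvRow(['name', 'comment']));
  appendRow(file, ['alice', '=1+1']);
  appendRow(file, ['bob', 'said "hi", left']);
  const out = fs.readFileSync(file, 'utf8');
  fs.unlinkSync(file);
  return out;
}
```

Legitimately negative numeric fields such as -5 are also prefixed and will import as text; validate those columns as numbers before writing rather than exempting them from the check.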