CWE-1236 Detail

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Background Details

User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script.

Modes Of Introduction

Implementation : The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Name: Other (Undetermined)

Common Consequences

Observed Examples

Potential Mitigations

Phases : Implementation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Phases : Implementation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Phases : Architecture and Design
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-21

CSV Injection
OWASP.
https://owasp.org/www-community/attacks/CSV_Injection

REF-22

Data Extraction to Command Execution CSV Injection
Jamie Rougvie.
https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection

REF-23

The Absurdly Underestimated Dangers of CSV Injection
George Mauer.
https://georgemauer.net/2017/10/07/csv-injection.html

REF-24

Comma Separated Vulnerabilities
James Kettle.
https://rstforums.com/forum/topic/82690-comma-separated-vulnerabilities/

Submission

Modifications