Created on 21 June 2022, over 2 years ago
Updated 8 November 2023, about 1 year ago

Problem/Motivation

Many modern web applications allow data to be exported as comma-separated values (CSV) files for use in other
applications. The data that is exported often contains user-supplied values, such as registration details, feedback
responses, or transaction details. CSV injection occurs when these values contain metacharacters that cause
applications such as Microsoft Excel to evaluate the contents of a cell as a formula.

CSV Injection can allow an attacker to run unauthorised commands to attack other users of the application, or to
exfiltrate sensitive data by concatenating the values of other cells then appending these to a URL parameter in an
HTTP request to an attacker-controlled server.

Steps to reproduce

Enter the text "=1+1" into a text field and then export to a CSV file. The display will show "2".

Proposed resolution

Ensure that any data beginning with “=”, “+”, “-”, or “@” that may be exported to CSV is prepended with an
apostrophe to prevent formula injection.

🐛 Bug report
Status

Needs review

Version

1.0

Component

Code

Created by

🇳🇿New Zealand jlscott


Comments & Activities


  • Core: 9.5.x + Environment: PHP 8.0 & MySQL 5.7 (last update about 1 year ago): 3 pass
  • 🇺🇸United States cindytwilliams Nashville, TN

    This is happening for this module as well. Here is a patch that strips the characters '=', '+', '-', or '@' from the beginning of any data cell before it gets exported, which prevents formulas from executing inside of a spreadsheet.

  • Core: 9.5.x + Environment: PHP 8.0 & MySQL 5.7 (last update about 1 year ago): 3 pass
  • 🇺🇸United States cindytwilliams Nashville, TN

    I changed this to use a different approach. It now uses a regular expression to add a space in front of the formula characters, rather than stripping them out.

  • 🇺🇸United States JonMcL Brooklyn, NY

    Not sure this is working. I set a field value to be =SUM(1,3) and the CSV file had "=SUM(1,3)" for that column.

    But, most importantly, this patch will only work when the output is a CSV file. There are other options with this module, such as XLSX, and this patch will actually alter the data in such a way that it will no longer be a valid XLSX file.

  • 🇮🇳India prasanth_kp

    This patch will only work for CSV format, and for other formats like XLSX, it may cause the file to become invalid. If you're using the CSV Serialization module for exporting data, we can implement a patch there to address this issue, so that it will not affect the XLSX file.
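The apostrophe-prefix mitigation from the proposed resolution, together with the format-gating point raised in the last two comments, as an added example; this is illustrative code, not the module's patch, and the helper names (`sanitizeCsvCell`, `quoteCsvCell`, `serializeRow`) and the sample rows are constructed for it:

```php
<?php
declare(strict_types=1);

// Characters that spreadsheet applications treat as the start of a formula
// when they appear first in a cell. Tab and carriage return are included as a
// conservative assumption, following common CSV-injection guidance.
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Neutralise one cell: prepend an apostrophe when the value would otherwise be
 * parsed as a formula. Unlike stripping the character, this keeps the user's
 * data intact; unlike a leading space, it is reliably treated as text.
 */
function sanitizeCsvCell(string $value): string {
  if ($value !== '' && in_array($value[0], CSV_FORMULA_TRIGGERS, true)) {
    return "'" . $value;
  }
  return $value;
}

/**
 * Quote a cell for CSV output. Embedded double quotes are doubled so a value
 * cannot terminate its own cell and inject extra columns. Quoting alone does
 * not stop evaluation: the CSV parser removes the quotes before the
 * spreadsheet sees "=SUM(1,3)", which is why the comment above still saw it
 * evaluated.
 */
function quoteCsvCell(string $value): string {
  return '"' . str_replace('"', '""', $value) . '"';
}

/**
 * Serialise one row. Formula neutralisation is applied only for the CSV
 * format; rewriting cell data inside other serialisers (XLSX, JSON, ...) is
 * what corrupted the XLSX output in the earlier patch.
 */
function serializeRow(array $cells, string $format): string {
  if ($format !== 'csv') {
    throw new InvalidArgumentException("Only csv is handled here, got: $format");
  }
  $safe = array_map(fn(string $c): string => quoteCsvCell(sanitizeCsvCell($c)), $cells);
  return implode(',', $safe) . "\r\n";
}

// Constructed sample export: one ordinary value and the two formulas from this issue.
$rows = [['alice', 'Great product'], ['bob', '=1+1'], ['carol', '=SUM(1,3)']];
foreach ($rows as $row) {
  echo serializeRow($row, 'csv');   // formula cells are emitted as "'=1+1" and "'=SUM(1,3)"
}
```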
