How do I update files before uploading to prevent CSV Injection?

lukejpreston commented 1 year ago

We trying to sanitise CSV and Spreadsheets to prevent CSV injection, the OWASP link with details on the vulnerability is here

Our proposed solution is:

Set exposeOriginalFile: true
Use the onFileSelected hook to get the file before it is uploaded
Sanitise the originalFile
return {...file, originalFile} as part of the onFileSelected callback if the file has been changed

Expected Behavior

It should upload the changed file

Current Behavior

It uploads the original file, not the changed one

Possible Solution

The ideal solution is to upload the new file as part of the flow
I have also sent an email asking Filestack engineers (maybe this team) whether their virus detection extension could handle this

Context

Here is the code we are using

const onFileSelected = async (file) => {
    let { originalFile } = file;
    if (isVaunerable(originalFile)) originalFile = sanitise(originalFile)
    return { ...file, originalFile };
  };

We have checked a couple of things to debug this

Changing something, like name changes the uploaded file, this works as expected
Deleting the original file or changing it to a string text file, this does nothing

Your Environment

Version used: "filestack-js": "^1.5.1"
Browser Name and version: All
Operating System and version (desktop or mobile): MacOS 12.6

Pralish commented 4 months ago

Hey @lukejpreston , I have a similar requirement. Were you able to make this work? Thank you

lukejpreston commented 4 months ago

@Pralish We never got a satisfactory solution for this. Not all files with functions have CSV injections, and customers would upload legitimate functions and styles in their spreadsheets. Editing files would destroy the functionality. Our solution is to put a warning message up for users. This could be better, but we needed help finding libraries or virus detection tools to find CSV injections.

Some things we found which might be helpful

FileStack has a virus checker (it doesn't catch these issues). If you are executing uploaded files (in-app, server, your machine), it is a good idea to set this up for all possible viruses
If your app generates CSVs from user input, make sure to add ' to their input to prevent any CSV injection
Most tools ask for permission to execute scripts from a CSV. We recommend clients use secure tools to handle their own files

filestack / filestack-js