sonata-project / exporter

Lightweight Exporter library
https://docs.sonata-project.org/projects/exporter
MIT License
438 stars 88 forks source link

Prevent CSV and XLS injection in Writers #429

Open timwentzell opened 3 years ago

timwentzell commented 3 years ago

Feature Request

The export functionality of this bundle allows users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc. The resulting spreadsheet's cells often contain input from untrusted sources such as survey responses, transaction details, and user-supplied content. This is inherently risky, because any cells starting with certain special characters will be interpreted by the spreadsheet software as formulas which can be used to execute payloads. These payloads can compromise a user's system by downloading and running malware as well as giving command line access to a compromised system.

If exported data cells were to contain payloads such as =cmd|' /C calc'!A0 in a CSV or XLS file generated by the this bundle, this payload becomes embedded within that file and will attempt to run upon being opened (mainly on Windows systems). The payload in this example will open the Windows calculator should a user open the file and accept two prompts (unfortunately many users would do this without questioning it).

See https://owasp.org/www-community/attacks/CSV_Injection for more.

Attempting to sanitize data for this specific purpose upon input would be cumbersome as it may come from various input sources. I suggest doing a simple regex filter within the Writer methods for both file formats. I currently have this implemented in another project that is using sonata-project/exporter:^1.11 by overriding the write(array $data) method in each Writer class - however in sonata-project/exporter:^2.0 these Writer classes are now marked as final - so I figure the best solution is to propose this as a security feature update to the Sonata Exporter bundle so we can all benefit from it.

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.