Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Protection against CSV injection attacks
See original GitHub issueWhen importing a CSV file, Microsoft Excel and LibreOffice Calc will both interpret cells beginning with a = as formulae, which can lead to attacks that can result in data exfiltration or arbitrary command execution. [1] This is easily remedied by prefixing cells that begin with =, +, - or @ with a ' in order to suppress automatic interpretation of formulae by these softwares. [2]
I would like to propose an option escapeFormulae for Papa.unparse to provide this prefixing behaviour.
Thanks!
[1] https://owasp.org/www-community/attacks/CSV_Injection [2] https://www.contextis.com/en/blog/comma-separated-vulnerabilities
Issue Analytics
- State:
- Created 3 years ago
- Reactions:3
- Comments:15 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hi there! 👋
My name is Asaf and I’m part of the Snyk Security Team. We have been tracking this issue for a few days now, and an advisory has been mistakenly published. I tend to agree with all the above arguments and do not believe there is a vuln within the context of
papaparse.I have therefore revoked this advisory from our database. I apologize for any inconvenience caused by this.
For further inquiries please don’t hesitate to contact us at report@snyk.io or using the vulnerability disclosure form.
I think interpretation of the data is out of scope for a CSV parser and lends itself to more security problems, not less.