The library is vulnerable to CSV injection
Steps:
- create a worksheet with a cell with the text `=CONCATENATE("1";"2")`
- export as CSV (I used `XLSX.writeFile(wb, 'test.csv')`)
- open in MS Excel

Expected result:
- the cell is rendered as `=CONCATENATE("1";"2")`

Actual result:
- the cell is rendered as `12`
Issue Analytics
- Created 5 years ago
- Comments: 10 (5 by maintainers)
Top GitHub Comments

@gus-sosa if you have time, and can wrap that up in a small function, feel free to add it to the wiki page

Yes, it is. But I assume we could make the escaping of special characters a part of the library. We could enable/disable it by passing a flag into the `write` function for example.