
xlsx formula injection

There is a formula injection bug in pytablewriter:

from pytablewriter import ExcelXlsxTableWriter, JsonTableWriter, HtmlTableWriter, ExcelXlsTableWriter

VALUES = [
    # These ones are OK:
    (HtmlTableWriter, "html"),
    (JsonTableWriter, "json"),
    (ExcelXlsTableWriter, "xls"),
    # Injection on this class:
    (ExcelXlsxTableWriter, "xlsx"),
]

for (Writer, extension) in VALUES:
    writer = Writer()
    writer.table_name = "test"
    writer.headers = ["x"]
    writer.value_matrix = [["=cmd|' /C notepad'!'A1'"]]
    writer.dump("test." + extension)

Note how the content of test.xlsx is different from the content of the other generated files (including test.xls): the input is expanded into a formula instead of being treated as plain text.

This is a security issue: it can be abused to trigger shell command injection or data exfiltration from Excel/LibreOffice. See [1,2,3] for examples of data exfiltration and shell command execution. The examples are in the context of CSV injection but the same payloads can be used here.

[1] https://www.notsosecure.com/data-exfiltration-formula-injection/
[2] http://georgemauer.net/2017/10/07/csv-injection.html
[3] https://youtu.be/C1o5uVOaufU?t=364
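As an added example (not code from the issue, from pytablewriter, or from the escaping interface the maintainer mentions for 0.47.0, whose name is not given on this page), here is a small pre-export sanitizer that neutralizes the payload above by the usual method of prefixing formula-triggering cells with an apostrophe, plus an audit function that reports any cell that would still be parsed as a formula. The trigger list, function names and sample matrix are my own assumptions.

```python
import re
from typing import Any, List, Tuple

# Leading characters that Excel and LibreOffice treat as the start of a
# formula, plus the control characters commonly used to smuggle one past a
# check that only looks for "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")

# Plain decimal numbers such as "-5", "+3.25", ".5"; consulted only when the
# caller opts in to numeric coercion.
_NUMERIC_RE = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)")


class FormulaInjectionError(ValueError):
    """Raised in strict mode when a cell would be exported as a formula."""


def is_formula_like(value: Any) -> bool:
    """True when a string cell would be parsed as a formula by a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: Any, *, strict: bool = False,
                    coerce_numeric: bool = False) -> Any:
    """Return a version of ``value`` that a spreadsheet will store as text.

    Non-string values pass through untouched, so real numbers stay numeric.
    With ``coerce_numeric`` a string such as "-5" becomes the number -5
    instead of the text "'-5". With ``strict`` the function refuses
    formula-like strings rather than rewriting them.
    """
    if not isinstance(value, str):
        return value
    if coerce_numeric and _NUMERIC_RE.fullmatch(value):
        return float(value) if "." in value else int(value)
    if not is_formula_like(value):
        return value
    if strict:
        raise FormulaInjectionError(
            f"refusing to export formula-like cell: {value!r}")
    # A leading apostrophe makes Excel/LibreOffice keep the cell as text.
    return "'" + value


def neutralize_matrix(matrix, **options) -> List[list]:
    """Apply neutralize_cell to every cell of a list-of-rows value matrix."""
    return [[neutralize_cell(cell, **options) for cell in row] for row in matrix]


def audit_matrix(matrix) -> List[Tuple[int, int, str]]:
    """Return (row, column, value) for every cell that still looks like a
    formula; a cheap pre-export gate for a test suite or CI."""
    return [(r, c, cell)
            for r, row in enumerate(matrix)
            for c, cell in enumerate(row)
            if is_formula_like(cell)]


if __name__ == "__main__":
    # Constructed sample matrix; the first cell is the payload from the issue.
    untrusted = [["=cmd|' /C notepad'!'A1'", "alice", -5],
                 ["+SUM(A1:A9)", "bob", "-5"]]
    print("before:", audit_matrix(untrusted))
    safe = neutralize_matrix(untrusted, coerce_numeric=True)
    print("after: ", audit_matrix(safe))
    print(safe)
```

Because the sanitizer works on the value matrix rather than on the file format, the same pass protects csv, xls and xlsx exports alike. The apostrophe prefix does alter the exported data, which is the trade-off the second comment below raises; `strict=True` (reject instead of rewrite) and `coerce_numeric=True` (so a string "-5" is exported as the number -5 rather than the text "'-5") are the two knobs for limiting that damage.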

thombashi commented, Feb 5, 2020

I have added an interface to escape formula injection in pytablewriter 0.47.0

randomstuff commented, Mar 20, 2020

For CSV files, it’s not clear to me what should be done about it. In this case, it’s really more a problem of a consumer than a problem of a producer in my opinion. There is no notion of formula in CSV. All we can do is to use hackish workarounds which could break some input data. I’d think that using .xlsx instead of CSV as output might be a way to avoid the problem of injection when targeting spreadsheet programs which might be vulnerable to this sort of thing.

For .xls files, I don’t know if it is possible to do something similar to what I’m proposing.
