Rule that detects CSV formula injection

ahofman · July 18, 2024, 6:56am

Create a rule that detects code that is writing untrusted data directly to a CSV file or an Excel file without escaping or sanitizing it first.

Untrusted data may contain a formula injection attempt, which can cause a spreadsheet application such as Excel to execute arbitrary commands on the victims machine when the file is opened. See this OWASP article for details.

Noncompliant code:

var stringBuilder = new StringBuilder();
stringBuilder.AppendLine("UserName,Email");
stringBuilder.AppendLine($"{user.Name},{user.Email}");
var csvOutput = stringBuilder.ToString();

Compliant code:

TBD?

I feel that CSV formula injection is a very common security issue, and remediating it fully is not well understood.

Alexandre_Gigleux · July 30, 2024, 8:50am

Hello,

Thanks for the suggestion. I’ve noted it. Let’s see if this feature gets more traction than other opportunities we already identified.

Alex

Topic		Replies	Views
javasecurity:S5145 unclear example compliant solution Report False-positive / False-negative... java , security	9	1070	July 19, 2023
SQLi not detected when using StringBuilder for query SonarQube Server / Community Build java , sonarqube , security , false-negative	6	4209	July 16, 2021
SonarCloud SAST SonarQube Cloud csharp , security , sonarqube-cloud	10	4632	January 24, 2020
Missing rules to detect XSS and html injection in java servlets New rules / language support java , security	3	2210	March 12, 2019
Security rule does not trigger: S5135 (Deserialization should not be vulnerable to injection attacks) Report False-positive / False-negative... java , security , taint-analysis	8	1042	September 22, 2022

Rule that detects CSV formula injection

Related topics