CSV Formula Injection

Ivan Firoavanti asked on November 8, 2018

Hello,
is there a way to avoid CSV formula injection when exporting XSLX ?
Usually, it should be enough using a single quote as prefix (‘) to avoid evil formulas to be executed, but I cannot find a way to do this through your APIs. Could you please advise ? thanks a lot

4 answers

Public
Dmytro Zvazhii Flexmonster November 8, 2018

Hi Ivan!
Thank you for your question. 
Yes, we will add this check in the next minor release 2.6.9 (ETA Dec, 03)
Regards,
  Dmytro

Public
Dmytro Zvazhii Flexmonster December 4, 2018

Hello Ivan,
We are glad to inform you that we have already released an update which prevents an exported Excel formulas from executing.
You are welcome to update the component and try it.
Regards,
Dmyrto

Public
Ivan Firoavanti January 15, 2019

Hi Dmytro,
sorry for the late reply. I see that if you export a “malicious” as Excel it works, but if you try to download a csv file and open it with Excel the problem still persists. Of course you have different warnings telling you that the source is not safe, but basically a formula like this one: =cmd|’/C notepad’!’A1’is not streamed with the ‘ prefix
We are currently using v2.6.9, has this been enhanced in next versions like 2.6.12 ? 
Thanks a lot for your help
Have a nice day!
 

Public
Dmytro Zvazhii Flexmonster January 16, 2019

Hello Ivan,
Thank you for writing to us. There were no updates to CSV export regarding Excel formulas injections.
We will add the necessary improvement to CSV export functionality in the minor release ETA Feb 25.
Regards,
Dmytro

Please login or Register to Submit Answer