CSV injection - C-Sharp

CSV injection - C-Sharp

Need

Prevention of CSV injection attacks

Context

  • Usage of C# for building robust and scalable applications
  • Usage of System for managing system-level operations and resources
  • Usage of System.IO for Input/Output operations in .NET development
  • Usage of System.Text for text encoding and decoding operations
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core

Description

Non compliant code

        using System;
using System.IO;
using System.Text;
using Microsoft.AspNetCore.Mvc;

namespace VulnerableApp.Controllers
{
    public class ExportController : Controller
    {
        [HttpGet]
        public IActionResult ExportData()
        {
            var csv = new StringBuilder();

            // Assume we get data from database.
            var data = new[]
            {
                new {Id = 1, Name = "John", Email = "john@example.com"},
                new {Id = 2, Name = "Jane", Email = "jane@example.com"}
            };

            foreach (var item in data)
            {
                var newLine = $"{item.Id},{item.Name},{item.Email}";
                csv.AppendLine(newLine);
            }

            return File(new MemoryStream(Encoding.UTF8.GetBytes(csv.ToString())), "text/csv", "Data.csv");
        }
    }
}
        
        

The above code is a simple implementation of a method in a controller that exports data to a CSV file in an ASP.NET Core application. The data is assumed to be retrieved from a database, and then it is written to a CSV string line by line. Each line contains the id, name, and email of a user, separated by commas.

The vulnerability lies in the fact that the data is directly written to the CSV without any checks or sanitization. This allows for CSV Injection attacks.

An attacker could inject a malicious formula as part of the user data (for instance, in the Name or Email field). When this data is exported and the CSV file is opened in a spreadsheet program like Excel, the formula will be executed. This can lead to various security issues, such as data exfiltration, remote code execution, etc.

For instance, if an attacker enters =1+1 as their name, when the CSV is opened in Excel, the cell will display 2 instead of =1+1. This is a simple example, but the formula could be much more dangerous, like =CMD|' /C calc'!A0 which can lead to remote code execution.

Steps

  • Sanitize the data before adding it to the CSV file.
  • Use a library or built-in functionality to generate the CSV file instead of manually constructing it.
  • Ensure that the generated CSV file is properly formatted and does not allow the injection of formulas.
  • Validate and restrict the input data to prevent any malicious content from being included in the CSV file.
  • Educate developers about the risks of CSV injection and provide guidelines on secure coding practices.

Compliant code

        using System;
using System.IO;
using System.Text;
using Microsoft.AspNetCore.Mvc;

namespace VulnerableApp.Controllers
{
    public class ExportController : Controller
    {
        [HttpGet]
        public IActionResult ExportData()
        {
            var csv = new StringBuilder();

            // Assume we get data from database.
            var data = new[]
            {
                new {Id = 1, Name = "John", Email = "john@example.com"},
                new {Id = 2, Name = "Jane", Email = "jane@example.com"}
            };

            foreach (var item in data)
            {
                var newLine = $"{item.Id},{Sanitize(item.Name)},{Sanitize(item.Email)}";
                csv.AppendLine(newLine);
            }

            return File(new MemoryStream(Encoding.UTF8.GetBytes(csv.ToString())), "text/csv", "Data.csv");
        }

        private string Sanitize(string input)
        {
            if (input.StartsWith("=") || input.StartsWith("+") || input.StartsWith("-") || input.StartsWith("@"))
            {
                return "'" + input;
            }

            return input;
        }
    }
}
        
        

The above code fixes the CSV Injection vulnerability by sanitizing the data before adding it to the CSV file. The Sanitize method checks if the input string starts with any of the characters that can be used to inject formulas into CSV files ( =, +, -, @). If it does, it prepends a single quote ( ') to the input string. This single quote will be interpreted by Excel as an indicator that the following content should be treated as a string, preventing any formulas from being executed.

This solution also adheres to the principle of using built-in functionality to generate the CSV file instead of manually constructing it. The StringBuilder class is used to construct the CSV file, ensuring that it is properly formatted and does not allow the injection of formulas.

Furthermore, this solution validates and restricts the input data to prevent any malicious content from being included in the CSV file. The Sanitize method ensures that only safe data is included in the CSV file.

Finally, it is important to educate developers about the risks of CSV injection and provide guidelines on secure coding practices. This solution serves as an example of how to securely generate CSV files in ASP.NET Core.

References