CSV/Formula Injection vulnerability in Buttons extension

CSV/Formula Injection vulnerability in Buttons extension

dcookdcook Posts: 3Questions: 0Answers: 0

If a DataTable cell has an Excel formula (e.g. =SUM(1+1) or =cmd|' /C notepad'!'A1'), the exported CSV (but not the exported XLSX) will execute the formula when opened in Microsoft Excel. (For macros, security should typically prevent it actually running in default scenarios, but it will at the very least prompt.)

In many cases, this can be seen as a security vulnerability. OWASP documents it here: https://owasp.org/www-community/attacks/CSV_Injection

(I work on a downstream project that uses DataTables and we've gotten a CVE opened against our project, but the vulnerability comes from the DataTables Buttons extension.)

This was previously discussed a bit in 2019 at https://datatables.net/forums/discussion/57856/excel-command-injection but happy to provide more information here.

The Perl library Text::CSV_XS handles this issue by adding a config option called "formula" to allow a range of different handling of cells containing formulas. That could be a useful addition to the Buttons extension: https://metacpan.org/release/HMBRAND/Text-CSV_XS-1.56/view/CSV_XS.pm#formula

Happy to provide more information as required.

Many thanks. Long time listener, first time caller!

Replies

  • dcookdcook Posts: 3Questions: 0Answers: 0

    Sorry, I meant to say that I've experienced this with DataTables 1.x. We haven't had the time to upgrade to DataTables 2.x yet, although I suspect that it's probably still a problem in 2.x as well. Can't guarantee that though.

  • dcookdcook Posts: 3Questions: 0Answers: 0
    edited October 17

    It looks like if a cell contains a field boundary it will be escaped in the _exportData function (https://github.com/DataTables/Buttons/blob/master/js/buttons.html5.js#L274), so that could be a good place to add some formula handling too.

    My current plan is to use that formatter suggestion from 2019, which should be an OK workaround, but it would be great to have optional handling in the upstream itself.

    const unsafeCharacters = /^[=+\-@\t\r]/;
    if (unsafeCharacters.test(str)) {
    str= "'" + str;
    }
    
  • allanallan Posts: 63,489Questions: 1Answers: 10,470 Site admin

    Thank you for your call. I'm listening :)

    I've committed a change to address this, which adds a new escapeExcelFormula option to the export data method (buttons.exportData()). That is enabled for the CSV export. I've put an example of that here: https://live.datatables.net/balobose/1/edit .

    It will be included in the Buttons 3.2.0 release.

    Allan

Sign In or Register to comment.