After browsing a file I have to check whether a csv file contains a formula or not, in TypeScript or JavaScript. Please help with an npm module or a function, as I need to protect a file from CSV Injection before uploading it. The code below is what I have tried so far; it is just giving me strings like #VALUE!, #NAME!, etc. Instead I want =B1+C1.

var files = e.target.files;
var file = files[0];
if (file) {
    var reader = new FileReader();
    reader.readAsText(file);
    reader.onload = (event: any) => {
        var csv = event.target.result;
        var string = <string>csv;
        // strip all whitespace (global flag, otherwise only the first run is removed)
        // so that ", -" is caught as well as ",-"
        if (string.replace(/\s+/g, "").includes(',-')) {
            this.service.openSnackBar('PLEASE UPLOAD A VALID FILE', '');
            e.target.value = ''; // reset the input so the same file can be chosen again
        } else if (string.includes("+") || string.includes("=")) {
            this.service.openSnackBar('PLEASE UPLOAD A VALID FILE', '');
            e.target.value = '';
        } else {
            // if valid, upload to server
        }
    }
}
jonatjano
Ayjaz Sayed

1 Answer

I was surprised to hear that CSVs could have embedded functions - I always thought that CSVs were simply text files, and relatively "safe" from vulnerabilities.

This is from OWASP (the Open Web Application Security Project):

https://owasp.org/www-community/attacks/CSV_Injection

This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)

So that's probably a good place to start:

  1. Read your .csv a line at a time and parse into columns (e.g. string.split(','))
  2. Ensure no column begins with any of the four characters above: =, +, - or @

Also read this post: Is there a way to programmatically insert formulas into a csv file using vb.net?

paulsm4
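The two steps in the answer above (read the CSV a line at a time, split it into columns, and reject any column that begins with =, +, - or @), written out in TypeScript as an added example; this is not code from the question or the answer. It also addresses what the question's snippet does, since that snippet rejects a file as soon as a + or = appears anywhere in it, while the check below looks at the first character of each parsed cell, so =B1+C1 is flagged but "a+b" in the middle of a value is not. Two choices here are my assumptions rather than anything stated on the page: leading whitespace in a cell is ignored before the check (conservative, so " =1+1" is still flagged), and a cell that is a plain signed number such as -12.5 is not treated as a formula, since a bare minus there is a sign, not a formula trigger. The function names, the single-quote neutralisation in neutralizeCell and the sample CSV are all constructed for the example.

```typescript
// Characters that make a spreadsheet treat a cell as a formula (from the OWASP list quoted above).
const FORMULA_TRIGGERS = new Set<string>(["=", "+", "-", "@"]);

// A plain signed number: "-12.5", "+3", "7". Assumption: such cells are data, not formulas.
const PLAIN_NUMBER = /^\s*[+-]?\d+(\.\d+)?\s*$/;

interface SuspectCell {
  row: number;    // 1-based line number in the file
  column: number; // 1-based column index
  value: string;  // raw cell content
}

// Split one CSV record into fields, honouring double-quoted fields, so that a comma
// inside quotes does not split the cell and a trigger hidden inside quotes is still seen.
// A naive line.split(',') would get both cases wrong.
function parseCsvLine(line: string): string[] {
  const fields: string[] = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"') {
        if (line[i + 1] === '"') { current += '"'; i++; } // "" is an escaped quote
        else inQuotes = false;
      } else {
        current += ch;
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ",") {
      fields.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  fields.push(current);
  return fields;
}

// True when the cell's first non-blank character is a formula trigger
// and the cell is not simply a signed number.
function isFormulaCell(cell: string): boolean {
  if (PLAIN_NUMBER.test(cell)) return false;
  const first = cell.replace(/^\s+/, "").charAt(0);
  return FORMULA_TRIGGERS.has(first);
}

// Scan the whole file text and report every cell that would be interpreted as a formula.
function findFormulaCells(csv: string): SuspectCell[] {
  const hits: SuspectCell[] = [];
  csv.split(/\r?\n/).forEach((line, r) => {
    if (line === "") return; // skip the empty trailing line most files end with
    parseCsvLine(line).forEach((cell, c) => {
      if (isFormulaCell(cell)) hits.push({ row: r + 1, column: c + 1, value: cell });
    });
  });
  return hits;
}

// One common mitigation: prefix a flagged cell with a single quote so a spreadsheet
// reads it as text. Unflagged cells are returned unchanged.
function neutralizeCell(cell: string): string {
  return isFormulaCell(cell) ? "'" + cell : cell;
}

// Re-quote a field when serialising, so commas, quotes and newlines inside it survive.
function quoteField(cell: string): string {
  return /[",\r\n]/.test(cell) ? `"${cell.replace(/"/g, '""')}"` : cell;
}

// Rewrite the whole file with every formula cell neutralised.
function sanitizeCsv(csv: string): string {
  return csv
    .split(/\r?\n/)
    .map(line => (line === "" ? line : parseCsvLine(line).map(neutralizeCell).map(quoteField).join(",")))
    .join("\n");
}

// Constructed sample input: one benign quoted cell, one negative number, three formula cells.
const SAMPLE_CSV = [
  "name,amount,note",
  'alice,-12.5,"hello, world"',
  "bob,3,=B1+C1",
  '"+A1",7,@SUM(A1:A2)',
].join("\n");

console.log(findFormulaCells(SAMPLE_CSV)); // three hits: (3,3) =B1+C1, (4,1) +A1, (4,3) @SUM(A1:A2)
console.log(sanitizeCsv(SAMPLE_CSV));
```

In the question's upload handler the whole-file includes() checks would be replaced by findFormulaCells(string): a non-empty result means the file should be rejected (or passed through sanitizeCsv first), and the row and column in each hit give the user something more useful than "PLEASE UPLOAD A VALID FILE". Whether to reject or neutralise depends on whether the data legitimately needs cells that start with these characters; the numeric exemption is the one place where this example deliberately lets a leading minus or plus through.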