CWE-1236
Improper Neutralization of Formula Elements in a CSV File
AI Translation Available
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Status
incomplete
Abstraction
base
Affected Platforms
Other
Technical Details
AI Translation
Common Consequences
confidentiality
Impacts
read application data
execute unauthorized code or commands
Detection Methods
automated static analysis
Potential Mitigations
Phases:
implementation
architecture and design
Descriptions:
•
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
•
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
•
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.