python.lang.security.unquoted-csv-writer.unquoted-csv-writer

Verifed by r2c
Community Favorite
profile photo of semgrepsemgrep
Author
156,288
Download Count*
LGPL Commons Clause
License

This rule is deprecated.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: unquoted-csv-writer
    patterns:
      - pattern: a()
      - pattern: b()
    message: This rule is deprecated.
    metadata:
      cwe:
        - "CWE-1236: Improper Neutralization of Formula Elements in a CSV File"
      owasp: A01:2017 - Injection
      references:
        - https://github.com/returntocorp/semgrep-rules/issues/2351
      category: security
      technology:
        - python
      deprecated: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    fix-regex:
      regex: (.*)\)
      replacement: \1, quoting=csv.QUOTE_ALL)
    languages:
      - python
    severity: ERROR

Examples

unquoted-csv-writer.py

import csv

csv.writer(csvfile, delimiter=',', quotechar='"')
csv.writer(csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_ALL)
csv.writer(csvfile, delimiter=',', quotechar='"', quoting=1)
csv.writer(csvfile, dialect='unix')
csv.writer(csvfile, dialect=csv.unix_dialect)