python.lang.security.use-defusedcsv.use-defusedcsv

Author
unknown
Detected the generation of a CSV file using the built-in csv module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. defusedcsv is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use defusedcsv instead of csv to safely generate CSVs.
Definition
rules:
  - id: use-defusedcsv
    patterns:
      - pattern: csv.writer(...)
      - pattern-not: defusedcsv.writer(...)
    message: >-
      Detected the generation of a CSV file using the built-in `csv` module.
      If user data is used to generate the data in this file, it is possible
      that an attacker could inject a formula when the CSV is imported into a
      spreadsheet application that runs an attacker script, which could steal
      data from the importing user or, at worst, install malware on the user's
      computer. `defusedcsv` is a drop-in replacement with the same API that
      will attempt to mitigate formula injection attempts. You can use
      `defusedcsv` instead of `csv` to safely generate CSVs.
    metadata:
      cwe:
        - "CWE-1236: Improper Neutralization of Formula Elements in a CSV File"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://github.com/raphaelm/defusedcsv
        - https://owasp.org/www-community/attacks/CSV_Injection
        - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities
      category: security
      technology:
        - python
      confidence: LOW
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    fix-regex:
      regex: csv
      replacement: defusedcsv
    languages:
      - python
    severity: INFO
Examples
use-defusedcsv.py
import csv

with open("file", 'r') as fin:
    # ok: use-defusedcsv
    reader = csv.reader(fin)

with open("file", 'w') as fout:
    # ruleid: use-defusedcsv
    writer = csv.writer(fout, quoting=csv.QUOTE_ALL)

import defusedcsv as csv

with open("file", 'w') as fout:
    # ok: use-defusedcsv
    writer = csv.writer(fout)
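The description above says a spreadsheet may evaluate a cell that begins with a formula character. The following added example, which is not part of the rule, the Semgrep registry, or the defusedcsv project, shows the difference between writing untrusted cells through the plain csv module and through a small neutralizing wrapper, plus an audit function that scans finished CSV text for cells a spreadsheet could evaluate. The trigger-character list and the apostrophe-prefix/pipe-escape treatment follow the OWASP CSV Injection guidance referenced by the rule; they are an assumption here and are not a copy of defusedcsv's own implementation. The sample rows are constructed.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of
# a formula or a command chain. Taken from the OWASP CSV Injection guidance;
# an assumption for this example, not defusedcsv's exact list.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "|", "%")


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will display as literal text.

    Non-string values (ints, floats, None) are returned unchanged, so
    negative numbers should be passed as numbers rather than as strings
    such as "-5", which would otherwise be escaped like any other cell
    that starts with "-".
    """
    if not isinstance(value, str) or not value:
        return value
    if value[0] in FORMULA_TRIGGERS:
        # Escape pipes so the cell cannot be read as a command chain, then
        # force text mode with a leading apostrophe (OWASP recommendation).
        return "'" + value.replace("|", "\\|")
    return value


class SafeWriter:
    """Thin wrapper with the csv.writer interface that neutralizes each cell.

    Note that the rule on this page would still flag the csv.writer call
    inside this wrapper; it matches the call syntactically and cannot see
    that every cell has been neutralized first.
    """

    def __init__(self, fileobj, **kwargs):
        self._writer = csv.writer(fileobj, **kwargs)

    def writerow(self, row):
        return self._writer.writerow([neutralize_cell(c) for c in row])

    def writerows(self, rows):
        for row in rows:
            self.writerow(row)


def render(rows, safe):
    """Serialize `rows` to CSV text, with or without cell neutralization."""
    buf = io.StringIO()
    writer = SafeWriter(buf) if safe else csv.writer(buf)
    writer.writerows(rows)
    return buf.getvalue()


def audit_csv(text):
    """Return (row, column) indexes of cells a spreadsheet could evaluate.

    Useful as a last-line check on CSV exports before they leave the system.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                findings.append((r, c))
    return findings


# Constructed sample: two comment cells that a spreadsheet would evaluate.
SAMPLE_ROWS = [
    ["name", "comment"],
    ["alice", "=2+3"],
    ["bob", "plain text"],
    ["carol", "@SUM(1,2)"],
]

if __name__ == "__main__":
    print("plain csv.writer findings:", audit_csv(render(SAMPLE_ROWS, safe=False)))
    print("SafeWriter findings:     ", audit_csv(render(SAMPLE_ROWS, safe=True)))
```

Running the block reports two findings for the plain writer (rows 1 and 3, column 1) and none for the wrapper. The audit function is the defensive counterpart to the rule: the rule catches the risky call at review time, the audit catches risky content at export time, and neither replaces escaping the cells themselves.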
Short Link: https://sg.run/GzRn