
Commit da38c6a

Document OWASP official recommendations for CSV injections (#86)
1 parent 2b4a5e0 commit da38c6a


1 file changed

+12
-7
lines changed


lib/nimble_csv.ex

Lines changed: 12 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -209,8 +209,8 @@ defmodule NimbleCSV do
209209
`:separator`, `:newlines`, and `:escape` characters above
210210
* `:escape_formula` - the formula prefix(es) and formula escape sequence,
211211
defaults to `nil`, which disabled formula escaping
212-
`%{~w(@ + - =) => "\t"}` would escape all fields starting with `@`, `+`,
213-
`-` or `=` using `\t`
212+
`%{["@", "+", "-", "=", "\t", "\r"] => "'"}` would escape all fields starting
213+
with `@`, `+`, `-`, `=`, tab or carriage return using the `'` character.
214214
215215
Although parsing may support multiple newline delimiters, when
216216
dumping, only one of them must be picked, which is controlled by
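Review bot: the `"\t"` and `"\r"` in the new example at 212+/213+ sit inside the `@doc """` heredoc (closed by the `"""` at the end of the second hunk), and Elixir interprets escape sequences in `"""` heredocs, so the rendered documentation will contain a literal tab and carriage return rather than the `\t` and `\r` a reader needs to type; the replaced `` `\t` `` at 213- had the same problem. Write them as `"\\t"` and `"\\r"`, or switch the docstring to `~S"""`, so the escape sequences survive rendering. Separately, the unchanged context line 211 reads "which disabled formula escaping"; "disables" is the intended tense.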
@@ -228,17 +228,22 @@ defmodule NimbleCSV do
228228
By default, the dumper does not escape values which some clients may interpret
229229
as formulas or commands. This can result in
230230
[CSV injection](https://owasp.org/www-community/attacks/CSV_Injection).
231+
231232
There is no universally correct way to handle CSV injections. In some cases,
232233
you may want formulas to be preserved: you may want a cell to have a value of
233234
`=SUM(...)`. The only way to escape these values is by materially changing
234235
them by prefixing a tab or single quote, which can also lead to false positives.
235236
236237
The `escape_formula` option will add a prefix to any value which has the
237-
configured prefix (e.g. it will prepend `\t` to any value which begins with
238-
`@`, `+`, `-` or `=`). Applications that want more control over this process,
239-
to allow formulas in specific cases, or possibly minimize false positives,
240-
should leave this option disabled and escape the value, as necessary, within
241-
their code.
238+
configured prefix (e.g. it will prepend `'` to any value which begins with
239+
`@`, `+`, `-`, `=`, tab or carriage return). Use the following config to
240+
follow the [OWASP recommendations](https://owasp.org/www-community/attacks/CSV_Injection):
241+
242+
escape_formula: %{["@", "+", "-", "=", "\t", "\r"] => "'"}
243+
244+
Applications that want more control over this process, to allow formulas in specific
245+
cases, or possibly minimize false positives, should leave this option disabled and
246+
escape the value, as necessary, within their code.
242247
"""
243248
def define(module, options) do
244249
defmodule module do
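Review bot: the sentence at 236-239+ states that the option "will prepend `'` to any value which begins with `@`, `+`, `-`, `=`, tab or carriage return", which reads as built-in behaviour, while the first hunk documents that `escape_formula` defaults to `nil` and that both the prefixes and the escape character come from the configured map. Rephrase to "with the configuration below, it will prepend `'` to ..." so the example config at 242+ is clearly what produces that behaviour. The `\t` and `\r` in that config snippet are inside the same `"""` heredoc as the first hunk and need the same `\\t`/`\\r` escaping to render as typed.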
