
[Bug]: Security Vulnerability - Potential CSV Injection attack via Export as CSV chart action #1521

Closed
1 task done
justindm234 opened this issue Mar 8, 2023 · 1 comment · Fixed by #1712
Labels
type: bug 🐛 Something isn't working

Comments

@justindm234

Name

Justin Miller

Are you an IBM employee?

  • Yes

Contact Details

[email protected]

What happened?

The "Export as CSV" action does not sanitize CSV output against potential CSV Injection attacks. For example, I was able to name my chart data groups such that Excel attempts to launch an application when opening the exported CSV (demo).

This issue was raised by our pen testers. In my product, chart group names are dynamically defined based on customer-entered values (object names). The issue is a malicious user could take an action (name an object) that would result in another user exporting malicious CSV. If that second user opened that CSV in Excel (common on many computers), the second user would be attacked. As a result, my team had to disable the "Export as CSV" option.

Malicious CSV output example (created by demo) - myChart.csv

Newer versions of Excel protect against these attacks, but older versions may not - image

Version

@carbon/[email protected]

Data & options used

```js
const lineData = [
  {
    group: "=10+20+cmd|' /C calc'!A0", // CSV Injection payload
    key: "Qty",
    value: 20000
  },
  {
    group: "=10+20+cmd|' /C calc'!A0",
    key: "More",
    value: 23500
  },
  {
    group: "=10+20+cmd|' /C calc'!A0",
    key: "Sold",
    value: 53100
  }
];

const lineChartProps = {
  data: lineData,
  options: {
    title: "Line (discrete)",
    axes: {
      bottom: {
        title: "2019 Annual Sales Figures",
        mapsTo: "key",
        scaleType: "labels"
      },
      left: {
        mapsTo: "value",
        title: "Conversion rate",
        scaleType: "linear"
      }
    },
    height: "400px"
    // toolbar: customToolbar ? toolbar(true, lineChartRef, isSessionLocal, showModal) : undefined
  }
};
```

Relevant log output

No response

Codesandbox example

https://codesandbox.io/s/carbon-charts-csv-injection-djcnye?file=/src/index.js

What priority level would this be in your opinion?

P0
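The mitigation the report is asking for is an escaping step in the CSV export path. The following is an added example, not code from @carbon/charts or from the reporter: it neutralises cells that a spreadsheet would evaluate as formulas (leading `=`, `+`, `-`, `@`, tab or carriage return) by prefixing a single quote, and applies RFC 4180 quoting so separators and embedded quotes cannot break row structure. The function names (`escapeCsvCell`, `toCsv`, `exportSample`), the column list and the `sampleData` rows are assumptions; the first sample row reuses the payload string from the issue, the others are constructed.

```javascript
// Added example (not @carbon/charts code): defensive CSV cell escaping for an
// "Export as CSV" feature, following the OWASP CSV-injection guidance.
// Cells that spreadsheet applications would interpret as formulas are
// neutralised with a leading apostrophe; every text cell is wrapped in
// double quotes with embedded quotes doubled (RFC 4180).

const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

function escapeCsvCell(value) {
  // Genuine numeric values never start a formula, so leave them unquoted;
  // this avoids turning a legitimate -5 into '-5.
  if (typeof value === "number" && Number.isFinite(value)) {
    return String(value);
  }
  const text = value === null || value === undefined ? "" : String(value);
  let safe = text;
  if (safe.length > 0 && FORMULA_TRIGGERS.has(safe[0])) {
    // A leading apostrophe makes Excel and LibreOffice treat the cell as text.
    safe = "'" + safe;
  }
  // Double any embedded quotes, then wrap the field so commas, newlines and
  // the added apostrophe stay inside one cell.
  return '"' + safe.replace(/"/g, '""') + '"';
}

function toCsv(rows, columns) {
  const header = columns.map(escapeCsvCell).join(",");
  const body = rows.map((row) =>
    columns.map((col) => escapeCsvCell(row[col])).join(",")
  );
  return [header, ...body].join("\r\n") + "\r\n";
}

// Constructed sample rows in the report's data shape (hypothetical values apart
// from the first group name, which is the payload quoted in the issue).
const sampleData = [
  { group: "=10+20+cmd|' /C calc'!A0", key: "Qty", value: 20000 },
  { group: "@SUM(A1)", key: "More", value: 23500 },
  { group: 'Plain "name", with comma', key: "Sold", value: 53100 },
];

function exportSample() {
  return toCsv(sampleData, ["group", "key", "value"]);
}

console.log(exportSample());
```

The apostrophe prefix is the approach most spreadsheet applications honour for text cells; the trade-off is that it appears as a literal character in non-spreadsheet consumers of the file, so an export feature may want to document it or make it optional for purely machine-to-machine exports.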

@justindm234 justindm234 added the type: bug 🐛 Something isn't working label Mar 8, 2023
@theiliad theiliad moved this to In Progress in @carbon/charts Aug 23, 2023
@justindm234
Author

Any updates on this issue? I'm surprised this isn't being handled like a PSIRT.

@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in @carbon/charts Dec 28, 2023
Projects
Status: ✅ Done