https://bugs.limesurvey.org/view.php?id=19252

========
When using a spreadsheet program like Microsoft Excel or LibreOffice Calc to open a CSV file, the software interprets any cell that begins with "=" as a formula. CSV injection, also known as formula injection, occurs when websites incorporate user-supplied data into CSV files without proper validation.

It has been detected the possibility of injecting CSV formulas into the titles of survey quotas, which can subsequently be exported to CSV.

To mitigate this vulnerability, it is recommended to validate the input entered by a user to ensure that no cell begins with any of the following characters:

Equal to ("=")
Plus ("+")
Minus ("-")
At ("@")"

On its own, this functionality would not have a high impact, as the CSV quotas can only be exported by the same user. However, considering the vulnerability which allows the editing of quotas belonging to others, an attacker could add malicious formulas to another user, which would be executed when that user exports their quotas.

5.png (90,281 bytes)   

5.png (90,281 bytes)   

@DenisChenu Shall I take this?

You can.
I just copy/paste from another report.

I just copy/paste from another report.

You mean the details of the ticket?

Master PR: https://github.com/LimeSurvey/LimeSurvey/pull/3677
WIP.

Implemented the filter over the input as suggested on the ticket.
Still, not sure that's the best.
This could happen on a million other screens, can't sanitize all.
Also, at development time, you don't know if an input will be exported or not.

My call would be to create some kind of lib that escapes cell contents when exported.
Ex:

• CsvEncoder from symfony/serializer.
• EscapeFormula from league/csv.
  Or custom one with a function: EscapeCell

You mean the details of the ticket?

Yes , see https://bugs.limesurvey.org/view.php?id=19252#c78528

Comment on a different issue.

My opinion : we must allow it in DB, no reason to disallow it.

But we must encode when export

Strangely : we don't encode = on CsvExprt ? https://github.com/LimeSurvey/LimeSurvey/blob/8c332cc638306875f965ccd347ef5e5573f27ed0/application/helpers/admin/export/CsvWriter.php#L102

We have to add a ' if string start with = https://github.com/symfony/symfony/blob/1934b2ec33ffc44e456fbde9737c8d9c6173a629/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php#L217

Or custom one with a function: EscapeCell

Maybe most simple here.

You say

My opinion : we must allow it in DB, no reason to disallow it.

But you said this before

To mitigate this vulnerability, it is recommended to validate the input entered by a user to ensure that no cell begins with any of the following characters:

I believe it is no harm to apply in input (optionally) and mandatory on export.
We will work on an escape function

But you said this before

No : i copy/paste https://bugs.limesurvey.org/view.php?id=19252#c78528

I believe it is no harm to apply in input (optionally) and mandatory on export.

If it's in model : it's not optionnal.
We just need in for CSV : the do it when doing a CSV export …

@tibor.pacalat: I think we should create a new story for reviewing all csv exports, right?

I think we should create a new story for reviewing all csv exports, right?

Yes : i think we have same issue on Export Response

I'll create a story in our JIRA regarding

| @tibor.pacalat: I think we should create a new story for reviewing all csv exports, right?

This particular issue has been resolved.

… arg , still not reported on my part …

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=36021

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=36022

Fixed in Release 6.4.5+240205