DEV Community

Shahjada Talukdar for The Destro Dev Show
Security: Released npm package 📦 for Protecting CSV Injection 🚀

We cannot ignore security on the web. A security vulnerability can impact your application and its users, and might eventually destroy your company!

As web/software engineers, we should care about security as much as we care about our code.

There are many kinds of injection attacks.

I was working with CSVs and thought I would use an existing CSV injection protector package from npmjs. But I was surprised that I could not find what I needed.

So I decided to develop and release a package (a CSV injection protector) for myself and for all of us.

First, let's see what CSV injection is.

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

To learn more about CSV Injection, please have a look here 👉 OWASP doc on CSV Injection

I am presenting a tiny and useful package for protecting your application from CSV Injections called csv-injection-protector 🎉

(And it's always hard to come up with a good name I know 😉)

Why use this package?

If you have any input field whose data goes to the database in the backend, and you generate CSV files from that data, then you SHOULD think about CSV injection.

The string that went to your DB may already be injected. When the CSV is opened in a spreadsheet, the payload can execute operations in the cell, and the CSV file itself can also be corrupted so that you cannot open it.

The string can be sanitized so that it is safe for the CSV.

How to use

Run

npm i csv-injection-protector

Then use in your code like below:

// Import the sanitizer (the package is assumed here to expose a default export)
import csvInjectionProtector from "csv-injection-protector";

// A value that a spreadsheet would otherwise evaluate as a formula
const riskyString = "=Risky string for CSV";
const sanitizedString = csvInjectionProtector(riskyString);
console.log(sanitizedString); // "Risky string for CSV"

Voila 🚀

It's super simple!

I also showed a demo of this package. Please check out the YouTube video-

Please check 👉npmjs.com/package/csv-injection-protector

Use it and let me know if you find any issues. Also if you have any suggestions, PRs are welcome 🙌

Cheers!
👋

As I am trying to contribute content on the web, you can buy me a coffee for the hours spent on all of this ❤️😊🌸
Buy Me A Coffee

Photo by Sara Bakhshi on Unsplash


Top comments (1)

Lev Karatun • Edited

I checked out your package and it doesn't seem like you're checking for this case:

Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., ‘,’, or ‘;’) and quotes (e.g., ', or "), as attackers could use this to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.
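The mitigation the comment above describes, as an added example that is not part of the post or of the csv-injection-protector package: a cell encoder that neutralizes a leading formula trigger (the OWASP single-quote prefix) and also quotes the whole cell, so an embedded separator or quote cannot open a new cell that begins with a trigger character. The function names and the sample values are constructed for this illustration.

```javascript
// Characters that Excel, LibreOffice and Google Sheets may treat as the
// start of a formula when they appear first in a cell (per OWASP).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Encode one untrusted value as a single CSV cell.
function encodeCsvCell(value) {
  let text = String(value ?? "");

  // 1. Leading trigger: prefix a single quote so the spreadsheet reads the
  //    cell as literal text instead of evaluating it.
  if (text.length > 0 && FORMULA_TRIGGERS.has(text[0])) {
    text = "'" + text;
  }

  // 2. Always wrap the cell in double quotes and double any embedded quote
  //    (RFC 4180 escaping). A "," or a quote inside the value then stays
  //    inside this cell and cannot start a new cell with a trigger first.
  return '"' + text.replace(/"/g, '""') + '"';
}

// Encode a whole row; every cell goes through the same treatment.
function encodeCsvRow(values, separator = ",") {
  return values.map(encodeCsvCell).join(separator);
}

// Constructed sample: a plain value, a leading formula, and the case from
// the comment, where the trigger sits after a quote and a separator.
const sampleRow = ["alice", "=1+1", 'bob",=HYPERLINK("x")'];
console.log(encodeCsvRow(sampleRow));
```

The single-quote prefix is visible when the file is opened, which is the trade-off OWASP accepts for keeping the cell inert.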
