Security: Released npm package 📦 for Protecting CSV Injection 🚀

We can not ignore Security on the Web. Security Vulnerability can impact your application and users which might eventually destroy your company!

As Web/Software Engineers, we should care about Security as much we care about our code.

There are different kinds of injection attacks available.

I was working with CSVs and then thought to use any available CSV injection protector package from npmjs. But I was surprised that I could not find what I needed.

So I thought to develop and release a package(CSV injection protector) for me and all of us.

First, let's see what is CSV injection-

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

To learn more about CSV Injection, please have a look here 👉OWASP doc on CSV Injection

I am presenting a tiny and useful package for protecting your application from CSV Injections called csv-injection-protector 🎉

(And it's always hard to come up with a good name I know 😉)

Why use this pacakge?

If you have any Input Field and that data goes to the Database in the backend and you generate CSV files with it, then you SHOULD think about CSV injection.

Probably, the string went to your DB is injected. They can execute any operation in the cell and also your CSV file can be corrupted and you can not open that.

It can be sanitized so that string is okay for the CSV.

How to use

Run

npm i csv-injection-protector

Then use in your code like below:

const riskyString = "=Risky string for CSV";
const sanitizedString = csvInjectionProtector(riskyString);
console.log(sanitizedString); // "Risky string for CSV"

Voila 🚀

It's super simple!

I also showed a demo of this package. Please check out the YouTube video-

Please check 👉npmjs.com/package/csv-injection-protector

Use it and let me know if you find any issues. Also if you have any suggestions, PRs are welcome 🙌

Cheers!
👋

As I am trying to contribute contents on the Web, you can buy me a coffee for my hours spent on all of these ❤️😊🌸

Photo by Sara Bakhshi on Unsplash

Comments

[Lev Karatun]

I checked out your package and it doesn't seem like you're checking for this case:

Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., ‘,’, or ‘;’) and quotes (e.g., ', or "), as attackers could use this to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.