[#13776] - Unable to prevent CSV injection attack prior to CSV export

Category: Bug report
Priority: Urgent
Status: New
Project:
Severity: Critical
Resolution: Open
Component:
Reproducibility: Always
Assigned to: 0

Using latest 6.17.0 Jasper Reports library, it's possible to open a CSV file exported by the JR API with an active formula.

See example here: https://community.jaspersoft.com/questions/1186891/preventing-csv-injection

See proper design/solution by SAP: https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.2.6/en-US...

Ideally, for CSV exported files, after query execution in net.sf.jasperreports.engine.query.JRJdbcQueryExecuter.createDatasource(), the ResultSet object can be iterated over, scrubbed for values with regex: "^[=+-@],|,[=+-@]" and prepend a space in front of these values to deactivate the formulas once the CSV file is opened in Excel.

Note with the following code, all CSV values are enclosed (pre-pended and post-pended) with a supplied character.

import net.sf.jasperreports.engine.export.JRCsvExporter;
import net.sf.jasperreports.export.SimpleCsvExporterConfiguration;
import net.sf.jasperreports.export.SimpleExporterInput;
import net.sf.jasperreports.export.SimpleWriterExporterOutput;

// this.ctx is the JasperReportsContext, ph holds the filled JasperPrint, os is the output stream
JRCsvExporter csvExporter = new JRCsvExporter(this.ctx);
csvExporter.setExporterInput(new SimpleExporterInput(ph.getJasperPrint()));
csvExporter.setExporterOutput(new SimpleWriterExporterOutput(os));

// Force every field to be enclosed in the supplied character (a backtick here instead of the default double quote)
SimpleCsvExporterConfiguration configuration = new SimpleCsvExporterConfiguration();
configuration.setFieldEnclosure("`");
configuration.setForceFieldEnclosure(true);
csvExporter.setConfiguration(configuration);

csvExporter.exportReport();

In either case (default double quote enclosure or backtick), the expected behavior is not achieved. And in any event, only the formula type values need to be escaped, not all the values in the CSV file.
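The following is an added example, not code from this report or from the JasperReports project. It implements the scrubbing approach described above (neutralise only the values that would be evaluated as formulas, leave everything else untouched) as a wrapper around any JRDataSource, so the fix sits in front of the filler rather than relying on field enclosure, which spreadsheets strip before evaluating the cell. The FormulaSafeDataSource class and the demo rows are assumptions constructed for this example; the JRDataSource, JRField, JRMapCollectionDataSource and JRDesignField types are the real JasperReports API.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import net.sf.jasperreports.engine.JRDataSource;
import net.sf.jasperreports.engine.JRException;
import net.sf.jasperreports.engine.JRField;
import net.sf.jasperreports.engine.data.JRMapCollectionDataSource;
import net.sf.jasperreports.engine.design.JRDesignField;

/**
 * Hypothetical wrapper (not part of JasperReports): delegates to any JRDataSource
 * and neutralises String values that a spreadsheet would evaluate as a formula.
 */
public final class FormulaSafeDataSource implements JRDataSource {

    // Leading characters that trigger formula evaluation in Excel/LibreOffice:
    // '=', '+', '-', '@', plus the less obvious tab and carriage return.
    // The hyphen is escaped so it is a literal and not a character range.
    private static final Pattern FORMULA_START = Pattern.compile("^[=+\\-@\\t\\r]");

    private final JRDataSource delegate;

    public FormulaSafeDataSource(JRDataSource delegate) {
        this.delegate = delegate;
    }

    @Override
    public boolean next() throws JRException {
        return delegate.next();
    }

    @Override
    public Object getFieldValue(JRField field) throws JRException {
        Object value = delegate.getFieldValue(field);
        // Only text can carry a formula; numbers, dates etc. are passed through unchanged
        return value instanceof String ? neutralise((String) value) : value;
    }

    /**
     * Prepends a single space (as the report proposes) so the first character is no
     * longer a formula trigger; a leading apostrophe is the other common choice.
     * Values that do not start with a trigger character are returned exactly as-is.
     */
    static String neutralise(String cell) {
        if (cell == null || cell.isEmpty()) {
            return cell;
        }
        return FORMULA_START.matcher(cell).find() ? " " + cell : cell;
    }

    /** Constructed demo rows: a formula-shaped value, a negative number stored as text, and plain text. */
    public static void main(String[] args) throws JRException {
        List<Map<String, ?>> rows = new ArrayList<>();
        rows.add(row("Alice", "=1+1"));
        rows.add(row("Bob", "-15.50"));
        rows.add(row("Carol", "plain text"));

        JRDataSource safe = new FormulaSafeDataSource(new JRMapCollectionDataSource(rows));
        JRDesignField name = new JRDesignField();
        name.setName("name");
        JRDesignField note = new JRDesignField();
        note.setName("note");

        // Expected: "Alice |  =1+1", "Bob |  -15.50", "Carol | plain text"
        while (safe.next()) {
            System.out.println(safe.getFieldValue(name) + " | " + safe.getFieldValue(note));
        }
    }

    private static Map<String, ?> row(String name, String note) {
        Map<String, Object> m = new HashMap<>();
        m.put("name", name);
        m.put("note", note);
        return m;
    }
}
```

Working per value rather than scanning the finished CSV line avoids the delimiter-dependent regex in the report and also covers values that contain the field delimiter. The trade-off is visible in the second row: a negative number that is stored as a String is prefixed too, so numeric columns should be typed as numbers in the report (they then bypass the String check) rather than exported as text.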

Note that this problem does not reproduce for xlsx output.

References:

https://community.jaspersoft.com/system/files/restricted-docs/jasperrepo...

NOTE: there is no reference to "csv injection" or "formula injection" in the above official security guide.

Version: v6.17.0
Project: JasperReports
Reported by: asookazian@gmail.com (joined Apr 19 2010)