CSV injection risk assessment

afriedrich · April 28, 2022, 8:13am

Hello,

a common risk with sheets is CSV injection, targeting the user when he downloads an excel file (e.g. =cmd|’ /C calc’!A0). That is because Excel can evaluate formulas.

Aspose can also evaluate formulas (cell.DisplayStringValue is the result of evaluation as per documentation). When a CSV file is read in by Aspose, what measures are taken that a malicious CSV file is not evaluated to attack the server itself (not the user)? Does Aspose even evaluate cmd or bash commands at all, or just Excel functions, or a subset thereof?

Thank you very much,

Andreas

amjad.sahi · April 28, 2022, 9:58am

@afriedrich,

Please note, Aspose.Cells does not evaluate or calculate formulas which involve external reference to programs (calls), external files or execute scripts in the formulas, so the formula “=cmd|’ /C calc’!A0” won’t be calculated at all. Also, similar critical formulas won’t be calculated as well.

Hope, this answers your doubts.

afriedrich · April 28, 2022, 10:35am

@Amjad_Sahi Excellent, thank you very much!

amjad.sahi · April 28, 2022, 10:49am

@afriedrich,

You are welcome.