Formula Injection in npm’s xlsx module

Summary:
The SheetJS xlsx package in the npm ecosystem does not have any defense against Formula Injection.

Details:
The SheetJS xlsx package in the npm ecosystem parses and edits various spreadsheet formats. Because it is written in JavaScript, it can render tables in the browser and modify them on the fly, and it can export that data to various spreadsheet formats, e.g. xlsx, xlsb, csv etc.

Formula Injection happens when an application places untrusted user input inside a spreadsheet file and that file is then opened with a spreadsheet program such as Microsoft Excel.

This vulnerability exists because of the way spreadsheet software handles cells that begin with formula characters (such as =, @, +, -). Depending on the use case, applications can perform additional checks such as data validation, or escape the formula characters by prefixing a single quote (‘) before the formula character, as described here.

Steps to reproduce:

  1. Open one of the demos provided by the SheetJS module, e.g.
    http://sheetjs.com/demos/modify.html
    http://sheetjs.com/demos/table.html
  2. Edit any cell in the table and update it with the value below
    =cmd|’ /C calc’!A1
  3. Export it to any spreadsheet format such as csv, xlsx, xlsb etc. and open the file with Microsoft Excel
  4. Recent versions of Excel show a warning. Click OK.
  5. When this formula executes, it pops up a calculator on your Windows machine.
  6. This can be extended further to exfiltrate data out of band (OOB), as described here.

Timeline:

3/12/2019 – Reported to the npm security team via a bug bounty platform, and also sent an email directly to securityATnpm.com.
3/30/2019 – On the bounty platform, the package maintainer responded that this was Excel’s behavior and not a vulnerability in the package itself. They also shared that this had been reported to them via GitHub in January.
3/30/2019 – Report was closed on the bug bounty platform.
4/18/2019 – On the email side, a security engineer from the npm team acknowledged receiving the report and said he would be circling back.
6/27/2019 – A security engineer from the npm team reached out and explained that there had been an outage, hence no response from them. He asked for more details, which I provided.
7/02/2019 – The security engineer from the npm team said that he was able to reproduce the issue and had drafted an advisory. He said the advisory would be released once the patch was applied.
7/03/2019 – The security engineer from the npm team wrote back that the package maintainer said this was intended functionality, meant to behave as Excel does. He also noted that the npm working group had dismissed this vulnerability report through the bug bounty platform.
7/03/2019 – I requested public disclosure, which was approved.
7/19/2019 – I shared a draft write-up with the npm team.
7/22/2019 – Publishing this blog post.

I’m writing this post to raise awareness among SheetJS users and consumers. If you are using this package, your users may not be protected against formula injection by default. If you use it in your development projects, you may have to implement your own work-around, depending on your use case. Also, as a user, don’t ignore the Excel warnings; review an untrusted formula before letting it execute.
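The work-around recommended here, and the single-quote escaping mentioned under Details, as an added example that is not SheetJS code and not from the original post. All function names are my own; it handles the four characters named above plus tab and carriage return, which OWASP’s CSV injection guidance also lists, and uses the post’s own payload as a constructed sample.

```javascript
// Added example (not SheetJS code): detect and neutralise formula-leading
// cell values before untrusted data reaches the xlsx module or a CSV writer.

// Characters a spreadsheet program treats as the start of a formula.
// '=', '+', '-' and '@' are the ones named in the post; '\t' and '\r' are
// included as well because OWASP's CSV injection guidance lists them.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// True when a string would be evaluated as a formula once the exported file
// is opened in Excel. Numbers and booleans are never formulas, so keep
// numeric data typed as numbers (a string "-5" would otherwise be escaped).
function looksLikeFormula(value) {
  return typeof value === 'string' && value.length > 0 && FORMULA_TRIGGERS.has(value[0]);
}

// Detection / data validation: list every cell of an array-of-arrays that
// would trigger a formula, as {row, col, value}.
function findFormulaCells(rows) {
  const hits = [];
  rows.forEach((row, r) => row.forEach((value, c) => {
    if (looksLikeFormula(value)) hits.push({ row: r, col: c, value });
  }));
  return hits;
}

// Mitigation described in the post: prefix a single quote so the
// spreadsheet program stores the content as literal text.
function escapeCell(value) {
  return looksLikeFormula(value) ? `'${value}` : value;
}

// Escape every cell of the array-of-arrays shape that
// XLSX.utils.aoa_to_sheet consumes; returns a new array.
function escapeRows(rows) {
  return rows.map(row => row.map(escapeCell));
}

// CSV path: the formula escape plus RFC 4180 quoting, so a field holding
// commas, quotes or newlines still arrives as a single cell.
function toCsvField(value) {
  const text = String(escapeCell(value));
  return /[",\r\n]/.test(text) ? `"${text.replace(/"/g, '""')}"` : text;
}

function toCsv(rows) {
  return rows.map(row => row.map(toCsvField).join(',')).join('\r\n');
}

// Constructed sample: a benign row and one carrying the post's payload.
const SAMPLE_ROWS = [
  ['name', 'note', 'amount'],
  ['alice', 'ok', 42],
  ['mallory', "=cmd|' /C calc'!A1", -3],
];
```

Run findFormulaCells on the rows first if you would rather reject a submission than silently alter it; escapeRows and toCsv are the alternative when the data must still be exported.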

References: