Excel Command Injection

mrpaulmcgee

Hi,

Has anyone created a fix for this exploit in DataTables? I am using the Buttons plugin and exporting to Excel, but it's been flagged as vulnerable to Excel command injection. They recommend starting all cells with a quote ( ' ) to force them to be interpreted literally.

I was going to use something like this:-

exportOptions: {
    format: {
        body: function ( data, row, column, node ) {
            // Prefix every cell with a single quote so Excel treats it as literal text
            return "'" + data;
        }
    }
}

Does anyone have any successful fixes for this issue?

Thanks

Replies

  • allan (Site admin)

    Have you got a link to where that is recommended in the Open Spreadsheet specification, or wherever else this was recommended? I'd like to understand the issue a bit deeper here.

    Thanks,
    Allan

  • mrpaulmcgee

    Hi Allan,

    I use the Buttons Excel export in our User Administration area, whereby anyone who can see the list of users can export the table. By adding a user with the first name =cmd|' /C calc'!A0, a vulnerability was found.

    The summary given to me was:-

    The application supports exporting a list of users as an Excel XLSX spreadsheet. When this is done, no attempt at sanitization occurs. Any cell in the spreadsheet that can start with an equals sign (=) can be used to execute arbitrary commands when the spreadsheet is opened (or exfiltrate data from other spreadsheets that are accessible to the victim).

    Remediation is recommended in the form of 'Start all cells with a single quote (') to force them to be interpreted literally by Excel.'

    I have made a change to my code like this:-

    exportOptions: {
        format: {
            body: function ( data, row, column, node ) {
                // Columns 7-9 hold currency values: strip $ , . so they export as numbers.
                // Other columns: strip tags and &nbsp; but leave values as encoded chars.
                var stripped = column >= 7 && column <= 9 ? data.replace( /[$,.]/g, '' ) : data.replace(/(&nbsp;|<([^>]+)>)/ig, "");

                // Prefix a single quote only when the cell would otherwise start a formula
                return stripped.charAt(0) == '='  ? "'" + stripped : stripped;
            }
        }
    }


    I am also stripping tags first, as you can see. I use the Buttons export in a number of areas and I don't really want to take it out, as it works well for what we need. I just thought someone else must have come across this before and maybe had a better solution.

    Thanks

  • allan (Site admin)

    I've just tried a really simple change to encapsulate all of the text in cells with quotes:

    text: "'" + text + "'",
    

    at this point, but the rendered output just shows the quoted strings (i.e. with the quotes) which is what I expected.

    I'm feeling there is something I'm missing here!

    Allan
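An added example, not code from the thread or from the DataTables project, of a body formatter for the Buttons exportOptions.format.body callback. It extends the thread's charAt(0) == '=' check to the other characters spreadsheet applications treat as formula starts (+, -, @, tab, carriage return), allows leading whitespace before the trigger, and leaves plain numbers such as -5 alone so numeric columns still export as numbers. The function names and the sample cells are my own.

```javascript
// Added example: a formula-neutralising formatter for Buttons' exportOptions.format.body.
// Cells beginning with any of these characters are parsed as formulas by Excel
// and LibreOffice; leading whitespace is allowed because some applications ignore it.
const FORMULA_TRIGGER = /^\s*[=+\-@\t\r]/;
// Plain numbers such as -5 or +3.25 are data, not formulas, and stay untouched.
const PLAIN_NUMBER = /^\s*[+-]?\d+(\.\d+)?\s*$/;

// Strip HTML tags and non-breaking spaces, as the thread's formatter does.
function stripTags(data) {
  return String(data).replace(/(&nbsp;|<([^>]+)>)/ig, '');
}

// True when the cell text would be evaluated rather than displayed literally.
function looksLikeFormula(text) {
  return FORMULA_TRIGGER.test(text) && !PLAIN_NUMBER.test(text);
}

// Prefix a single quote so the whole cell is treated as literal text.
function escapeCell(data) {
  const text = stripTags(data);
  return looksLikeFormula(text) ? "'" + text : text;
}

// Drop-in callback (hypothetical name): exportOptions: { format: { body: excelSafeBody } }
function excelSafeBody(data, row, column, node) {
  return escapeCell(data);
}

// Constructed sample cells (not real user data) covering a benign name, a tagged
// value with an '@' trigger, a formula, a negative number and a whitespace-led trigger.
const SAMPLE_CELLS = ['Jane Doe', '<b>@Bob</b>', '=SUM(1,2)', '-5', '  +1+1'];

// Run the formatter over the samples the way the exporter would, one cell per column.
function demo() {
  return SAMPLE_CELLS.map(function (cell, column) {
    return excelSafeBody(cell, 0, column, null);
  });
}
```

The callback only controls the cell text; as Allan reports in the thread, the added quote is visible in the exported cell, so check the result in the target spreadsheet application before relying on it.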
