Add method to validate a Excel CSV file - Implements #1

Author: drighetto

.idea/inspectionProfiles/Project_Default.xml

@@ -9,6 +9,11 @@
     <version>1.0.0-SNAPSHOT</version>
 
     <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-csv</artifactId>
+            <version>1.11.0</version>
+        </dependency>
         <dependency>
             <groupId>commons-validator</groupId>
             <artifactId>commons-validator</artifactId>

pom.xml

@@ -1,5 +1,7 @@
 package eu.righettod;
 
+import org.apache.commons.csv.CSVFormat;
+import org.apache.commons.csv.CSVRecord;
 import org.apache.commons.validator.routines.InetAddressValidator;
 import org.apache.pdfbox.Loader;
 import org.apache.pdfbox.pdmodel.PDDocument;
@@ -29,10 +31,7 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.StringReader;
+import java.io.*;
 import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.MalformedURLException;
@@ -41,6 +40,7 @@
 import java.nio.file.Files;
 import java.security.MessageDigest;
 import java.util.*;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
@@ -625,4 +625,48 @@ public static boolean isXMLOnlyUseAllowedXSDorDTD(String xmlFilePath, final List
 
         return isSafe;
     }
+
+    /**
+     * Apply a collection of validations on a EXCEL CSV file provided (file was expected to be opened in Microsoft EXCEL):<br>
+     * - Real CSV file.<br>
+     * - Do not contains any payload related to a CSV injections.<br><br>
+     * Ensure that, if Apache Commons CSV does not find any record then, the file will be considered as NOT safe (prevent potential bypasses).<br><br>
+     * <b>Note:</b> Record delimiter used is the <code>,</code> (comma) character. See the Apache Commons CSV reference provided for EXCEL.<br>
+     *
+     * @param csvFilePath Filename of the CSV file to check.
+     * @return True only if the file pass all validations.
+     * @see "https://commons.apache.org/proper/commons-csv/"
+     * @see "https://commons.apache.org/proper/commons-csv/apidocs/org/apache/commons/csv/CSVFormat.html#EXCEL"
+     * @see "https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection"
+     * @see "https://www.whiteoaksecurity.com/blog/2020-4-23-csv-injection-whats-the-risk/"
+     * @see "https://book.hacktricks.xyz/pentesting-web/formula-csv-doc-latex-ghostscript-injection"
+     * @see "https://owasp.org/www-community/attacks/CSV_Injection"
+     * @see "https://payatu.com/blog/csv-injection-basic-to-exploit/"
+     * @see "https://cwe.mitre.org/data/definitions/1236.html"
+     */
+    public static boolean isExcelCSVSafe(String csvFilePath) {
+        boolean isSafe;
+        final AtomicInteger recordCount = new AtomicInteger();
+        final List<Character> payloadDetectionCharacters = List.of('=', '+', '@', '-', '\r', '\t');
+
+        try {
+            final List<String> payloadsIdentified = new ArrayList<>();
+            try (Reader in = new FileReader(csvFilePath)) {
+                Iterable<CSVRecord> records = CSVFormat.EXCEL.parse(in);
+                records.forEach(record -> {
+                    record.forEach(recordValue -> {
+                        if (recordValue != null && !recordValue.trim().isEmpty() && payloadDetectionCharacters.contains(recordValue.trim().charAt(0))) {
+                            payloadsIdentified.add(recordValue);
+                        }
+                        recordCount.getAndIncrement();
+                    });
+                });
+            }
+            isSafe = (payloadsIdentified.isEmpty() && recordCount.get() > 0);
+        } catch (Exception e) {
+            isSafe = false;
+        }
+
+        return isSafe;
+    }
 }

src/main/java/eu/righettod/SecurityUtils.java

@@ -1,6 +1,7 @@
 package eu.righettod;
 
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.pdfbox.Loader;
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.junit.jupiter.api.Test;
@@ -251,7 +252,7 @@ public void computeHashNoProneToAbuseOnParts() throws Exception {
     }
 
     @Test
-    public void isXMLOnlyUseAllowedXSDorDTD() throws Exception {
+    public void isXMLOnlyUseAllowedXSDorDTD() {
         final String msgErrorFalseNegative = "Reference to an invalid DTD/XSD must be detected!";
         final String msgErrorFalsePositive = "Reference to an invalid DTD/XSD must NOT be detected!";
         //Non allowed DTD
@@ -275,5 +276,30 @@ public void isXMLOnlyUseAllowedXSDorDTD() throws Exception {
         isSafe = SecurityUtils.isXMLOnlyUseAllowedXSDorDTD(testFile, List.of("https://company.com/test.xsd"));
         assertTrue(isSafe, msgErrorFalsePositive);
     }
+
+    @Test
+    public void isExcelCSVSafe() throws IOException {
+        String testFile;
+        boolean isSafe;
+        String caseIdentifier;
+
+        //Test unsafe CSV cases
+        int unsafeTestCaseCount = 5;
+        for (int caseId = 0; caseId < unsafeTestCaseCount; caseId++) {
+            caseIdentifier = StringUtils.leftPad(Integer.toString(caseId), 2, "0");
+            testFile = getTestFilePath(String.format("test-excel-csv-unsafe%s.csv", caseIdentifier));
+            isSafe = SecurityUtils.isExcelCSVSafe(testFile);
+            assertFalse(isSafe, String.format(TEMPLATE_MESSAGE_FALSE_NEGATIVE_FOR_FILE, StringUtils.leftPad(Integer.toString(caseId), 2, "0")));
+        }
+        //Test safe CSV cases
+        int safeTestCaseCount = 4;
+        for (int caseId = 0; caseId < safeTestCaseCount; caseId++) {
+            caseIdentifier = StringUtils.leftPad(Integer.toString(caseId), 2, "0");
+            testFile = getTestFilePath(String.format("test-excel-csv-safe%s.csv", caseIdentifier));
+            isSafe = SecurityUtils.isExcelCSVSafe(testFile);
+            assertTrue(isSafe, String.format(TEMPLATE_MESSAGE_FALSE_POSITIVE_FOR_FILE, testFile));
+        }
+
+    }
 }
 

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -0,0 +1,2 @@
+"FIELD1","FIELD2"
+"Dom",70

src/test/resources/test-excel-csv-safe00.csv

@@ -0,0 +1 @@
+"Dom",70

src/test/resources/test-excel-csv-safe01.csv

@@ -0,0 +1 @@
+Dom,70

src/test/resources/test-excel-csv-safe02.csv

@@ -0,0 +1,2 @@
+FIELD1,FIELD2
+Dom,70

src/test/resources/test-excel-csv-safe03.csv

@@ -0,0 +1,2 @@
+"FIELD1","FIELD2"
+"Dom","=HYPERLINK(""https://evil.com"",""Click here"")"

src/test/resources/test-excel-csv-unsafe00.csv

@@ -0,0 +1 @@
+"Dom","=HYPERLINK(""https://evil.com"",""Click here"")"

src/test/resources/test-excel-csv-unsafe01.csv

@@ -0,0 +1,2 @@
+"FIELD1","FIELD2"
+"Dom","@SUM(1+9)*cmd|' /C calc'!A0"

src/test/resources/test-excel-csv-unsafe02.csv

@@ -0,0 +1 @@
+"Dom","@SUM(1+9)*cmd|' /C calc'!A0"

src/test/resources/test-excel-csv-unsafe03.csv

@@ -0,0 +1 @@
+,=cmd|\' /C calc\'!A0'