How to prevent CSV injection in Django application

Question

I have a Django application with a file upload feature. I am using ClamAV to scan the file for viruses. I want to prevent CSV injection in my application too. I found this Stack Overflow link related to it, but it is of no help. Please suggest how to prevent CSV injection in my Django application with ClamAV.

Answer 1

Score: 2

Look at the definition of CSV Injection (this link can be found in your SO link)
https://www.owasp.org/index.php/CSV_Injection

In short:

> When a spreadsheet program such as Microsoft Excel or LibreOffice Calc
> is used to open a CSV, any cells starting with '=' will be interpreted
> by the software as a formula. Maliciously crafted formulas can be used
> for three key attacks:

You can prevent this attack by:

> This attack is difficult to mitigate, and explicitly disallowed from
> quite a few bug bounty programs. To remediate it, ensure that no cells
> begin with any of the following characters:
>
> - Equals to ("=")
> - Plus ("+")
> - Minus ("-")
> - At ("@")

I don't know how to do this with ClamAV as I don't use it, but you could write a small Python function reading the file and ensuring that no cell starts with any of the above characters.
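The kind of small Python function the answer suggests, as an added example that is not part of the original answer. The name `find_formula_cells` and the sample bytes are constructed for illustration, and stripping a UTF-8 BOM and leading whitespace before the check is an assumption that goes beyond the quoted list.

```python
import csv
import io

# Leading characters the quoted OWASP text says no cell may begin with.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def find_formula_cells(data, encoding="utf-8-sig"):
    """Return [(row, column, value), ...] for cells starting with a formula
    prefix. Rows and columns are 1-based. `data` is the raw bytes of the
    upload, e.g. what uploaded_file.read() returns in a Django view or form.
    """
    # "utf-8-sig" drops a leading BOM, which would otherwise hide a prefix
    # in the very first cell.
    text = data.decode(encoding)
    # csv.reader parses quoted fields, so a quoted cell containing commas or
    # newlines is checked as one cell instead of as raw lines.
    reader = csv.reader(io.StringIO(text, newline=""))
    hits = []
    for r, row in enumerate(reader, start=1):
        for c, cell in enumerate(row, start=1):
            # Assumption: leading whitespace is ignored, so " =1+1" is flagged.
            # Plain negative numbers such as "-5" are flagged too, because the
            # quoted rule forbids a leading "-" without exceptions.
            if cell.lstrip().startswith(FORMULA_PREFIXES):
                hits.append((r, c, cell))
    return hits


# Constructed sample upload: BOM, a quoted formula-like cell, a negative
# number, a cell with leading whitespace, and a multi-line quoted cell whose
# second line starts with "=" (not a cell start, so it must not be flagged).
SAMPLE = (
    b"\xef\xbb\xbfname,amount,note\r\n"
    b"alice,10,ok\r\n"
    b'bob,-5,"=1+1"\r\n'
    b"carol,7, @SUM(A1:A2)\r\n"
    b'dave,3,"first line\n=second line"\r\n'
)

if __name__ == "__main__":
    for row, col, value in find_formula_cells(SAMPLE):
        print(f"row {row}, column {col}: {value!r}")
```

In a Django form this check would typically be called from the upload field's `clean_<fieldname>()` method, raising `ValidationError` when the returned list is not empty.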

huangapple
  • Posted on January 3, 2020 18:28:45
  • When reposting, be sure to keep the link to this article: https://go.coder-hub.com/59576940.html