pathfinder scan --ruleset python/PYTHON-LANG-SEC-094 --project .

About This Rule
Understanding the vulnerability and how it is detected
CSV formula injection (also known as CSV injection or formula injection) occurs when user-supplied data containing spreadsheet formula characters (=, +, -, @, tab, newline) is exported to CSV format and subsequently opened in a spreadsheet application such as Microsoft Excel or Google Sheets.
Spreadsheet applications interpret cells starting with =, +, -, or @ as formulas and execute them. An attacker who can inject data starting with =HYPERLINK("http://evil.com/", "Click me") or =cmd|'/C calc.exe'!A0 (on Windows with DDE enabled) can cause the spreadsheet to make outbound network requests, execute system commands, or display deceptive content when the CSV is opened.
Python's csv.writer() does not protect against formula injection. Use defusedcsv or sanitize field values by prepending a single quote or tab to fields starting with formula characters.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Remote Code Execution via DDE in Excel
Microsoft Excel supports Dynamic Data Exchange (DDE) which allows cells to execute system commands. Formula injection payloads like =cmd|'/C calc.exe'!A0 can execute arbitrary commands on Windows systems with DDE enabled (disabled by default in recent Excel versions but still a risk in legacy environments).
Server-Side Request Forgery via Hyperlinks
=HYPERLINK() formula injection can embed clickable links in spreadsheet cells that redirect users to attacker-controlled URLs when clicked, enabling phishing attacks or tracking of user behavior.
Data Exfiltration via Spreadsheet Formulas
Formulas that reference other cells or perform lookups can exfiltrate data visible in the spreadsheet by encoding it in URL parameters of outbound hyperlink requests, potentially exposing sensitive information to attackers.
Deceptive Content Injection
Formula injection can display deceptive values in spreadsheet cells that differ from the actual CSV data, potentially misleading users about financial figures, status codes, or other important data when they open the exported file.
How to Fix
Recommended remediation steps
1. Sanitize all user-controlled CSV field values by prepending a tab character or single quote to values starting with =, +, -, or @.
2. Use the defusedcsv library as a drop-in replacement for csv.writer() that automatically handles formula injection protection.
3. Apply csv.QUOTE_ALL quoting mode to ensure all fields are quoted, which prevents newline injection in CSV fields.
4. Include a Content-Disposition: attachment header and Content-Type: text/csv header when serving CSV files to prevent browsers from rendering them.
5. Educate users about the risks of opening CSV files from untrusted sources in spreadsheet applications.
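Steps 1 and 3 carried out in code, as an added example that is not part of this page or of Code Pathfinder: a plain csv.writer() export next to a hardened one that prepends a single quote to string fields starting with a formula trigger and quotes every field. The sample rows and the evil.example URL are constructed for the demonstration.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula. Tab, CR and LF are included because a field that begins
# with them is still evaluated once the importer strips the leading whitespace.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def sanitize_field(value):
    """Return the field as text the spreadsheet will display, not evaluate.

    Only str values are user-controlled in this example; ints and floats come
    from the application, so a negative number such as -5 is left untouched
    instead of becoming the text "'-5".
    """
    if not isinstance(value, str):
        return str(value)
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def write_csv_unsafe(rows):
    """The 'before' case: csv.writer() passes a formula payload through as-is."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def write_csv_safe(rows):
    """Hardened writer: every field sanitized, and QUOTE_ALL keeps embedded
    newlines and delimiters inside their own cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([sanitize_field(field) for field in row])
    return buf.getvalue()


# Constructed sample export; the "name" column is user-controlled.
SAMPLE_ROWS = [
    ["name", "balance"],
    ["Alice", 100],
    ['=HYPERLINK("http://evil.example/", "Click me")', 250],
    ["Bob\n=1+1", 7],
    ["Carol", -5],
]
```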
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects calls to csv.writer() and csv.DictWriter() in Python source code. All call sites are flagged for review to ensure formula injection protection is applied to user-controlled field values in the output. This is a LOW severity audit rule since not all CSV usage involves data that reaches spreadsheet applications.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
References
External resources and documentation
Similar Rules
Explore related security rules for Python
Insecure XML Parsing (XXE Vulnerability)
xml.etree.ElementTree is vulnerable to XML External Entity (XXE) attacks. Use defusedxml for safe XML parsing.
Insecure xml.dom.minidom Usage (XXE)
xml.dom.minidom is vulnerable to XML External Entity (XXE) attacks. Use defusedxml.minidom for safe XML parsing.
Frequently Asked Questions
Common questions about csv.writer Audit (Formula Injection Risk)