Deserialization

PyCsv

The csv module. csv.writer + writerow on user-controlled cells produces CSV formula injection when the receiver opens the CSV in Excel (cells starting with =, +, -, @ are interpreted as formulas). The stdlib has no sanitizer; prefix such cells with a tab or an apostrophe before writing them.
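An added example (not part of this rule page or codepathfinder) showing the apostrophe mitigation applied around csv.writer, plus a reader-side check over an existing export; the sample rows are constructed, and negative numbers such as -5 are deliberately left alone so they stay numeric.

```python
import csv
import io
import math

# Leading characters that Excel (and LibreOffice) interpret as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def _is_plain_number(text):
    """True for strings such as '-5' or '+1.5' that a spreadsheet reads as a number, not a formula."""
    try:
        return math.isfinite(float(text))
    except ValueError:
        return False


def neutralize_cell(value):
    """Prefix a formula-looking string with an apostrophe so the spreadsheet stores it as text.

    Non-string values (ints, floats, None) pass through untouched; csv.writer formats them itself.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_PREFIXES) and not _is_plain_number(value):
        return "'" + value
    return value


def export_csv(rows):
    """Serialize rows with csv.writer (default 'excel' dialect), neutralizing every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text produced elsewhere; return (row, col, cell) for every cell a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES) and not _is_plain_number(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    # Constructed sample: a user-supplied "note" field that begins with '='.
    rows = [["name", "note", "balance"], ["alice", "=SUM(A1:A2)", -5]]
    print(export_csv(rows))
    print(find_formula_cells("name,note\r\nalice,=SUM(A1:A2)\r\n"))
```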

Taint flow: 2 sources, 0 sinks
Sources — untrusted input
.reader()
.DictReader()

Sources

.reader() (Source)
Signature
csv.reader(csvfile, dialect='excel', **fmtparams) -> _reader

Creates a CSV reader. Rows are sources when the file is user-supplied.

tracks: return

.DictReader() (Source)
Signature
csv.DictReader(f, fieldnames=None, ...) -> DictReader

CSV reader that maps rows to dicts. Source on untrusted CSV files.

tracks: return

Other Methods

.writer() (Neutral)
Signature
csv.writer(csvfile, dialect='excel', **fmtparams) -> _writer

Creates a CSV writer. writerow() with user-controlled cells is a formula-injection sink.

.DictWriter() (Neutral)
Signature
csv.DictWriter(f, fieldnames, ...) -> DictWriter

Dict-based CSV writer. Formula-injection sink on user cells.

Fully-Qualified Names

FQN: csv
Field: fqns[0]

A wrong FQN yields 0 findings. To verify the FQN is actually matched, change fqns to a garbage value: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyCsv