defusedcsv
==========
.. image:: https://img.shields.io/pypi/v/defusedcsv.svg
:target: https://pypi.python.org/pypi/defusedcsv
.. image:: https://travis-ci.org/raphaelm/defusedcsv.svg?branch=master
:target: https://travis-ci.org/raphaelm/defusedcsv
.. image:: https://codecov.io/gh/raphaelm/defusedcsv/branch/master/graph/badge.svg
:target: https://codecov.io/gh/raphaelm/defusedcsv
If your Python application offers CSV export of user-generated data, that user-generated data might contain malicious
payloads that might trigger vulnerabilities in the spreadsheet software of the user that downloads the file (i.e. MS
Excel or LibreOffice).
This library tries to mitigate that by prepending all cells starting with ``@``, ``+``,
``-``, ``=``, ``|`` or ``%`` with an apostrophe ``'`` and additionally replacing all
``|`` characters in these cells with ``\|``. This will of course change the resulting
CSV files, but Excel will not display the ``'`` character to the user.
Tested with Python 3.8 to 3.10.
Usage
-----
This library acts as a drop-in replacement for the standard library's ``csv`` module. You can use it by just replacing
``import csv`` with ``from defusedcsv import csv`` in your code.
Useful Links
------------
* `CSV Injection Software Attack | OWASP Foundation <https://owasp.org/www-community/attacks/CSV_Injection>`_
* `Comma Separated Vulnerabilities | Context Information Security <https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/>`_
* `CSV Injection Mitigations & Dangers | ZeroSec - Adventures In Information Security <https://blog.zsec.uk/csv-dangers-mitigations/>`_
License
-------
The code in this repository is published under the terms of the Apache License.
See the LICENSE file for the complete license text.
This project is maintained by Raphael Michel <mail@raphaelmichel.de>. See the
AUTHORS file for a list of all the awesome folks who contributed to this project.
Raw data
{
"_id": null,
"home_page": "https://github.com/raphaelm/defusedcsv",
"name": "defusedcsv",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "csv injection defuse save",
"author": "Raphael Michel",
"author_email": "mail@raphaelmichel.de",
"download_url": "https://files.pythonhosted.org/packages/09/71/b315ee2dde73f37cc8245c5f31034e790ef72fa31b431f4bd534d9c0a19b/defusedcsv-2.0.0.tar.gz",
"platform": null,
"description": "defusedcsv\n==========\n\n.. image:: https://img.shields.io/pypi/v/defusedcsv.svg\n :target: https://pypi.python.org/pypi/defusedcsv\n\n.. image:: https://travis-ci.org/raphaelm/defusedcsv.svg?branch=master\n :target: https://travis-ci.org/raphaelm/defusedcsv\n\n.. image:: https://codecov.io/gh/raphaelm/defusedcsv/branch/master/graph/badge.svg\n :target: https://codecov.io/gh/raphaelm/defusedcsv\n\nIf your Python application offers CSV export of user-generated data, that user-generated data might contain malicious\npayloads that might trigger vulnerabilities in the spreadsheet software of the user that downloads the file (i.e. MS\nExcel or LibreOffice).\n\nThis library tries to mitigate that by prepending all cells starting with ``@``, ``+``,\n``-``, ``=``, ``|`` or ``%`` with an apostrophe ``'`` and additionally replacing all\n``|`` characters in these cells with ``\\|``. This will of course change the resulting\nCSV files, but Excel will not display the ``'`` character to the user.\n\nTested with Python 3.8 to 3.10.\n\nUsage\n-----\n\nThis library acts as a drop-in replacement for the standard library's ``csv`` module. You can use it by just replacing\n``import csv`` with ``from defusedcsv import csv`` in your code.\n\nUseful Links\n------------\n\n* `CSV Injection Software Attack | OWASP Foundation <https://owasp.org/www-community/attacks/CSV_Injection>`_\n* `Comma Separated Vulnerabilities | Context Information Security <https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/>`_\n* `CSV Injection Mitigations & Dangers | ZeroSec - Adventures In Information Security <https://blog.zsec.uk/csv-dangers-mitigations/>`_\n\nLicense\n-------\nThe code in this repository is published under the terms of the Apache License. \nSee the LICENSE file for the complete license text.\n\nThis project is maintained by Raphael Michel <mail@raphaelmichel.de>. See the\nAUTHORS file for a list of all the awesome folks who contributed to this project.\n\n\n",
"bugtrack_url": null,
"license": "Apache License 2.0",
"summary": "Drop-in replacement for Python's CSV library that tries to mitigate CSV injection attacks",
"version": "2.0.0",
"split_keywords": [
"csv",
"injection",
"defuse",
"save"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "2d75660d4242fa044f48d7155ad29aa9f2c91a69218cf2e061f0abc7896da7d7",
"md5": "732c4ecc827904667919310d293d8270",
"sha256": "a7bc3b1ac1ce4f8c6c1e8740466b1b5789b51ca18d918b0099313dc0cdf2cef4"
},
"downloads": -1,
"filename": "defusedcsv-2.0.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "732c4ecc827904667919310d293d8270",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 7779,
"upload_time": "2022-04-19T08:26:01",
"upload_time_iso_8601": "2022-04-19T08:26:01.484687Z",
"url": "https://files.pythonhosted.org/packages/2d/75/660d4242fa044f48d7155ad29aa9f2c91a69218cf2e061f0abc7896da7d7/defusedcsv-2.0.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "0971b315ee2dde73f37cc8245c5f31034e790ef72fa31b431f4bd534d9c0a19b",
"md5": "bae0807cee5a14b74b7c36f4851f0c3e",
"sha256": "7612228e54ef1690a19f7aef526709010608e987f9998c89588ef05d9ecfe4d6"
},
"downloads": -1,
"filename": "defusedcsv-2.0.0.tar.gz",
"has_sig": false,
"md5_digest": "bae0807cee5a14b74b7c36f4851f0c3e",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 7496,
"upload_time": "2022-04-19T08:26:03",
"upload_time_iso_8601": "2022-04-19T08:26:03.309239Z",
"url": "https://files.pythonhosted.org/packages/09/71/b315ee2dde73f37cc8245c5f31034e790ef72fa31b431f4bd534d9c0a19b/defusedcsv-2.0.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2022-04-19 08:26:03",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "raphaelm",
"github_project": "defusedcsv",
"travis_ci": false,
"coveralls": true,
"github_actions": true,
"lcname": "defusedcsv"
}