
fix: add excel macro filter for csv output #1634

Merged 1 commit, Apr 19, 2022

Conversation

@terriko (Contributor) commented Apr 12, 2022

I've added some basic Excel macro prevention to the csv output. That means trimming leading special characters (+, -, =, @) used by Excel for formulae.

Honestly, it's a bit unlikely that anyone would manage to put an Excel macro into the NVD data, but it is possible that folk might share triage with intentional or unintentional comments that parse as macros. Either way, there's no reason for us to allow these characters in output so we might as well add the filter for additional safety.

@codecov-commenter commented

Codecov Report

Merging #1634 (b14d361) into main (9e32cd7) will decrease coverage by 0.04%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1634      +/-   ##
==========================================
- Coverage   78.49%   78.44%   -0.05%     
==========================================
  Files         291      291              
  Lines        5975     5986      +11     
  Branches      980      983       +3     
==========================================
+ Hits         4690     4696       +6     
- Misses       1072     1076       +4     
- Partials      213      214       +1     
| Flag | Coverage Δ |
| --- | --- |
| longtests | 78.44% <100.00%> (-0.05%) ⬇️ |


| Impacted Files | Coverage Δ |
| --- | --- |
| cve_bin_tool/output_engine/__init__.py | 55.12% <100.00%> (+0.66%) ⬆️ |
| test/test_output_engine.py | 94.03% <100.00%> (+0.33%) ⬆️ |
| cve_bin_tool/nvd_api.py | 75.00% <0.00%> (-5.18%) ⬇️ |
| cve_bin_tool/cli.py | 70.43% <0.00%> (+0.43%) ⬆️ |


    # Trim any leading -, =, + or @ to avoid excel macros
    # (str.strip removes the characters from both ends of the cell value)
    for cve_entry in formatted_output:
        for key, value in cve_entry.items():
            cve_entry[key] = value.strip("-=+@")
A contributor commented on the code above:

Why only these special characters?

@terriko (Contributor, Author) commented Apr 19, 2022

I answered the question out of band but in case anyone else was wondering: those special characters are used in Excel to designate formulae, functions and macros. I got the list out of some internal expert guidance so I'm assuming it to be the complete list of interest most commonly used in Excel macro exploits.
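The stripping approach from the PR description and the trigger characters named in the reply above, shown alongside an apostrophe-prefix alternative and a check that scans produced CSV for cells still starting with a trigger; this is an added illustration, not cve-bin-tool's own code, and the sample rows, placeholder CVE ids and function names are constructed.

```python
import csv
import io

# The four characters the PR strips: Excel treats a cell that begins with
# one of them as a formula rather than as text.
FORMULA_TRIGGERS = "-=+@"

# Constructed sample rows in the shape of a triage CSV (placeholder CVE ids,
# not real NVD data).
SAMPLE_ROWS = [
    {"product": "libfoo", "cve_number": "CVE-XXXX-0001", "comment": "=SUM(A1:A2) looks odd"},
    {"product": "bar", "cve_number": "CVE-XXXX-0002", "comment": "+1, confirmed"},
    {"product": "baz", "cve_number": "CVE-XXXX-0003", "comment": "plain text"},
]


def strip_formula_prefix(value):
    """The PR's approach: drop leading trigger characters so the cell is plain text."""
    return value.lstrip(FORMULA_TRIGGERS) if isinstance(value, str) else value


def quote_formula_prefix(value):
    """Alternative that keeps the text intact: prefix an apostrophe, which
    spreadsheets read as 'literal text' (assumption: the consumer honours it)."""
    if isinstance(value, str) and value.startswith(tuple(FORMULA_TRIGGERS)):
        return "'" + value
    return value


def sanitize_rows(rows, neutralize=strip_formula_prefix):
    """Apply the chosen neutralizer to every cell of every row."""
    return [{k: neutralize(v) for k, v in row.items()} for row in rows]


def rows_to_csv(rows):
    """Serialize dict rows with the stdlib writer, which handles quoting of commas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def cells_with_formula_trigger(csv_text):
    """Detection check: parse CSV text back and list (row_index, column) of each
    cell that still begins with a trigger character."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(i, k) for i, row in enumerate(reader) for k, v in row.items()
            if v.startswith(tuple(FORMULA_TRIGGERS))]
```

Running `cells_with_formula_trigger` over the unsanitized rows flags the two comment cells; after either neutralizer it returns an empty list.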

@terriko terriko merged commit 1231185 into intel:main Apr 19, 2022
anthonyharrison pushed a commit to anthonyharrison/cve-bin-tool that referenced this pull request May 2, 2022