If you're generating a CSV file using the built-in csv module and incorporating user data, there's a potential security risk. An attacker might inject a formula into the CSV file, which, when imported into a spreadsheet application, could execute a malicious script, leading to data theft or even malware installation on the user's computer. To enhance security, consider using defusedcsv as a direct substitute for csv. defusedcsv maintains the same API but aims to thwart formula injection attempts, providing a safer way to create CSV files.
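The following is an added, self-contained example (not code from this page, from Grit, or from the defusedcsv project) that shows the risk and the mitigation side by side. It writes the same constructed rows once with the stdlib csv writer and once through a small neutralize_cell helper that prefixes formula-trigger cells with a single quote, the general approach defusedcsv takes (the helper is an assumed simplification, not the library's implementation), and includes a detection helper that scans finished CSV text for cells that would be interpreted as formulas.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. Tab and carriage return are included because some importers drop
# them before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` with any leading formula trigger defused.

    Non-string values are returned unchanged. A string whose first character is
    a formula trigger is prefixed with a single quote, which spreadsheet
    applications interpret as "treat this cell as literal text". This mirrors
    the defusedcsv approach in spirit (assumption: simplified, not the
    library's own code).
    """
    if not isinstance(value, str):
        return value
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def write_csv_unsafe(rows):
    """Stdlib csv writer: user-supplied cells are written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerows(rows)
    return buf.getvalue()


def write_csv_defused(rows):
    """Same writer, but every cell passes through neutralize_cell first."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def has_formula_cell(csv_text):
    """Detection helper: True if any parsed cell starts with a formula trigger.

    Useful as a unit-test or export-pipeline check on generated CSV output.
    """
    reader = csv.reader(io.StringIO(csv_text))
    return any(cell[:1] in FORMULA_TRIGGERS for row in reader for cell in row)


# Constructed sample rows: the "comment" column is untrusted user input.
SAMPLE_ROWS = [
    ["username", "comment"],
    ["alice", "looks good"],
    ["mallory", '=HYPERLINK("https://example.invalid","open")'],  # constructed formula
    ["bob", "+1 for this"],  # innocent text that still starts with a trigger
]


if __name__ == "__main__":
    unsafe = write_csv_unsafe(SAMPLE_ROWS)
    safe = write_csv_defused(SAMPLE_ROWS)
    print("unsafe output contains formula cells:", has_formula_cell(unsafe))
    print("defused output contains formula cells:", has_formula_cell(safe))
    print(safe)
```

Note the trade-off visible in the "bob" row: any string that begins with a trigger character is escaped, including harmless text such as "+1" or a negative number passed as a string. Pass numeric values as int or float rather than as strings so they are written untouched, and keep the single-quote prefix in mind when the exported file is consumed by anything other than a spreadsheet.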
Apply with the Grit CLI
grit apply use_defusedcsv
without use-defusedcsv
BEFORE
# use-defusedcsv
import csv

with open("file", 'r') as fin:
    reader = csv.reader(fin)
with open("file", 'w') as fout:
    writer = csv.writer(fout, quoting=csv.QUOTE_ALL)
AFTER
# use-defusedcsv
import defusedcsv as csv

with open("file", 'r') as fin:
    reader = csv.reader(fin)
with open("file", 'w') as fout:
    writer = csv.writer(fout, quoting=csv.QUOTE_ALL)
with use-defusedcsv
PYTHON
# use-defusedcsv
import defusedcsv as csv

with open("file", 'w') as fout:
    writer = csv.writer(fout)