Formula Injection in Buffalo

Formula Injection in Buffalo applications occurs when user-controlled data is included in Excel or CSV exports without proper sanitization. Buffalo developers often use the github.com/xuri/excelize library to generate spreadsheets programmatically, and when cell values contain formulas starting with '=', '+', '-', or '@', Excel will execute them upon opening.

A common Buffalo pattern involves exporting database records to Excel for reporting. Consider this typical Buffalo controller code:

func UsersExport(c buffalo.Context) error {
    users := []models.User{}
    if err := models.DB.All(&users); err != nil {
        return err
    }

    f := excelize.NewFile()
    index := f.NewSheet("Users")
    f.SetActiveSheet(index)

    for i, user := range users {
        f.SetCellValue("Users", fmt.Sprintf("A%d", i+2), user.Name)
        f.SetCellValue("Users", fmt.Sprintf("B%d", i+2), user.Email)
        f.SetCellValue("Users", fmt.Sprintf("C%d", i+2), user.Salary) // Vulnerable!
    }

    // ... write file to response
}

The vulnerability appears when user-controlled fields like user.Salary contain malicious formulas. An attacker could set their salary to =ISNUMBER(SEARCH("admin",A2)) or =CMD|'/C calc'!A0 (Excel 4.0 macro). When the spreadsheet is opened, these formulas execute, potentially exfiltrating data from the victim's machine or executing arbitrary commands.

Buffalo's POP models make this particularly dangerous because they directly map database fields to struct fields without filtering. An attacker with write access to any exportable field can inject formulas that appear legitimate in the database but become malicious in exported spreadsheets.

Detecting Formula Injection in Buffalo applications requires examining both the export code and the data flow. Start by searching your Buffalo controllers for Excel/CSV export patterns using excelize or similar libraries.

Static analysis should look for:

grep -r "excelize\.NewFile" actions/ || grep -r "," actions/ || grep -r ".*Export.*" actions/

Dynamic testing involves creating test records with formula payloads. Using Buffalo's POP models, insert a test user:

user := models.User{
    Name:  "Test",
    Email: "test@example.com",
    Salary: "=1+1", // Formula injection test
}
if err := models.DB.Create(&user); err != nil {
    return err
}

Run your export endpoint and examine the generated spreadsheet. If cell C2 contains the formula =1+1 instead of the string "=1+1", you have a formula injection vulnerability.

For comprehensive scanning, middleBrick's API security scanner can detect formula injection risks by analyzing your export endpoints. It identifies:

• Endpoints that generate Excel/CSV files
• User-controlled data being written to spreadsheet cells
• Missing input sanitization on exportable fields
• Potential data exfiltration vectors through formula execution
• Excel 4.0 macro injection points

middleBrick's scanner tests these endpoints with formula payloads and verifies whether they're properly escaped, providing a security risk score and specific remediation guidance for your Buffalo application.

Remediating Formula Injection in Buffalo requires sanitizing data before it's written to Excel files. The most effective approach is prefixing formula-like strings with a single quote (') to force Excel to treat them as text.

Here's a Buffalo-specific sanitization function:

func sanitizeForExcel(value interface{}) interface{} {
    switch v := value.(type) {
    case string:
        // Check if string starts with formula characters
        if len(v) > 0 {
            firstChar := v[0]
            if firstChar == '=' || firstChar == '+' || firstChar == '-' || firstChar == '@' {
                // Prefix with single quote to escape formula
                return "'" + v
            }
        }
        return v
    case float64, int, bool:
        return v
    default:
        return fmt.Sprintf("%v", v)
    }
}

// Updated export function
func UsersExport(c buffalo.Context) error {
    users := []models.User{}
    if err := models.DB.All(&users); err != nil {
        return err
    }

    f := excelize.NewFile()
    index := f.NewSheet("Users")
    f.SetActiveSheet(index)

    for i, user := range users {
        f.SetCellValue("Users", fmt.Sprintf("A%d", i+2), sanitizeForExcel(user.Name))
        f.SetCellValue("Users", fmt.Sprintf("B%d", i+2), sanitizeForExcel(user.Email))
        f.SetCellValue("Users", fmt.Sprintf("C%d", i+2), sanitizeForExcel(user.Salary))
    }

    // ... write file to response
}

For a more comprehensive solution, create a Buffalo Pop-Sugar that automatically sanitizes exported data:

type SanitizedUser struct {
    models.User
}

func (u *SanitizedUser) BeforeSave(tx *pop.Connection) error {
    // Sanitize before export
    return nil
}

func (u *SanitizedUser) SanitizeForExport() models.User {
    u.Name = sanitizeForExcel(u.Name).(string)
    u.Email = sanitizeForExcel(u.Email).(string)
    u.Salary = sanitizeForExcel(u.Salary).(string)
    return u.User
}

// Usage in controller
func UsersExport(c buffalo.Context) error {
    users := []models.User{}
    if err := models.DB.All(&users); err != nil {
        return err
    }

    f := excelize.NewFile()
    index := f.NewSheet("Users")
    f.SetActiveSheet(index)

    for i, user := range users {
        sanitized := SanitizedUser{User: user}.SanitizeForExport()
        f.SetCellValue("Users", fmt.Sprintf("A%d", i+2), sanitized.Name)
        f.SetCellValue("Users", fmt.Sprintf("B%d", i+2), sanitized.Email)
        f.SetCellValue("Users", fmt.Sprintf("C%d", i+2), sanitized.Salary)
    }

    // ... write file to response
}

This approach ensures all exported data is sanitized consistently across your Buffalo application. For CSV exports, use the same sanitization function before writing values to the CSV writer.