Formula Injection in Django
How Formula Injection Manifests in Django
Formula Injection in Django applications occurs when user-supplied data is exported to spreadsheet formats without proper sanitization, allowing attackers to embed malicious formulas that execute when the file is opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc.
Django's built-in export functionality and third-party libraries like django-import-export or tablib can inadvertently create formula injection vulnerabilities. The most common scenario involves exporting querysets to CSV or Excel formats where user input fields contain formula syntax like =, +, -, or @ characters.
Consider this vulnerable Django view that exports user data:
from django.http import HttpResponse
from .models import UserProfile
def export_users(request):
users = UserProfile.objects.all()
response = HttpResponse(content_type='text/csv')
response['Content-Disposition'] = 'attachment; filename="users.csv"'
writer = csv.writer(response)
writer.writerow(['Name', 'Email', 'Salary'])
for user in users:
writer.writerow([user.name, user.email, user.salary])
return response
If a user's name field contains =2+2, Excel will evaluate this as a formula when the CSV is opened, potentially leading to information disclosure through functions like INDIRECT, DDE, or EXEC.
Django REST Framework export endpoints are particularly vulnerable when using ModelViewSet with format_suffix_patterns and allowing .csv or .xlsx formats. An attacker could craft payloads that execute arbitrary commands on the victim's machine through Excel's formula engine.
The risk is amplified in Django applications that handle financial data, as formulas can access external resources via WEBSERVICE or MSXML2.XMLHTTP functions, potentially exfiltrating sensitive data from the victim's network.
Django-Specific Detection
Detecting formula injection in Django applications requires both static code analysis and dynamic testing of export functionality. middleBrick's API security scanner includes specialized checks for formula injection vulnerabilities that are particularly relevant to Django applications.
middleBrick scans Django export endpoints by submitting test payloads containing formula syntax and analyzing the generated spreadsheet files. The scanner looks for specific patterns like:
- Leading
=,+,-,@characters in exported cells - Excel-specific functions like
IMPORTXML,WEBSERVICE,DDE - Formula syntax that could lead to command execution
- CSV injection vectors in comma-separated export functionality
The scanner tests against Django's default export patterns, DRF format suffixes, and common third-party export libraries. It analyzes the actual file output to verify if malicious formulas survive the export process intact.
For manual detection in Django codebases, search for:
grep -r "export" . --include="*.py" | grep -E "(csv|xlsx|excel|download)"
grep -r "tablib" . --include="*.py"
grep -r "django-import-export" . --include="*.py"
Focus on views that handle data export, especially those using HttpResponse with text/csv or application/vnd.ms-excel content types. Check for proper escaping of user-supplied data before it's written to export files.
middleBrick's continuous monitoring feature (Pro plan) can automatically scan your Django export endpoints on a schedule, alerting you when new formula injection vulnerabilities are detected in your API's attack surface.
Django-Specific Remediation
Remediating formula injection in Django applications involves sanitizing user input before export and using safe export libraries that handle formula escaping automatically. Django's built-in mechanisms and third-party libraries offer several approaches.
The most straightforward remediation is prefixing potentially dangerous cells with a single quote (') to force Excel to treat the content as text:
import csv
from django.http import HttpResponse
def safe_export_users(request):
users = UserProfile.objects.all()
response = HttpResponse(content_type='text/csv')
response['Content-Disposition'] = 'attachment; filename="users.csv"'
writer = csv.writer(response)
writer.writerow(['Name', 'Email', 'Salary'])
for user in users:
# Sanitize fields that might contain formula syntax
name = f"'{user.name}" if user.name and user.name.startswith(('=', '+', '-', '@')) else user.name
email = f"'{user.email}" if user.email and user.email.startswith(('=', '+', '-', '@')) else user.email
writer.writerow([name, email, user.salary])
return response
For more robust protection, use the csv module's quoting parameter to ensure all fields are properly quoted:
writer = csv.writer(response, quoting=csv.QUOTE_ALL, escapechar='\')
middleBrick's scanning can verify that your remediation is effective by testing with malicious payloads and confirming they're properly escaped in the exported files.
For Excel exports using libraries like openpyxl or xlsxwriter, set cell data types explicitly:
from openpyxl import Workbook
def export_to_excel(request):
wb = Workbook()
ws = wb.active
ws.append(['Name', 'Email', 'Salary'])
for user in UserProfile.objects.all():
# Force text format for all string fields
ws.append([
f"'" + user.name if user.name and user.name.startswith(('=', '+', '-', '@')) else user.name,
f"'" + user.email if user.email and user.email.startswith(('=', '+', '-', '@')) else user.email,
user.salary
])
response = HttpResponse(content_type='application/vnd.openxmlformats-officedocument.spreadsheetml.sheet')
response['Content-Disposition'] = 'attachment; filename="users.xlsx"'
wb.save(response)
return response
The django-import-export library includes built-in formula protection when configured properly. Set export_quoting to csv.QUOTE_ALL in your resource class:
from import_export import resources, fields
import csv
class UserResource(resources.ModelResource):
class Meta:
model = UserProfile
export_quoting = csv.QUOTE_ALL
skip_unchanged = True
middleBrick's GitHub Action integration can automatically scan your Django export endpoints during CI/CD, failing builds if formula injection vulnerabilities are detected in your staging environment.