[Openstack-security] [Bug 1842749] Re: CSV Injection Possible in Compute Usage History

OpenStack Infra 1842749 at bugs.launchpad.net
Tue Oct 15 11:46:14 UTC 2019


Reviewed:  https://review.opendev.org/679161
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=70629916fe32df61018fd122711e6b036b53c811
Submitter: Zuul
Branch:    master

commit 70629916fe32df61018fd122711e6b036b53c811
Author: Adam Harwell <flux.adam at gmail.com>
Date:   Wed Aug 28 16:59:06 2019 -0700

    Use quoting for CSV Writing
    
    An attacker could create an instance with a malicious name beginning
    with an equals sign (=) or at sign (‘@’).
    These are both recognized in Excel as metacharacters for a formula. The
    attacker can create an instance name that includes a payload that will
    execute code such as:
    =cmd|' /C calc'!A0
    This payload opens the calculator program when the resulting CSV is
    opened on a Windows machine with Microsoft Excel. An attacker could
    easily substitute this payload with another that runs any arbitrary
    shell commands.
    
    Quote the CSV output so this is no longer a possibility.
    
    Closes-Bug: #1842749
    Change-Id: I937fa2a14bb483d87f057b3e8be219ecdc9363eb


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1842749

Title:
  CSV Injection Possible in Compute Usage History

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Many spreadsheet programs, such as Excel, LibreOffice, and OpenOffice, will parse and treat cells with special metacharacters as formulas. These programs can open comma-separated values (CSV) files and treat them as spreadsheets. If an attacker can influence the contents of a CSV file, then that can allow the attacker to inject code that will execute when someone opens the CSV file through a spreadsheet program.

  In the Compute Overview panel in Horizon, there is a section titled “Usage Summary.” This section has a feature for downloading a CSV document of that usage summary. The contents of the CSV document include the name of the instances and other points of data such as its current state or how many resources it consumes.

  An attacker could create an instance with a malicious name beginning with an equals sign (=) or at sign (‘@’). These are both recognized in Excel as metacharacters for a formula. The attacker can create an instance name that includes a payload that will execute code such as:

  =cmd|' /C calc'!A0

  This payload opens the calculator program when the resulting CSV is
  opened on a Windows machine with Microsoft Excel. An attacker could
  easily substitute this payload with another that runs any arbitrary
  shell commands.

  Reproduction Steps:

  1. Access an OpenStack project, navigate to the Instances section.
  2. Create an instance with the following name:
  =cmd|' /C calc'!A0
  3. Navigate to the Overview section.
  4. Refresh the page until the new instance shows up in the Usage list.
  5. Click the button titled “DOWNLOAD CSV SUMMARY.”
  6. Observe the generated CSV file.
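An added example (not Horizon's code and not from the patch above): a small usage-summary CSV writer that quotes every field, as the fix does, and additionally neutralises leading formula characters following the common CSV-injection hardening of prefixing such cells with a single quote. The column set is hypothetical and the sample rows are constructed, with the instance name taken from the report; find_formula_cells is a detection helper for auditing an already-generated file.

```python
import csv
import io

# Characters that common spreadsheet programs interpret as the start of a
# formula when they appear at the beginning of a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return the value made safe for spreadsheet consumption.

    Cells beginning with a formula trigger are prefixed with a single quote so
    the spreadsheet treats them as literal text. Non-string values pass through.
    """
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def write_usage_csv(rows, neutralise=True):
    """Serialise usage rows (hypothetical columns) to CSV text.

    Every field is quoted (csv.QUOTE_ALL); with neutralise=True the formula
    triggers are also escaped, so a quoted cell cannot still be evaluated.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["Instance Name", "VCPUs", "Disk", "RAM", "Uptime"])
    for row in rows:
        cells = [neutralise_cell(c) for c in row] if neutralise else list(row)
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Parse CSV text and return (row, col, value) for each formula-looking cell."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample rows; the first name is the payload quoted in the bug report.
SAMPLE_ROWS = [
    ("=cmd|' /C calc'!A0", 1, 20, 512, "1 hour"),
    ("web-01", 2, 40, 2048, "3 days"),
]
```

Quoting alone is worth checking in the target spreadsheet program: Excel strips the surrounding double quotes before deciding whether a cell is a formula, which is why the single-quote prefix is applied as well.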
