mcp-server-semgrep/semgrep-rules/python/lang/security/use-defusedcsv.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: use-defusedcsv
  patterns:
  - pattern: csv.writer(...)
  - pattern-not: defusedcsv.writer(...)
  message: >-
    Detected the generation of a CSV file using the built-in `csv` module.
    If user data is used to generate the data in this file, it is possible that
    an attacker could inject a formula when the CSV is imported into a spreadsheet
    application that runs an attacker script, which could steal data from the importing
    user or, at worst, install malware on the user's computer. `defusedcsv` is a
    drop-in replacement with the same API that will attempt to mitigate formula
    injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.
  metadata:
    cwe:
    - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File'
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    references:
    - https://github.com/raphaelm/defusedcsv
    - https://owasp.org/www-community/attacks/CSV_Injection
    - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities
    category: security
    technology:
    - python
    confidence: LOW
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
  fix-regex:
    regex: csv
    replacement: defusedcsv
  languages: [python]
  severity: INFO