Comment 0 for bug 1842749

Adam Harwell (adam-harwell) wrote :

Many spreadsheet programs, such as Excel, LibreOffice, and OpenOffice, will parse and treat
cells with special metacharacters as formulas. These programs can open comma-separated
values (CSV) files and treat them as spreadsheets. If an attacker can influence the contents
of a CSV file, then that can allow the attacker to inject code that will execute when someone
opens the CSV file through a spreadsheet program.

In the Compute Overview panel in Horizon, there is a section titled “Usage Summary.” This
section has a feature for downloading a CSV document of that usage summary. The contents of
the CSV document include the name of the instances and other points of data such as their
current state or how many resources they consume.

An attacker could create an instance with a malicious name beginning with an equals sign
(=) or at sign (@). These are both recognized in Excel as metacharacters for a formula. The
attacker can create an instance name that includes a payload that will execute code such as:

=cmd|' /C calc'!A0

This payload opens the calculator program when the resulting CSV is opened on a Windows
machine with Microsoft Excel. An attacker could easily substitute this payload with another
that runs any arbitrary shell commands.

Reproduction Steps:

1. Access an OpenStack project, navigate to the Instances section.
2. Create an instance with the following name:
=cmd|' /C calc'!A0
3. Navigate to the Overview section.
4. Refresh the page until the new instance shows up in the Usage list.
5. Click the button titled “DOWNLOAD CSV SUMMARY.”
6. Observe the generated CSV file.
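The usual defence against the problem described in this report is to neutralize any exported cell that starts with a formula trigger before it reaches the spreadsheet program. The example below is added here and is not Horizon's own code or its fix; the row layout (`name`, `vcpus`, `ram_mb`, `state`) and the function names are assumptions, and the sample rows are constructed, reusing the instance name from the report as one of them. It writes a usage-summary CSV with every cell passed through a neutralizer and also provides a checker that a defender can run over an export to confirm no cell still begins with a trigger character.

```python
import csv
import io

# Characters that common spreadsheet programs treat as the start of a
# formula (or as a cell-format trigger) when they begin a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` made safe for import into a spreadsheet.

    A string that begins with a formula trigger gets a leading single
    quote, which spreadsheet programs interpret as "treat this cell as
    literal text". Non-string values (counts, sizes) are returned as-is.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def usage_summary_csv(rows):
    """Render usage rows to CSV text with every cell neutralized.

    `rows` is a list of dicts with the keys name/vcpus/ram_mb/state; this
    shape is assumed for the example and is not Horizon's data model.
    csv.writer quotes commas, quotes and newlines so that one cell cannot
    spill into neighbouring cells or rows.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Instance Name", "VCPUs", "RAM (MB)", "State"])
    for row in rows:
        writer.writerow([
            neutralize_cell(row["name"]),
            neutralize_cell(row["vcpus"]),
            neutralize_cell(row["ram_mb"]),
            neutralize_cell(row["state"]),
        ])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Parse CSV text and return (row, column, cell) for every cell that
    still begins with a formula trigger. An empty list means the export
    is safe to hand to a spreadsheet program."""
    findings = []
    for r, record in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(record):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c, cell))
    return findings


# Constructed sample data (not from a real deployment). The second name
# is the instance name quoted in the bug report above.
SAMPLE_ROWS = [
    {"name": "web-01", "vcpus": 2, "ram_mb": 4096, "state": "Active"},
    {"name": "=cmd|' /C calc'!A0", "vcpus": 1, "ram_mb": 512, "state": "Active"},
]

# The unneutralized export, for comparison: what the report describes.
RAW_CSV = "Instance Name,VCPUs\n" + SAMPLE_ROWS[1]["name"] + ",1\n"


if __name__ == "__main__":
    print(usage_summary_csv(SAMPLE_ROWS))
    print("raw export findings:", find_formula_cells(RAW_CSV))
    print("neutralized export findings:",
          find_formula_cells(usage_summary_csv(SAMPLE_ROWS)))
```

Two design notes: the trigger list includes `+`, `-`, tab and carriage return as well as `=` and `@`, because spreadsheet programs accept more than the two characters named in the report; and the leading apostrophe is a spreadsheet convention, so it may be shown literally by tools that are not spreadsheets, which is a cosmetic cost accepted in exchange for the cell never being evaluated.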