Can a CSV contain malicious code?

Yes, there are some examples of malicious CSV files causing random "code" execution. People choose to open CSV files in MS Excel, Open Office or similar software, which has macro execution capabilities.

Some examples:

  • https://www.contextis.com//resources/blog/comma-separated-vulnerabilities/
  • https://hackerone.com/reports/72785

If your environment does not use popular applications such as MS Excel to open CSVs, the risk is significantly reduced. I would also look for the presence of external, potentially malicious links in the downloaded CSV that might be hosting drive-by downloads (hence you would want to avoid visiting these links).


Yes, it may contain arbitrary system commands that will be executed on the machine where you are opening the CSV file. Your spreadsheet software will render the CSV values as the injected commands and execute them after giving you multiple warnings.

Example - create a CSV file with the following two lines:

    User name,Email,Designation
    =2+5+cmd|' /C calc'!A0,[email protected],SSE

Save it and open it using MS Excel. Calculator will open on your Windows system.

For further reading -

  • http://georgemauer.net/2017/10/07/csv-injection.html
  • https://asecurityz.blogspot.in/2017/12/csv-injection-mitigations.html
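The following is an added example, not code from either answer or from the linked articles. It does the two things a practitioner needs around the technique shown above: scan a received CSV for cells that a spreadsheet would evaluate (the check the first answer suggests, generalised from links to every formula trigger), and defang those cells when exporting a CSV that users will open in Excel or LibreOffice. The sample CSV, the e-mail addresses and the HYPERLINK row are constructed for the example; the first data row is the payload from the answer above.

```python
import csv
import io
import re

# Leading characters that Excel and LibreOffice treat as the start of a formula.
# The DDE payload in the answer above starts with "="; tab and CR are included
# because some versions strip them and then evaluate what is left.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number ("-1234", "+3.5e2") is a value, not an injected formula.
_NUMERIC = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")

# Constructed sample: the answer's payload, benign rows, a quoted HYPERLINK()
# formula (quoting does not neutralise it) and a negative number.
SAMPLE_CSV = (
    "User name,Email,Designation\n"
    "=2+5+cmd|' /C calc'!A0,a@example.com,SSE\n"
    "Alice,alice@example.com,Dev\n"
    '"=HYPERLINK(""http://evil.example/"",""click"")",bob@example.com,QA\n'
    "-1234,carol@example.com,Ops\n"
)


def parse_rows(csv_text: str) -> list:
    """Parse CSV text into a list of rows (lists of unquoted cell strings)."""
    return list(csv.reader(io.StringIO(csv_text)))


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    if not value.startswith(FORMULA_TRIGGERS):
        return False
    return _NUMERIC.fullmatch(value.strip()) is None


def find_injections(csv_text: str) -> list:
    """Return (row, column, value) for every cell that would be evaluated.
    Rows and columns are 1-based and the header counts as row 1. Cells are
    inspected after CSV parsing, so wrapping a payload in quotes does not
    hide it from the scan."""
    hits = []
    for r, row in enumerate(parse_rows(csv_text), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


def neutralise_cell(value: str) -> str:
    """Prefix a formula-like cell with a single quote so the spreadsheet stores
    it as literal text. Genuine numbers are left untouched."""
    return "'" + value if is_formula_cell(value) else value


def safe_export(rows) -> str:
    """Write rows as CSV with every field quoted and every formula trigger
    defanged. csv.writer doubles embedded double quotes, so a payload cannot
    close the quoted field early and start a new one."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    for r, c, cell in find_injections(SAMPLE_CSV):
        print(f"row {r} col {c}: {cell!r}")
    print(safe_export(parse_rows(SAMPLE_CSV)))
```

Two caveats when using the export side. Excel shows the leading apostrophe when a CSV is opened directly (unlike when it is typed into a cell), so it is visible to users and becomes part of the data if the file is re-imported by another program; apply it only at the boundary where the consumer is a spreadsheet. And the scan is a heuristic: it only flags cells that start with a trigger, so a cell such as a lone "@" or a "+44" phone number will be flagged and should be reviewed rather than rejected automatically.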