oletools_rs 0.1.0

Rust port of oletools — analysis tools for Microsoft Office files (VBA macros, DDE, OLE objects, RTF exploits)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

//! DDE detection in CSV files.
//!
//! Scans for DDE formulas that start with `=`, `+`, `-`, or `@`
//! and contain a pipe character followed by an exclamation mark,
//! which indicates a DDE command injection.

use std::sync::LazyLock;

use regex::Regex;

use crate::msodde::field_parser::DdeField;

/// Pattern for DDE formula injection in CSV cells.
/// Matches cells starting with =, +, -, or @ that contain `|...|!` pattern.
static RE_CSV_DDE: LazyLock<Regex> = LazyLock::new(|| {
    Regex::new(r#"(?m)^["']?[=+\-@].*\|.*!"#).unwrap()
});

/// Scan CSV text for DDE formula injection patterns.
pub fn process_csv(data: &[u8]) -> Vec<DdeField> {
    let text = String::from_utf8_lossy(data);
    let mut fields = Vec::new();

    for mat in RE_CSV_DDE.find_iter(&text) {
        let matched = mat.as_str().trim();

        // Extract the formula content
        let formula = matched.trim_start_matches(['"', '\'']);

        fields.push(DdeField {
            field_instruction: formula.to_string(),
            command: formula.to_string(),
            source: extract_dde_source(formula),
            quote_decoded: None,
        });
    }

    fields
}

/// Extract the DDE source application from a formula.
/// e.g., `=cmd|'/c calc'!A0` -> "cmd"
fn extract_dde_source(formula: &str) -> String {
    // Skip the leading =, +, -, @
    let stripped = formula.trim_start_matches(|c: char| "=+-@".contains(c));

    // Extract up to the pipe character
    if let Some(pipe_pos) = stripped.find('|') {
        stripped[..pipe_pos].trim().to_string()
    } else {
        String::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_csv_dde_formula() {
        let csv = b"Name,Value\n=cmd|'/c calc'!A0,test\n";
        let fields = process_csv(csv);
        assert_eq!(fields.len(), 1);
        assert_eq!(fields[0].source, "cmd");
    }

    #[test]
    fn test_csv_dde_plus() {
        let csv = b"+cmd|'/c whoami'!A0\n";
        let fields = process_csv(csv);
        assert_eq!(fields.len(), 1);
        assert_eq!(fields[0].source, "cmd");
    }

    #[test]
    fn test_csv_dde_minus() {
        let csv = b"-cmd|'/c dir'!A0\n";
        let fields = process_csv(csv);
        assert_eq!(fields.len(), 1);
    }

    #[test]
    fn test_csv_dde_at() {
        let csv = b"@SUM(cmd|'/c calc'!A0)\n";
        let fields = process_csv(csv);
        assert_eq!(fields.len(), 1);
    }

    #[test]
    fn test_csv_no_dde() {
        let csv = b"Name,Value\nAlice,100\nBob,200\n";
        let fields = process_csv(csv);
        assert!(fields.is_empty());
    }

    #[test]
    fn test_csv_normal_formula() {
        let csv = b"=A1+B1\n=SUM(A1:A10)\n";
        let fields = process_csv(csv);
        assert!(fields.is_empty(), "Normal formulas without pipe should not match");
    }

    #[test]
    fn test_csv_empty() {
        let fields = process_csv(b"");
        assert!(fields.is_empty());
    }

    #[test]
    fn test_extract_dde_source() {
        assert_eq!(extract_dde_source("=cmd|'/c calc'!A0"), "cmd");
        assert_eq!(extract_dde_source("+MSEXCEL|'Sheet1'!A1"), "MSEXCEL");
        assert_eq!(extract_dde_source("=no_pipe"), "");
    }
}