
Security: Prevent csv formula injection attack (#17363)

* mitigate https://www.owasp.org/index.php/CSV_Injection

- prepend csv cell values that begin with -, +, = or @ with '
- trim trailing whitespace from all csv values

* test for csv formula injection mitigation
Dan Cech 6 years ago
parent
commit
5e7537878e
2 changed files with 8 additions and 2 deletions
  1. 3 1
      public/app/core/specs/file_export.test.ts
  2. 5 1
      public/app/core/utils/file_export.ts

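--- a/public/app/core/specs/file_export.test.ts
+++ b/public/app/core/specs/file_export.test.ts
@@ -92,6 +92,7 @@ describe('file_export', () => {
           [0x123, 'some string with \n in the middle', 10.01, false],
           [0b1011, 'some string with ; in the middle', -12.34, true],
           [123, 'some string with ;; in the middle', -12.34, true],
+          [1234, '=a bogus formula  ', '-and another', '+another', '@ref'],
         ],
       };
 
@@ -108,7 +109,8 @@ describe('file_export', () => {
         '501;"some string with "" at the end""";0.01;false\r\n' +
         '291;"some string with \n in the middle";10.01;false\r\n' +
         '11;"some string with ; in the middle";-12.34;true\r\n' +
-        '123;"some string with ;; in the middle";-12.34;true';
+        '123;"some string with ;; in the middle";-12.34;true\r\n' +
+        '1234;"\'=a bogus formula";"\'-and another";"\'+another";"\'@ref"';
 
       expect(returnedText).toBe(expectedText);
     });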
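Review bot: The added row only exercises the trailing-whitespace trim together with the `=` prefix, so a regression that kept the quote prefix but dropped the trim (or the reverse) on the other three characters would still pass. A value without a prefix but with trailing spaces, e.g. `'plain  '`, and a cell holding a single prefix character such as `'-'`, would pin the two behaviours independently; the expected text for the first would presumably be `"plain"`, given that string cells are quoted elsewhere in this fixture. The describe block and the expectedText assignment both begin outside the hunks.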

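--- a/public/app/core/utils/file_export.ts
+++ b/public/app/core/utils/file_export.ts
@@ -17,7 +17,11 @@ function csvEscaped(text) {
     return text;
   }
 
-  return text.split(QUOTE).join(QUOTE + QUOTE);
+  return text
+    .split(QUOTE)
+    .join(QUOTE + QUOTE)
+    .replace(/^([-+=@])/, "'$1")
+    .replace(/\s+$/, '');
 }
 
 const domParser = new DOMParser();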
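Review bot: The character class in the new `.replace(/^([-+=@])/, "'$1")` line covers only the four characters named in the commit message; the OWASP page the commit cites also lists a leading tab and carriage return as formula triggers in some spreadsheet importers (worth confirming against the current page), so `.replace(/^([-+=@\t\r])/, "'$1")` would close that gap at no cost. The `.replace(/\s+$/, '')` on the next line alters every exported value rather than only the prefixed ones, so a cell consisting solely of whitespace is now emitted empty; if that is intended it deserves a comment such as `// Quote-prefix formula trigger characters and trim trailing whitespace (OWASP CSV injection mitigation)` above the return. Note also that the early `return text` at the top of the hunk bypasses the new mitigation entirely for whatever its guard condition admits; that condition, and the rest of csvEscaped's head, are outside the hunk.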