Merge branch 'csv-export-sanitize' into 'security-9-3-ee'

Sanitize CSV exports to prevent Excel command execution See merge request !517

Merge branch 'csv-export-sanitize' into 'security-9-3-ee'
Sanitize CSV exports to prevent Excel command execution See merge request !517
f490982a · Sean McGivern · Mike Greiling · ff343fa0 · f490982a · f490982a
Commit f490982a authored Jul 17, 2017 by Sean McGivern Committed by Mike Greiling Jul 19, 2017
Showing with 31 additions and 2 deletions

changelogs/unreleased-ee/escape-csv-symbols.yml changelogs/unreleased-ee/escape-csv-symbols.yml +4 -0

lib/csv_builder.rb lib/csv_builder.rb +9 -2

spec/lib/csv_builder_spec.rb spec/lib/csv_builder_spec.rb +18 -0

No files found.
--- a/changelogs/unreleased-ee/escape-csv-symbols.yml
+++ b/changelogs/unreleased-ee/escape-csv-symbols.yml
+---
+title: Escape symbols in exported CSV columns to prevent command execution in Microsoft Excel
+merge_request:
+author:
--- a/lib/csv_builder.rb
+++ b/lib/csv_builder.rb
@@ -79,9 +79,9 @@ class CsvBuilder
  def row(object)
    attributes.map do |attribute|
      if attribute.respond_to?(:call)
-        attribute.call(object)
+        excel_sanitize(attribute.call(object))
      else
-        object.public_send(attribute)
+        excel_sanitize(object.public_send(attribute))
      end
    end
  end
@@ -100,4 +100,11 @@ class CsvBuilder
      end
    end
  end
+  def excel_sanitize(line)
+    return if line.nil?
+    line.prepend("'") if line =~ /^[=\+\-@;]/
+    line
+  end
 end
--- a/spec/lib/csv_builder_spec.rb
+++ b/spec/lib/csv_builder_spec.rb
@@ -82,4 +82,22 @@ describe CsvBuilder, lib: true do
  it 'allows lamdas to look up more complicated data' do
    expect(csv_data).to include 'rewsna'
  end
+  describe 'excel sanitization' do
+    let(:dangerous_title) { double(title: "=cmd|' /C calc'!A0 title", description: "*safe_desc") }
+    let(:dangerous_desc) { double(title: "*safe_title", description: "=cmd|' /C calc'!A0 desc") }
+    let(:fake_relation) { FakeRelation.new([dangerous_title, dangerous_desc]) }
+    let(:subject) { CsvBuilder.new(fake_relation, 'Title' => 'title', 'Description' => 'description') }
+    let(:csv_data) { subject.render }
+    it 'sanitizes dangerous characters at the beginning of a column' do
+      expect(csv_data).to include "'=cmd|' /C calc'!A0 title"
+      expect(csv_data).to include "'=cmd|' /C calc'!A0 desc"
+    end
+    it 'does not sanitize safe symbols at the beginning of a column' do
+      expect(csv_data).not_to include "'*safe_desc"
+      expect(csv_data).not_to include "'*safe_title"
+    end
+  end
 end