Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent CSV injection attacks #662

Merged
merged 14 commits into from
Mar 1, 2024
Merged

Prevent CSV injection attacks #662

merged 14 commits into from
Mar 1, 2024

Conversation

joeldrapper
Copy link
Collaborator

@joeldrapper joeldrapper commented Feb 19, 2024
edited
Loading

Closes #661 and also closes #659.

Todo

  • Test formulae attacks
  • Test trimming whitespace

joeldrapper
joeldrapper commented Feb 19, 2024
View reviewed changes
lib/phlex/csv.rb Outdated
@@ -82,9 +82,13 @@ def render(renderable)
end

def escape(value)
value = value.to_s
value = value.to_s.dup
value.strip!
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be optional. Perhaps you should be able to define def strip_values? = false or something like that.

@joeldrapper joeldrapper added this to the 1.10 milestone Feb 20, 2024
joeldrapper
joeldrapper commented Feb 20, 2024
View reviewed changes
lib/phlex/csv.rb
Comment on lines -64 to +71
def collection_yielder(record)
def yielder(record)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrelated to the main purpose of this PR, I think I prefer yielder for this method, since it's not really yielding the collection, it's really yielding a single item in the collection.

joeldrapper
joeldrapper commented Feb 20, 2024
View reviewed changes
lib/phlex/csv.rb Outdated
Comment on lines 21 to 23
unless prevent_csv_injection? == true || prevent_csv_injection? == false
raise "You must define `prevent_csv_injection?` on #{self.class.inspect}, returning `true` or `false`. See https://owasp.org/www-community/attacks/CSV_Injection"
end
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By settings prevent_csv_injection? to nil by default, we can force the developer to make an informed decision upfront by raising here. The developer must choose whether to enable or disable the protection, and they have an opportunity to learn about the risk on owasp.org.

joeldrapper
joeldrapper commented Feb 20, 2024
View reviewed changes
lib/phlex/csv.rb Outdated Show resolved Hide resolved
joeldrapper
joeldrapper commented Feb 20, 2024
View reviewed changes
lib/phlex/csv.rb Outdated Show resolved Hide resolved
willcosgrove
willcosgrove reviewed Feb 20, 2024
View reviewed changes
lib/phlex/csv.rb Outdated Show resolved Hide resolved
@joeldrapper joeldrapper force-pushed the prevent-csv-injection-attacks branch from 2a71eb8 to 8f22b1d Compare March 1, 2024 23:06
willcosgrove
willcosgrove approved these changes Mar 1, 2024
View reviewed changes
Copy link
Contributor

@willcosgrove willcosgrove left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for battling this out with me 😇

@joeldrapper joeldrapper marked this pull request as ready for review March 1, 2024 23:21
@joeldrapper joeldrapper merged commit e6b9d1e into main Mar 1, 2024
17 checks passed
@joeldrapper joeldrapper deleted the prevent-csv-injection-attacks branch March 1, 2024 23:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willcosgrove willcosgrove willcosgrove approved these changes

Assignees
No one assigned
Labels
security
Milestone
1.10
Development

Successfully merging this pull request may close these issues.

Prevent CSV injection attacks Handle leading and trailing \s characters in CSVs
2 participants
@joeldrapper @willcosgrove