Admin Messages CSV: defuse spreadsheet formula injection
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 8s
CI / integration (pull_request) Successful in 13s
CI / ui (pull_request) Successful in 33s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m15s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 8s
CI / integration (pull_request) Successful in 13s
CI / ui (pull_request) Successful in 33s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m15s
The sender name and message body are user-controlled; a leading =, +, -, @, tab or CR in the CSV export would execute as a formula when a moderator opens it in a spreadsheet. csvSafe() prefixes such values with a single quote. Unit-tested.
This commit is contained in:
Ilia Denisov
@@ -0,0 +1,25 @@
|
||||
package server
|
||||
|
||||
import "testing"
|
||||
|
||||
// TestCSVSafe checks the CSV/spreadsheet formula-injection guard used by the admin Messages
|
||||
// export: a leading formula trigger is quoted, everything else is left intact.
|
||||
func TestCSVSafe(t *testing.T) {
|
||||
tests := []struct{ in, want string }{
|
||||
{"", ""},
|
||||
{"hello", "hello"},
|
||||
{"=1+1", "'=1+1"},
|
||||
{"+cmd", "'+cmd"},
|
||||
{"-2", "'-2"},
|
||||
{"@SUM(A1)", "'@SUM(A1)"},
|
||||
{"\tx", "'\tx"},
|
||||
{"\rx", "'\rx"},
|
||||
{"good luck", "good luck"},
|
||||
{"a=b", "a=b"}, // a formula char that is not leading must be left untouched
|
||||
}
|
||||
for _, tc := range tests {
|
||||
if got := csvSafe(tc.in); got != tc.want {
|
||||
t.Errorf("csvSafe(%q) = %q, want %q", tc.in, got, tc.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user