Security: Prevent csv formula injection attack (#17363)

* mitigate https://www.owasp.org/index.php/CSV_Injection - prepend csv cell values that begin with -, +, = or @ with ' - trim trailing whitespace from all csv values * test for csv formula injection mitigation
6 years ago · 5e7537878e
parent a3092dc57b
commit 5e7537878e
2 changed files with 8 additions and 2 deletions
--- a/public/app/core/specs/file_export.test.ts
+++ b/public/app/core/specs/file_export.test.ts
@ -92,6 +92,7 @@ describe('file_export', () => {
          [0x123, 'some string with \n in the middle', 10.01, false],
          [0b1011, 'some string with ; in the middle', -12.34, true],
          [123, 'some string with ;; in the middle', -12.34, true],
+          [1234, '=a bogus formula  ', '-and another', '+another', '@ref'],
        ],
      };

@ -108,7 +109,8 @@ describe('file_export', () => {
        '501;"some string with "" at the end""";0.01;false\r\n' +
        '291;"some string with \n in the middle";10.01;false\r\n' +
        '11;"some string with ; in the middle";-12.34;true\r\n' +
-        '123;"some string with ;; in the middle";-12.34;true';
+        '123;"some string with ;; in the middle";-12.34;true\r\n' +
+        '1234;"\'=a bogus formula";"\'-and another";"\'+another";"\'@ref"';

      expect(returnedText).toBe(expectedText);
    });
--- a/public/app/core/utils/file_export.ts
+++ b/public/app/core/utils/file_export.ts
@ -17,7 +17,11 @@ function csvEscaped(text) {
    return text;
  }

-  return text.split(QUOTE).join(QUOTE + QUOTE);
+  return text
+    .split(QUOTE)
+    .join(QUOTE + QUOTE)
+    .replace(/^([-+=@])/, "'$1")
+    .replace(/\s+$/, '');
 }

 const domParser = new DOMParser();