Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This addresses a security issue discovered by Aishwarya Iyer where a User can change their Full Name to a windows formula and when an Agent exports a list of Users containing said User and opens the export file, the formula will be executed on their computer (if it's windows of course). This adds a new validator called `is_formula()` to all text fields disallowing the use of the following characters `= + - @` at the beginning of text. This should mitigate CSV Formula injections for any text field that allows user-input in the system. To further prevent CSV Formula injections this adds an escape mechanism to the Exporter that will escape any content matching the formula regex with a single quote (as mentioned in many posts about this subject).
- Loading branch information
Showing
4 changed files
with
38 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters