Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request from GHSA-2rw4-2p99-cmx9
Escape characters during module csv export
  • Loading branch information
PierreRambaud committed Feb 22, 2021
2 parents 3d4817d + 0927534 commit 782b136
Show file tree
Hide file tree
Showing 2 changed files with 117 additions and 7 deletions.
48 changes: 41 additions & 7 deletions classes/module/ModuleGraph.php
Expand Up @@ -89,10 +89,12 @@ protected function setDateGraph($layers, $legend = false)
for ($i = $from_array['mday']; $i <= $imax; ++$i) {
$days[] = $i;
}

for ($i = 1; $i <= $to_array['mday']; ++$i) {
$days[] = $i;
}
}

foreach ($days as $i) {
if ($layers == 1) {
$this->_values[$i] = 0;
Expand All @@ -101,9 +103,11 @@ protected function setDateGraph($layers, $legend = false)
$this->_values[$j][$i] = 0;
}
}

$this->_legend[$i] = ($i % 2) ? '' : sprintf('%02d', $i);
}
}

if (is_callable([$this, 'setMonthValues'])) {
$this->setMonthValues($layers);
}
Expand Down Expand Up @@ -146,6 +150,7 @@ protected function setDateGraph($layers, $legend = false)
for ($i = $from_array['year']; $i <= $to_array['year']; ++$i) {
$years[] = $i;
}

foreach ($years as $i) {
if ($layers == 1) {
$this->_values[$i] = 0;
Expand All @@ -157,6 +162,7 @@ protected function setDateGraph($layers, $legend = false)
$this->_legend[$i] = sprintf('%04d', $i);
}
}

if (is_callable([$this, 'setAllTimeValues'])) {
$this->setAllTimeValues($layers);
}
Expand All @@ -174,6 +180,7 @@ protected function csvExport($datas)
if (isset($datas['option'])) {
$this->setOption($datas['option'], $layers);
}

$this->getData($layers);

// @todo use native CSV PHP functions ?
Expand All @@ -184,32 +191,35 @@ protected function csvExport($datas)
$this->_csv .= ';';
}
if (isset($this->_titles['main'][$i])) {
$this->_csv .= $this->_titles['main'][$i];
$this->_csv .= $this->escapeCell($this->_titles['main'][$i]);
}
}
} else { // If there is only one column title, there is in fast two column (the first without title)
$this->_csv .= ';' . $this->_titles['main'];
$this->_csv .= ';' . $this->escapeCell($this->_titles['main']);
}

$this->_csv .= "\n";
if (count($this->_legend)) {
$total = 0;

if ($datas['type'] == 'pie') {
foreach ($this->_legend as $key => $legend) {
for ($i = 0, $total_main = (is_array($this->_titles['main']) ? count($this->_values) : 1); $i < $total_main; ++$i) {
$total += (is_array($this->_values[$i]) ? $this->_values[$i][$key] : $this->_values[$key]);
}
}
}

foreach ($this->_legend as $key => $legend) {
$this->_csv .= $legend . ';';
$this->_csv .= $this->escapeCell($legend) . ';';
for ($i = 0, $total_main = (is_array($this->_titles['main']) ? count($this->_values) : 1); $i < $total_main; ++$i) {
if (!isset($this->_values[$i]) || !is_array($this->_values[$i])) {
if (isset($this->_values[$key])) {
// We don't want strings to be divided. Example: product name
if (is_numeric($this->_values[$key])) {
$this->_csv .= $this->_values[$key] / (($datas['type'] == 'pie') ? $total : 1);
} else {
$this->_csv .= $this->_values[$key];
$this->_csv .= $this->escapeCell($this->_values[$key]);
}
} else {
$this->_csv .= '0';
Expand All @@ -219,14 +229,15 @@ protected function csvExport($datas)
if (is_numeric($this->_values[$i][$key])) {
$this->_csv .= $this->_values[$i][$key] / (($datas['type'] == 'pie') ? $total : 1);
} else {
$this->_csv .= $this->_values[$i][$key];
$this->_csv .= $this->escapeCell($this->_values[$i][$key]);
}
}
$this->_csv .= ';';
}
$this->_csv .= "\n";
}
}

$this->_displayCsv();
}

Expand Down Expand Up @@ -342,12 +353,12 @@ protected static function getEmployee($employee = null, Context $context = null)

public function getDate()
{
return ModuleGraph::getDateBetween($this->_employee);
return static::getDateBetween($this->_employee);
}

public static function getDateBetween($employee = null)
{
if ($employee = ModuleGraph::getEmployee($employee)) {
if ($employee = static::getEmployee($employee)) {
return ' \'' . pSQL($employee->stats_date_from) . ' 00:00:00\' AND \'' . pSQL($employee->stats_date_to) . ' 23:59:59\' ';
}

Expand All @@ -358,4 +369,27 @@ public function getLang()
{
return $this->_id_lang;
}

/**
* Escape cell content.
* If the content begins with =+-@ a quote is added at the beginning of
* the string.
* In all situation, add double quote to encapsulate the content.
*
* @param string $content
*
* @return string
*/
public function escapeCell(string $content): string
{
$escaped = '"';
if (preg_match('~^[=+\-@]~', $content)) {
$content = '\'' . $content;
}

$escaped .= str_replace('"', '""', $content);
$escaped .= '"';

return $escaped;
}
}
76 changes: 76 additions & 0 deletions tests/Unit/Classes/ModuleGraphTest.php
@@ -0,0 +1,76 @@
<?php
/**
* Copyright since 2007 PrestaShop SA and Contributors
* PrestaShop is an International Registered Trademark & Property of PrestaShop SA
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.md.
* It is also available through the world-wide-web at this URL:
* https://opensource.org/licenses/OSL-3.0
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@prestashop.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to https://devdocs.prestashop.com/ for more information.
*
* @author PrestaShop SA and Contributors <contact@prestashop.com>
* @copyright Since 2007 PrestaShop SA and Contributors
* @license https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
*/

namespace Tests\Unit\Classes;

use Error;
use ModuleGraph;
use PHPUnit\Framework\TestCase;

class ModuleGraphTest extends TestCase
{
public static $data;

protected function setUp()
{
$this->object = new class() extends ModuleGraph {
public function getData($layers)
{
return ModuleGraphTest::$data;
}
};
}

public function testDrawWithoutInitialization()
{
$this->expectException(Error::class);
$this->object->draw();
}

/**
* @dataProvider getEscapeCellValues
*/
public function testEscapeCell($base, $expected)
{
$this->assertEquals(
$this->object->escapeCell($base),
$expected
);
}

public function getEscapeCellValues()
{
return [
['=CMD', '"\'=CMD"'],
['@here', '"\'@here"'],
['+something', '"\'+something"'],
['-thing', '"\'-thing"'],
['hello world', '"hello world"'],
['=@+-', '"\'=@+-"'],
['Hey "you"!', '"Hey ""you""!"'],
];
}
}

0 comments on commit 782b136

Please sign in to comment.