
Wishlist: ability to throw exception if formula seen in CSV #11

Closed
neilb opened this issue Oct 16, 2017 · 8 comments

Comments


neilb commented Oct 16, 2017

You may have seen this blog post, about potential security problems with CSV files that have formulae in cells:

http://georgemauer.net/2017/10/07/csv-injection.html

In a perfect world, all of my existing code that uses Text::CSV_XS would start throwing exceptions if it got CSVs with formulae in them. If users have to turn on some "don't allow formulae in cells" feature, then it's not going to help most people, because most people won't know about (a) the potential problem, or (b) the module's support for protecting you.

I'm guessing that for backwards compatibility reasons you might not want to add this as a feature that's enabled by default, but I think you should at least consider it.

That said, following on from email, I might want to write:

use Text::CSV_XS qw/ csv /;
csv(in => $fh, headers => 'auto', formula => 'croak');

The formula parameter could be croak, allow, diag, empty (blank out all such cells), or undef (return cell as undef).

Personally I'd make the default be croak, but I realise you don't want code to suddenly start breaking, so maybe diag could be the default?

Tux (Owner) commented Oct 16, 2017

Pull and see if that fits your needs. Comments welcome. (Does not yet have tests)

Tux (Owner) commented Oct 16, 2017

$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6")'
[
    [   '1',
        '2',
        '=3+5',
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => 0)'
[
    [   '1',
        '2',
        '=3+5',
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => 1)'
Formulas are forbidden
Exit 2
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => 2)'
Formulas are forbidden
Exit 2
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => 3)'
Field 0 contains formula '=3+5'
[
    [   '1',
        '2',
        '=3+5',
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => 4)'
[
    [   '1',
        '2',
        '',
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => 5)'
[
    [   '1',
        '2',
        undef,
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => "empty")'
[
    [   '1',
        '2',
        '',
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>\"1,2,=3+5,6", formula => "undef")'
[
    [   '1',
        '2',
        undef,
        '6'
        ]
    ]
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1)'
1,2,=3+4,5
1
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => 0)'
1,2,=3+4,5
1
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => 1)'
Formulas are forbidden
Exit 255
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => 2)'
Formulas are forbidden
Exit 255
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => 3)'
Field 2 contains formula '=3+4'
1,2,=3+4,5
1
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => 4)'
1,2,"",5
1
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => 5)'
1,2,,5
1
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => "empty")'
1,2,"",5
1
$ perl -Mlib -Mblib -MCSV -wE'dcsv(in=>[[1,2,"=3+4",5]], quote_empty => 1, formula => "undef")'
1,2,,5
1

neilb (Author) commented Oct 16, 2017

With this CSV:

Name,Value
Fred,1
Bill,"=3+5"

I get this diagnostic:

Field 0 in record 2 contains formula '=3+5'

Which seems wrong.
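To make the proposal concrete, here is an added, stand-alone Perl sketch of the "formula" policy neilb asked for (croak, diag, empty, undef, allow), run over the three-record CSV from the comment above. It is not code from Text::CSV_XS and does not use the module; the function names (`split_csv_line`, `apply_formula_policy`, `join_csv_line`, `process_csv`) and the `$FORMULA_RE` pattern are this example's own, and the diagnostic reports 1-based field and record positions as a design choice of the example, not as a statement of what the module prints.

```perl
#!/usr/bin/perl
# Added illustration for this issue thread; it is NOT code from Text::CSV_XS.
# It sketches the "formula" policy proposed here (croak / diag / empty /
# undef / allow) over a constructed three-record CSV and reports 1-based
# field and record positions in its diagnostic.
use strict;
use warnings;
use Carp qw(croak carp);

# Constructed sample input: the three records neilb posted in this thread.
my $csv_text = "Name,Value\nFred,1\nBill,\"=3+5\"\n";

# What counts as a formula. The patch discussed here looks at a leading '=';
# spreadsheets also evaluate cells starting with '+', '-' or '@', so a
# stricter deployment could widen this pattern (at the cost of also flagging
# plain negative numbers such as "-5").
my $FORMULA_RE = qr/\A=/;

# Minimal splitter for one CSV line: quoted fields and "" escapes only.
# It exists to keep the demo self-contained; real code should use a parser.
sub split_csv_line {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    my @fields;
    my $more = 1;
    while ($more) {
        if ($line =~ s/\A"((?:[^"]|"")*)"//) {
            (my $f = $1) =~ s/""/"/g;
            push @fields, $f;
        }
        else {
            $line =~ s/\A([^,]*)//;
            push @fields, $1;
        }
        $more = $line =~ s/\A,//;   # a comma means another field follows
    }
    return \@fields;
}

# Apply one policy to one parsed record. $recno is 1-based (header = 1).
sub apply_formula_policy {
    my ($fields, $policy, $recno) = @_;
    my @out = @$fields;
    for my $i (0 .. $#out) {
        next unless defined $out[$i] && $out[$i] =~ $FORMULA_RE;
        my $msg = sprintf "Field %d in record %d contains formula '%s'",
            $i + 1, $recno, $out[$i];
        if    ($policy eq 'croak') { croak $msg }
        elsif ($policy eq 'diag')  { carp $msg }
        elsif ($policy eq 'empty') { $out[$i] = '' }
        elsif ($policy eq 'undef') { $out[$i] = undef }
        elsif ($policy ne 'allow') { croak "unknown formula policy '$policy'" }
    }
    return \@out;
}

# Write a record back out: quote empty strings (cf. quote_empty => 1 in the
# thread), emit undef as a bare empty field, quote anything with specials.
sub join_csv_line {
    my ($fields) = @_;
    my @quoted = map {
        my $f = $_;
        if    (!defined $f)                  { $f = '' }
        elsif ($f eq '' || $f =~ /[",\r\n]/) { $f =~ s/"/""/g; $f = qq{"$f"} }
        $f;
    } @$fields;
    return join(',', @quoted) . "\n";
}

# Parse every line, apply the policy, return the processed records.
sub process_csv {
    my ($text, $policy) = @_;
    my ($recno, @rows) = (0);
    for my $line (split /\n/, $text) {
        push @rows, apply_formula_policy(split_csv_line($line), $policy, ++$recno);
    }
    return \@rows;
}

# Show each policy on the same input; 'croak' refuses the whole file.
for my $policy (qw(allow diag empty undef croak)) {
    print "--- formula => '$policy'\n";
    my $rows = eval { process_csv($csv_text, $policy) };
    if (!$rows) { print "refused: $@"; next }
    print join_csv_line($_) for @$rows;
}
```

With 'diag' the warning names field 2 of record 3 (the header counted as record 1), which is the position a reader would expect for the "=3+5" cell; 'empty' writes the row as `Bill,""` and 'undef' as `Bill,`, matching the two output shapes in the transcript earlier in this thread.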

Tux (Owner) commented Oct 16, 2017

I'll have a look soonish. You do agree to my approach (if it works)?

neilb (Author) commented Oct 16, 2017

Yes -- looks good!

Tux (Owner) commented Oct 18, 2017

Right, I've done a bit more, and plan to release this ASAP. Last-minute feedback is of course welcome. I'll also ask PM for feedback.

neilb (Author) commented Oct 18, 2017

👍

Tux (Owner) commented Oct 22, 2017

1.34 will throw an exception instead of a warning.
perl6 Text::CSV is now in sync. Closing.

Tux closed this as completed Oct 22, 2017