
Commit 94e2923

authored
fix various findings (#1200) (#1201)
* fix issue found by @yelprofessor: avoid AngularJS binding on potentially user-controlled input
* csv export: prefix a tab when the first char is one that would trigger formula expansion
1 parent a00c724 commit 94e2923


2 files changed

+22
-3
lines changed


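--- a/src/main/java/alfio/util/ExportUtils.java
+++ b/src/main/java/alfio/util/ExportUtils.java
@@ -20,6 +20,7 @@
 import ch.digitalfondue.basicxlsx.StreamingWorkbook;
 import ch.digitalfondue.basicxlsx.Style;
 import com.opencsv.CSVWriter;
+import org.apache.commons.lang3.StringUtils;
 
 import javax.servlet.ServletOutputStream;
 import javax.servlet.http.HttpServletResponse;
@@ -74,6 +75,17 @@ public static void addSheetToWorkbook(String sheetName,
 }
 }
 
+// https://owasp.org/www-community/attacks/CSV_Injection
+private static String escapeFormulaChar(String s) {
+var trimmed = StringUtils.trimToEmpty(s);
+// tab and carriage return are removed by the trimming
+var res = trimmed;
+if (StringUtils.startsWithAny(trimmed, "=", "+", "-", "@")) {
+res = "\t" + trimmed; // http://georgemauer.net/2017/10/07/csv-injection.html starting with a tab seems to be enough?
+}
+return res;
+}
+
 public static void exportCsv(String fileName, String[] header, Stream<String[]> data, HttpServletResponse response) throws IOException {
 response.setContentType("text/csv;charset=UTF-8");
 response.setHeader("Content-Disposition", "attachment; filename=" + fileName);
@@ -83,7 +95,14 @@ public static void exportCsv(String fileName, String[] header, Stream<String[]>
 out.write(marker);
 }
 writer.writeNext(header);
-data.forEachOrdered(writer::writeNext);
+data.forEachOrdered(d -> {
+var copy = Arrays.copyOf(d, d.length);
+for (var i = 0; i < copy.length; i++) {
+var res = copy[i];
+copy[i] = escapeFormulaChar(res);
+}
+writer.writeNext(copy);
+});
 writer.flush();
 out.flush();
 }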
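Review bot: `writer.writeNext(header)` still goes out unescaped while the new lambda right below it runs every data cell through `escapeFormulaChar`; if any header label is organizer- or user-supplied (custom field names, say — their origin is not visible in this hunk), it remains a CSV-injection vector and should take the same path, e.g. `writer.writeNext(Arrays.stream(header).map(ExportUtils::escapeFormulaChar).toArray(String[]::new));`. The inline comment `starting with a tab seems to be enough?` records a guess rather than a contract; I would turn it into a Javadoc on `escapeFormulaChar` stating that the value is trimmed, that a leading `=`, `+`, `-` or `@` (the OWASP trigger list, with tab and CR covered by the trim) gets a tab prefix, that the prefix is expected to be discarded by spreadsheet importers, and that the OWASP-documented alternative is a `'` prefix combined with double-quote escaping. Note the side effect the change introduces: every exported cell is now trimmed, and legitimate values such as `-12.50` or a `+41…` phone number gain a leading tab and will import as text in any tool that does not strip it — a one-line comment at the call site (`// every cell is escaped, so numeric-looking values starting with -/+ are exported as text`) would save the next maintainer a bug hunt. The `res` temporary in the loop adds nothing; `copy[i] = escapeFormulaChar(copy[i]);` reads more directly.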

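--- a/src/main/resources/alfio/web-templates/admin-index.ms
+++ b/src/main/resources/alfio/web-templates/admin-index.ms
@@ -195,15 +195,15 @@
 <ul class="nav navbar-nav visible-sm visible-xs">
 <li class="nav-divider"></li>
 <li class="visible-xs visible-sm">
-<div class="pull-left"><a href="#" class="navbar-link" ng-click="ctrl.menuCollapsed = true" data-ui-sref="edit-current-user" title="click to update account details"><i class="fa fa-user"></i> {{username}}</a></div>
+<div class="pull-left"><a href="#" class="navbar-link" ng-click="ctrl.menuCollapsed = true" data-ui-sref="edit-current-user" title="click to update account details"><i class="fa fa-user"></i> <span ng-non-bindable>{{username}}</span></a></div>
 <div class="pull-right"><a href="" class="navbar-link" data-ng-click="ctrl.doLogout('{{idpLogoutRedirectionUrl}}')"><i class="fa fa-sign-out"></i> Log out</a></div>
 </li>
 </ul>
 </div>
 </div>
 <div class="navbar-right hidden-sm hidden-xs">
 <ul class="nav navbar-nav">
-<li role="presentation" class="navbar-text"><i class="fa fa-user"></i> Logged in as {{username}}</li>
+<li role="presentation" class="navbar-text"><i class="fa fa-user"></i> Logged in as <span ng-non-bindable>{{username}}</span></li>
 {{#isDBAuthentication}}
 <li role="presentation" data-ui-sref-active="active"> <a data-ui-sref="edit-current-user" title="click to update account details"><i class="fa fa-edit"></i> edit account</a></li>
 {{/isDBAuthentication}}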
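Review bot: The fix on lines 198 and 206 works only because `ng-non-bindable` sits on an element whose sole content is the server-rendered `{{username}}`, yet nothing in the template says why the span is there, so a later edit that moves `{{username}}` next to an Angular binding would silently reopen the client-side template injection. I would add a Mustache comment above each span, `{{! username is rendered server-side and may contain '{{'; ng-non-bindable stops AngularJS from evaluating it }}`. The `ctrl.doLogout('{{idpLogoutRedirectionUrl}}')` on line 199 is a third server value interpolated straight into an Angular expression, inside a quoted string literal, and is left untouched; if that URL is admin-configured rather than user-controlled the exposure is lower, but a value containing a quote would still break out of the literal, so it deserves the same review. Other server-side interpolations in this template lie outside the hunk and were not checked.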
