Please sign in to comment.
security: CSV Formula Injection
This addresses a security issue discovered by Aishwarya Iyer where a User can change their Full Name to a windows formula and when an Agent exports a list of Users containing said User and opens the export file, the formula will be executed on their computer (if it's windows of course). This adds a new validator called `is_formula()` to all text fields disallowing the use of the following characters `= + - @` at the beginning of text. This should mitigate CSV Formula injections for any text field that allows user-input in the system. To further prevent CSV Formula injections this adds an escape mechanism to the Exporter that will escape any content matching the formula regex with a single quote (as mentioned in many posts about this subject).
- Loading branch information...
Showing with 38 additions and 3 deletions.