IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Security: Prevent csv formula injection attack (#17363)

Browse Source 
* mitigate https://www.owasp.org/index.php/CSV_Injection

- prepend csv cell values that begin with -, +, = or @ with '
- trim trailing whitespace from all csv values

* test for csv formula injection mitigation
This commit is contained in:
Dan Cech
2019-05-30 01:07:19 -04:00
committed by Torkel Ödegaard
parent a3092dc57b
commit 5e7537878e
2 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
public/app/core/specs/file_export.test.ts
View File

@@ -92,6 +92,7 @@ describe('file_export', () => {
[0x123, 'some string with \n in the middle', 10.01, false],
[0b1011, 'some string with ; in the middle', -12.34, true],
[123, 'some string with ;; in the middle', -12.34, true],
[1234, '=a bogus formula ', '-and another', '+another', '@ref'],
],
};
@@ -108,7 +109,8 @@ describe('file_export', () => {
'501;"some string with "" at the end""";0.01;false\r\n' +
'291;"some string with \n in the middle";10.01;false\r\n' +
'11;"some string with ; in the middle";-12.34;true\r\n' +
'123;"some string with ;; in the middle";-12.34;true';
'123;"some string with ;; in the middle";-12.34;true\r\n' +
'1234;"\'=a bogus formula";"\'-and another";"\'+another";"\'@ref"';
expect(returnedText).toBe(expectedText);
});