zvory / csv-safe

Decorate the ruby CSV library to sanitize output CSV against CSV injection attacks.

License: MIT License

Ruby 98.94% Shell 1.06%
ruby ruby-gem csv csv-files csv-import csv-export security injection-attacks

csv-safe's Introduction

csv-safe

Also hosted on RubyGems.org.

This gem decorates the built-in CSV library to prevent CSV injection attacks. Wherever you would use CSV in your code, use CSVSafe. The gem will encode your fields in UTF-8.

What this gem does specifically:

  • Override CSV#<< to sanitize incoming rows.
  • Override CSV#initialize to add a converter that will sanitize fields being read.

A description of CSV injection attacks on OWASP

Made while working at Influitive. We kept writing similar code to sanitize CSV output, and I couldn't find a gem to do this for us, so I wrote this.

Installation

Add this line to your application's Gemfile:

gem 'csv-safe'

And then execute:

$ bundle

Or install it yourself as:

$ gem install csv-safe

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in csv-safe.gemspec, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

License

The gem is available as open source under the terms of the MIT License.

csv-safe's People

Contributors

aasmolsky, danishtariqq, dventulieri, elebow, formigarafa, gabrielrios, mcmillan, u110, ydakuka, zvory

csv-safe's Issues

Older versions of the CSV-Safe gem don't filter out special characters which could trigger CSV Injection. (< 3.0.0) [CVE-2022-28481]

Older versions of the CSV-Safe gem don't filter out special characters which could trigger CSV Injection. (< 3.0.0)

Vulnerability Type
CSV Injection

Product
csv-safe

Affected Product Code Base
CSV-safe - <3.0.0 are affected

Affected Component
Sanitization of CSV Injection vectors.

Attack Type
Remote

Attack Vector
%0A-3+3+cmd|' /C calc'!D2 could be used to bypass CSV injection sanitizations in older versions.

Credits
Danish Tariq
Ali Hassan Ghori
Hassan Khan Yusufzai

Fixed by
Gabriel Rios - #8

References
https://github.com/zvory/csv-safe
#8
https://hackerone.com/reports/223999
WeblateOrg/weblate@d9e136f
https://bugzilla.mozilla.org/show_bug.cgi?id=1259881
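
The two hooks the README lists (sanitising rows in CSV#<< and adding a read converter in CSV#initialize), together with the bypass class this issue reports (a trigger character hidden behind a leading newline), as an added example. This is not the csv-safe gem's own code; the class name SafeCSV, the helper names sanitize_field, demo_write and demo_read, and the sample rows are all constructed here. It assumes the usual OWASP mitigation of prefixing a risky field with a single quote; the README does not state which transformation csv-safe itself applies.

```ruby
require 'csv'

# Added example (not the csv-safe gem's own code): a minimal decorator over
# Ruby's CSV that applies the two hooks the README lists, sanitising rows on
# write (#<<) and fields on read (a converter added in #initialize).
class SafeCSV < CSV
  # Leading characters that make spreadsheet software evaluate a cell.
  FORMULA_LEAD = /\A[=+\-@]/
  # Leading control characters (tab, CR, LF) that OWASP also lists as triggers.
  CONTROL_LEAD = /\A[\t\r\n]/
  # Whitespace/control characters a naive "first character" check stops at;
  # the CVE-2022-28481 payload on this page puts %0A (a newline) before "-".
  LEADING_JUNK = /\A[[:space:][:cntrl:]]+/

  def initialize(data, **options)
    super
    # Sanitise every field the parser produces as it is read.
    convert { |field| self.class.sanitize_field(field) }
  end

  # Sanitise a row before handing it to CSV's writer. Hash rows are mapped to
  # columns by the CSV library itself, so only the values are touched here.
  def <<(row)
    super(sanitize_row(row))
  end
  alias_method :add_row, :<<
  alias_method :puts, :<<

  def sanitize_row(row)
    case row
    when Array then row.map { |field| self.class.sanitize_field(field) }
    when Hash  then row.transform_values { |field| self.class.sanitize_field(field) }
    else row
    end
  end

  # Only String/Symbol fields can carry a formula; numbers, nil and dates pass
  # through untouched. Text is normalised to UTF-8 (as the README says the gem
  # does), then prefixed with a single quote when, after skipping leading
  # whitespace/control characters, it starts with a formula trigger.
  def self.sanitize_field(field)
    return field unless field.is_a?(String) || field.is_a?(Symbol)
    str = field.to_s
    unless str.encoding == Encoding::UTF_8
      str = str.encode(Encoding::UTF_8, invalid: :replace, undef: :replace)
    end
    trigger = str.match?(CONTROL_LEAD) || str.sub(LEADING_JUNK, '').match?(FORMULA_LEAD)
    trigger ? "'#{str}" : str
  end

  # Constructed demo rows: an Array row and a Hash row keyed by header name.
  def self.demo_write
    generate(headers: %w[name total], write_headers: true) do |csv|
      csv << ['Alice', '=1+1']
      csv << { 'name' => 'Bob', 'total' => "\n-3+3" }
    end
  end

  # Constructed demo input: the read converter neutralises the formula cell.
  def self.demo_read
    parse("a,b\n=1+1,ok\n")
  end
end

if $PROGRAM_NAME == __FILE__
  puts SafeCSV.demo_write
  p SafeCSV.demo_read
end
```

The check strips leading whitespace and control characters only for the decision, not from the stored value, so the written field keeps its original bytes plus the quote prefix. Negative numbers passed as Integer or Float are left alone because Numeric#to_s can never form a formula; a String such as "-5" is prefixed, which is the usual trade-off of this mitigation.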

Ruby 3.3.1 warning

Hello, heads-up.
https://github.com/zvory/csv-safe/blob/master/lib/csv-safe.rb#L3 requires csv gem.

And now, on ruby 3.3.1 this warning is being raised.

warning: /usr/local/lib/ruby/3.3.0/csv.rb was loaded from the standard library, but will no longer be part of the default gems since Ruby 3.4.0. Add csv to your Gemfile or gemspec. Also contact author of csv-safe-3.0.0 to add csv into its gemspec.

cheers. :)

Instance variable @headers is nil at csv-safe.rb:56:in `sanitize_row'

Hello!
It seems I found a bug, @headers variable is nil at csv-safe.rb:56:in `sanitize_row'. Looks like the fix is to read headers as a method.

headers = %i[a b c]
[
    [0] :a,
    [1] :b,
    [2] :c
]

payload = { b: :b, a: :a, c: :c }
{
    :b => :b,
    :a => :a,
    :c => :c
}

CSVSafe.generate(headers: true) { |csv| csv << headers; csv << payload }
NoMethodError: undefined method `map' for nil:NilClass
from /Users/.../.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/csv-safe-3.1.1/lib/csv-safe.rb:56:in `sanitize_row'

After I changed @headers to headers (then headers.map { |header| sanitize_field(row[header]) }) it works:

headers = %i[a b c]
[
    [0] :a,
    [1] :b,
    [2] :c
]

payload = { b: :b, a: :a, c: :c }
{
    :b => :b,
    :a => :a,
    :c => :c
}

CSVSafe.generate(headers: true) { |csv| csv << headers; csv << payload }
"a,b,c\na,b,c\n"

Encoding::CompatibilityError when csv in UTF-16 format

In PR Use String#start_with? to detect leading special character #12 the starts_with_special_character? implementation was changed to use start_with?, which throws an error in case the CSV is in UTF-16LE format:

Encoding::CompatibilityError:
       incompatible character encodings: UTF-16LE and UTF-8
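
The failure this issue describes, reproduced and avoided, as an added example that is not csv-safe's code. The function names naive_trigger?, trigger? and naive_result and the UTF-16LE sample field are constructed here. It shows that String#start_with? raises Encoding::CompatibilityError when a UTF-16LE field is compared against UTF-8 literals, and that converting the field to UTF-8 before the comparison (the encoding the README says the gem writes) makes the same check work for any input encoding.

```ruby
# Added example (not csv-safe's code): leading-character detection that is
# safe across encodings.
TRIGGER_PREFIXES = ['=', '+', '-', '@'].freeze

# The check as described in issue #12: UTF-8 literals compared against a
# UTF-16LE field raise Encoding::CompatibilityError.
def naive_trigger?(field)
  TRIGGER_PREFIXES.any? { |prefix| field.start_with?(prefix) }
end

# Normalise the field to UTF-8 first so both operands share an encoding.
# Invalid or unmappable bytes are replaced rather than raising.
def trigger?(field)
  str = field.to_s
  unless str.encoding == Encoding::UTF_8
    str = str.encode(Encoding::UTF_8, invalid: :replace, undef: :replace)
  end
  TRIGGER_PREFIXES.any? { |prefix| str.start_with?(prefix) }
end

# Runs the naive check and reports :raised instead of propagating the error,
# so the two behaviours can be compared side by side.
def naive_result(field)
  naive_trigger?(field)
rescue Encoding::CompatibilityError
  :raised
end

# Constructed sample: a formula-looking cell as it would arrive from a UTF-16LE file.
UTF16_FIELD = '=1+1'.encode(Encoding::UTF_16LE)

if $PROGRAM_NAME == __FILE__
  p naive_result(UTF16_FIELD)  # the issue's error, caught
  p trigger?(UTF16_FIELD)      # detected after normalisation
end
```

Normalising before the comparison also covers files read with an explicit encoding: option (for example encoding: 'UTF-16LE:UTF-8' on CSV.foreach) that would otherwise hand the sanitiser non-UTF-8 strings.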
