yahoo-eng-team team mailing list archive
Message #93922
[Bug 2048106] Re: CSV Injection while download csv summary
Reviewed: https://review.opendev.org/c/openstack/horizon/+/914156
Committed: https://opendev.org/openstack/horizon/commit/c6bba842af621c5a634bfc4798bb13ae8c43ed00
Submitter: "Zuul (22348)"
Branch: master
commit c6bba842af621c5a634bfc4798bb13ae8c43ed00
Author: Tatiana Ovchinnikova <t.v.ovtchinnikova@xxxxxxxxx>
Date: Thu Mar 21 15:43:39 2024 -0500
Sanitize data for CSV generation
CSV generation is not fully sanitized to prevent CSV injection.
According to https://owasp.org/www-community/attacks/CSV_Injection,
we have to use the following sanitization:
- Wrap each cell field in double quotes
- Prepend each cell field with a single quote
- Escape every double quote using an additional double quote
The patch https://review.opendev.org/c/openstack/horizon/+/679161
takes care of the double quotes. This patch adds a single quote to
the cell fields beginning with specific characters, so their content
will be read by a spreadsheet editor as text, not a formula.
Closes-Bug: #2048106
Change-Id: I882fe376613ff1dc13a61f38b59d2a2567dbba7d
** Changed in: horizon
Status: In Progress => Fix Released
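The sanitization described in the commit message, as an added example that is not Horizon's own code: cells starting with a formula-trigger character get a leading single quote, every field is wrapped in double quotes, and embedded double quotes are doubled. The commit says "specific characters" without listing them; the trigger list below is an assumption taken from the OWASP CSV Injection page it cites.

```python
import csv
import io

# Characters that make a spreadsheet application evaluate a cell as a
# formula. Assumption: taken from the OWASP CSV Injection page, since the
# commit message does not list the characters Horizon checks for.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value) -> str:
    """Return the text to place inside one CSV cell.

    The surrounding double quotes and the doubling of embedded double
    quotes are left to the CSV writer in render_csv()."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading single quote makes spreadsheet editors read the cell
        # as text rather than evaluate it as a formula.
        text = "'" + text
    return text


def render_csv(header, rows) -> str:
    """Render header and rows to CSV text with every field double-quoted
    (csv.QUOTE_ALL) and embedded double quotes escaped by doubling them
    (the csv module's default doublequote=True)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows: the instance name from the bug report, a name
# containing double quotes, and a value that merely looks like a formula.
SAMPLE_ROWS = [
    ("=1+cmd|'/C calc'!A0", "active"),
    ('vm "prod" 01', "shutoff"),
    ("-5", "error"),
]

if __name__ == "__main__":
    print(render_csv(("Instance Name", "Status"), SAMPLE_ROWS), end="")
```

Note that numeric-looking values such as "-5" are also turned into text by the prefix; a column that must stay numeric has to be exempted explicitly.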
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2048106
Title:
CSV Injection while download csv summary
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Members of the VMT received the following report by E-mail:
1. admin adds a user.
2. the user logs in and creates a compute instance
3. the user changes the instance name to "=1+cmd|'/C calc'!A0"
4. admin goes to download the csv summary
5. admin opens the csv and we can see that the calculator is opened.
See https://owasp.org/www-community/attacks/CSV_Injection to fix it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/2048106/+subscriptions