Skip to content

SQSERVICES-1232 Prevent CSV Injection #2096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Feb 8, 2022
Merged

SQSERVICES-1232 Prevent CSV Injection #2096

merged 5 commits into from
Feb 8, 2022

Conversation

battermann
Copy link
Contributor

@battermann battermann commented Feb 2, 2022
edited
Loading

https://wearezeta.atlassian.net/browse/SQSERVICES-1232

Checklist

  • The PR Title explains the impact of the change.
  • The PR description provides context as to why the change should occur and what the code contributes to that effect. This could also be a link to a JIRA ticket or a Github issue, if there is one.
  • changelog.d contains the following bits of information (details):
  • A file with the changelog entry in one or more suitable sub-sections. The sub-sections are marked by directories inside changelog.d.

@battermann battermann requested review from smatting, akshaymankar, pcapriotti, jschaul, fisx and mdimjasevic and removed request for smatting February 3, 2022 09:57
@battermann battermann marked this pull request as ready for review February 3, 2022 09:58
@battermann battermann changed the title quote disallowed chars SQSERVICES-1232 Prevent CSV Injection Feb 3, 2022
@battermann battermann force-pushed the SQSERVICES-1232-csv-injection-defense branch from 98737ea to 7efa102 Compare February 3, 2022 11:22
@battermann battermann merged commit 283b327 into develop Feb 8, 2022
@battermann battermann deleted the SQSERVICES-1232-csv-injection-defense branch February 8, 2022 07:35
fisx
fisx reviewed Feb 8, 2022
View reviewed changes
libs/wire-api/src/Wire/API/Team/Export.hs

unquoted :: ByteString -> ByteString
unquoted bstr = case C.uncons bstr of
Just ('\'', t) -> t
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if there is more than one \' in there?

fisx
fisx reviewed Feb 8, 2022
View reviewed changes
libs/wire-api/test/unit/Test/Wire/API/Team/Export.hs
_ -> False

testQuotedProp :: TestTree
testQuotedProp = testProperty "quoted" prop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"quoted arbitrary", for symmetry.

libs/wire-api/test/unit/Test/Wire/API/Team/Export.hs
tests :: TestTree
tests =
testGroup
"Export"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's really just about quoted, unquoted, so you could be more specific here.

@fisx fisx mentioned this pull request Feb 18, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fisx fisx fisx left review comments

@smatting smatting smatting approved these changes

@akshaymankar akshaymankar Awaiting requested review from akshaymankar

@pcapriotti pcapriotti Awaiting requested review from pcapriotti

@jschaul jschaul Awaiting requested review from jschaul

@mdimjasevic mdimjasevic Awaiting requested review from mdimjasevic

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@battermann @smatting @fisx