Eliminate risk of CSV Injection by sanitizing output CSV on 'Export' #3650

Open
xhocquet opened this issue Oct 6, 2023 · 0 comments

xhocquet commented Oct 6, 2023

Is your feature request related to a problem? Please describe.
Rails admin can allow CSV Injection (https://owasp.org/www-community/attacks/CSV_Injection) by putting malicious commands from inputs or data models in the Rails application into a CSV file. The end result is that a malicious and savvy user could exploit an admin user's downloaded CSV to trigger commands on the admin user's machine. Lots of potential for damage there!

One example that can be tried (this will open a calculator on a Windows machine):

=cmd|'/C calc.exe'!Z0

Describe proposed solution(s)
In our application, we implemented csv-safe, which has some simple sanitization rules. The same code could be added to rails_admin CSV generation to resolve this issue.

Additional context
N/A
