[SECUR-105] fix: csv injection vulnerability sanitization #8611

2026-02-13 15:37:13 +05:30 · 2026-02-13 15:37:13 +05:30 · cd613e5f8f
commit cd613e5f8f
parent a8d81656fc
5 changed files with 46 additions and 11 deletions
--- a/apps/api/plane/utils/csv_utils.py
+++ b/apps/api/plane/utils/csv_utils.py
@ -0,0 +1,23 @@
+# CSV utility functions for safe export
+
+# Characters that trigger formula evaluation in spreadsheet applications
+_CSV_FORMULA_TRIGGERS = frozenset(("=", "+", "-", "@", "\t", "\r", "\n"))
+
+
+def sanitize_csv_value(value):
+    """Sanitize a value for CSV export to prevent formula injection.
+
+    Prefixes string values starting with formula-triggering characters
+    with a single quote so spreadsheet applications treat them as text
+    instead of evaluating them as formulas.
+
+    See: https://owasp.org/www-community/attacks/CSV_Injection
+    """
+    if isinstance(value, str) and value and value[0] in _CSV_FORMULA_TRIGGERS:
+        return "'" + value
+    return value
+
+
+def sanitize_csv_row(row):
+    """Sanitize all values in a CSV row."""
+    return [sanitize_csv_value(v) for v in row]
--- a/apps/api/plane/utils/exporters/formatters.py
+++ b/apps/api/plane/utils/exporters/formatters.py
@ -9,6 +9,9 @@ from typing import Any, Dict, List, Type

 from openpyxl import Workbook

+# Module imports
+from plane.utils.csv_utils import sanitize_csv_row
+

 class BaseFormatter:
    """Base class for export formatters."""
@ -84,7 +87,7 @@ class CSVFormatter(BaseFormatter):
        buf = io.StringIO()
        writer = csv.writer(buf, delimiter=",", quoting=csv.QUOTE_ALL)
        for row in data:
-            writer.writerow(row)
+            writer.writerow(sanitize_csv_row(row))
        buf.seek(0)
        return buf.getvalue()

--- a/apps/api/plane/utils/porters/formatters.py
+++ b/apps/api/plane/utils/porters/formatters.py
@ -18,6 +18,10 @@ from typing import Any, Dict, List, Union
 from openpyxl import Workbook, load_workbook


+# Module imports
+from plane.utils.csv_utils import sanitize_csv_row, sanitize_csv_value
+
+
 class BaseFormatter(ABC):
    @abstractmethod
    def encode(self, data: List[Dict]) -> Union[str, bytes]:
@ -128,11 +132,12 @@ class CSVFormatter(BaseFormatter):

            # Write data rows in the same field order
            for row in data:
-                writer.writerow([row.get(key, "") for key in fieldnames])
+                writer.writerow(sanitize_csv_row([row.get(key, "") for key in fieldnames]))
        else:
            writer = csv.DictWriter(output, fieldnames=fieldnames, delimiter=self.delimiter)
            writer.writeheader()
-            writer.writerows(data)
+            for row in data:
+                writer.writerow({k: sanitize_csv_value(row.get(k, "")) for k in fieldnames})

        return output.getvalue()