ClearML/clearml-server
1
0
Fork 0
mirror of https://github.com/clearml/clearml-server synced 2025-06-25 14:15:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix CSV export vulnerability by escaping cell text if it matches a macro or formula prefix

Browse Source
This commit is contained in:
clearml 2025-06-04 11:44:24 +03:00
parent a7e340212f
commit c0183e4302
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
apiserver/services/organization.py
View File

@ -225,6 +225,18 @@ def prepare_download_for_get_all(
call.result.data = dict(prepare_id=call.id) call.result.data = dict(prepare_id=call.id)
_dangerous_chars = ("=", "+", "-", "@", "\t", "\r")
def _sanitize_csv(value: str) -> str:
"""
Prevent csv injection:
If the string starts with any of the chars that Excel
interpret as a special char then prepend it with a single quote
"""
if value and value.startswith(_dangerous_chars):
return f"'{value}"
return value
@endpoint("organization.download_for_get_all") @endpoint("organization.download_for_get_all")
def download_for_get_all(call: APICall, company, request: DownloadForGetAllRequest): def download_for_get_all(call: APICall, company, request: DownloadForGetAllRequest):
request_data = redis.get(f"get_all_download_{request.prepare_id}") request_data = redis.get(f"get_all_download_{request.prepare_id}")
@ -275,7 +287,7 @@ def download_for_get_all(call: APICall, company, request: DownloadForGetAllReque
if values and isinstance(val, Hashable): if values and isinstance(val, Hashable):
val = values.get(val, val) val = values.get(val, val)
return str(val) return _sanitize_csv(str(val))
def get_projected_fields(data: dict) -> Sequence[str]: def get_projected_fields(data: dict) -> Sequence[str]:
return [ return [