author: Zsolt Kozaroczy <[email protected]> 2023-10-19 10:13:06 +0200
committer: GitHub <[email protected]> 2023-10-19 10:13:06 +0200
commit: 52912ca8ac772144e2fb7b868301a5846b9ee39d
tree: 28be04ab123214e63ee628d582d36a754a7af855
parent: abfe20072384f8457e7a47b6fe4cc8af101bce56
parent: d74e85d1ac03954ce1d687fb1245cbee38c4f718
download: caxlsx-52912ca8ac772144e2fb7b868301a5846b9ee39d.tar.gz, caxlsx-52912ca8ac772144e2fb7b868301a5846b9ee39d.zip
Merge pull request #307 from kiskoza/escape-formulas-by-default
Escape formulas by default
 CHANGELOG.md                        |  1
 README.md                           | 16
 examples/basic_formula_example.md   |  2
 examples/cached_formula_example.md  |  2
 examples/column_outlines_example.md |  2
 examples/complex_example.md         |  2
 examples/defined_name_example.md    |  2
 examples/row_outlines_example.md    |  2
 lib/axlsx.rb                        |  2
 test/tc_axlsx.rb                    |  2
 test/workbook/worksheet/tc_cell.rb  |  4
 11 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67ca1cfe..d09e3196 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ CHANGELOG
- Fix `Workbook#sheet_by_name` not returning sheets with encoded characters in the name
- Raise exception if `axlsx_styler` gem is present as its code was merged directly into `caxlsx` in v3.3.0
- Add 'SortState' and 'SortCondition' classes to the 'AutoFilter' class to add sorting to the generated file.
+ - [PR #189](https://github.com/caxlsx/caxlsx/pull/189) - Make `Axlsx::escape_formulas` true by default to mitigate [Formula Injection](https://www.owasp.org/index.php/CSV_Injection) vulnerabilities.
- **April.23.23**: 3.4.1
- [PR #209](https://github.com/caxlsx/caxlsx/pull/209) - Revert characters other than `=` being considered as formulas.
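Review bot: The new CHANGELOG line links PR #189, but this merge is PR #307 according to the commit message; confirm which number this entry should cite so the link resolves to the change that actually flipped the default. The entry also lands in the unreleased block at the top of the file while the README hunk in this same PR describes the behaviour as "as of version 4.0"; make sure the heading for that block carries the 4.0 version so the two documents agree.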
diff --git a/README.md b/README.md
index a77a99a9..93bfa07f 100644
--- a/README.md
+++ b/README.md
@@ -124,24 +124,20 @@ Currently the following additional gems are available:
## Security
-To prevent [Formula Injection](https://www.owasp.org/index.php/CSV_Injection) vulnerabilities, set the following in an initializer:
+To prevent [Formula Injection](https://www.owasp.org/index.php/CSV_Injection) vulnerabilities, as of version 4.0, axlsx escapes all formulas by default. To permit formulas on a specific cell, please use:
```ruby
-Axlsx.escape_formulas = true
+cell.escape_formulas = false
```
-Then, set the following on each cell you'd like to add a formula:
+You may set `escape_formulas` on the workbook, worksheet, row and/or cell level. Refer to examples/escape_formula.md for details.
+
+To allow formulas globally by default (which was the behavior in axlsx 3.x and prior), you may set the following in an initializer:
```ruby
-cell.escape_formulas = false
+Axlsx.escape_formulas = false
```
-Refer to examples/escape_formula.md for how to set `escape_formulas` on the workbook, worksheet, row and/or cell level.
-
-**Important:** The global setting `Axlsx.escape_formulas = true` will become the default in the next major release (Axlsx 4.0).
-If you do not wish to set `Axlsx.escape_formulas = true` now, at a minimum, please set `Axlsx.escape_formulas = false` to
-ensure continuity when upgrading.
-
## Known Software Interoperability Issues
As axslx implements the Office Open XML (ECMA-376 spec) much of the
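Review bot: "axlsx escapes all formulas by default" overstates what the setting does. The getter's own doc comment in lib/axlsx.rb describes it as deciding whether "values starting with an equals sign" are treated as formulas, and the 3.4.1 entry in this same diff reverted treating other leading characters as formulas, so only `=`-prefixed values are escaped. Say that here, e.g. "values beginning with `=` are written as literal strings", and add that the remaining OWASP trigger characters (`+`, `-`, `@`, tab, carriage return) are still the application's responsibility to sanitise. It would also help to label `Axlsx.escape_formulas = false` as the insecure, whole-process option and steer readers to the worksheet, row or cell level opt-out for the few cells that genuinely need formulas; and the retained pointer to examples/escape_formula.md names a file that is not among the examples touched by this PR, so check it still describes the new default correctly.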
diff --git a/examples/basic_formula_example.md b/examples/basic_formula_example.md
index d19288fb..5a6eb878 100644
--- a/examples/basic_formula_example.md
+++ b/examples/basic_formula_example.md
@@ -7,6 +7,8 @@ You could insert formulas
```ruby
require 'axlsx'
+Axlsx.escape_formulas = false
+
p = Axlsx::Package.new
wb = p.workbook
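Review bot: This hunk, and the matching hunks in cached_formula_example.md, column_outlines_example.md, complex_example.md, defined_name_example.md and row_outlines_example.md, make every example open with `Axlsx.escape_formulas = false`, which teaches readers to disable escaping process-wide, the very setting the README hunk in this PR describes as the pre-4.0 behaviour to move away from. Prefer the narrower opt-out the updated tests use, `wb.add_worksheet(escape_formulas: false)`, or `cell.escape_formulas = false` on just the formula cells, and keep the global off-switch out of the examples so copy-pasted code does not reopen the injection surface for user-supplied values elsewhere in the workbook.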
diff --git a/examples/cached_formula_example.md b/examples/cached_formula_example.md
index e5b82264..47855b59 100644
--- a/examples/cached_formula_example.md
+++ b/examples/cached_formula_example.md
@@ -7,6 +7,8 @@ When you add a formula in Excel, it immediately calculates its value and store i
```ruby
require 'axlsx'
+Axlsx.escape_formulas = false
+
p = Axlsx::Package.new
wb = p.workbook
diff --git a/examples/column_outlines_example.md b/examples/column_outlines_example.md
index 6d402af5..5e2557e4 100644
--- a/examples/column_outlines_example.md
+++ b/examples/column_outlines_example.md
@@ -7,6 +7,8 @@ If you have a list of data that you want to group and summarize, you can create
```ruby
require 'axlsx'
+Axlsx.escape_formulas = false
+
p = Axlsx::Package.new
wb = p.workbook
diff --git a/examples/complex_example.md b/examples/complex_example.md
index 4f395b02..c0c8d7f4 100644
--- a/examples/complex_example.md
+++ b/examples/complex_example.md
@@ -7,6 +7,8 @@ This is a complex example with a worksheet full of data.
```ruby
require 'axlsx'
+Axlsx.escape_formulas = false
+
p = Axlsx::Package.new
wb = p.workbook
diff --git a/examples/defined_name_example.md b/examples/defined_name_example.md
index ce998263..b2dd3a80 100644
--- a/examples/defined_name_example.md
+++ b/examples/defined_name_example.md
@@ -7,6 +7,8 @@ You could use defined names in formulas
```ruby
require 'axlsx'
+Axlsx.escape_formulas = false
+
p = Axlsx::Package.new
wb = p.workbook
diff --git a/examples/row_outlines_example.md b/examples/row_outlines_example.md
index baa48cfe..78c0d55a 100644
--- a/examples/row_outlines_example.md
+++ b/examples/row_outlines_example.md
@@ -7,6 +7,8 @@ If you have a list of data that you want to group and summarize, you can create
```ruby
require 'axlsx'
+Axlsx.escape_formulas = false
+
p = Axlsx::Package.new
wb = p.workbook
diff --git a/lib/axlsx.rb b/lib/axlsx.rb
index 71c0ca1c..1f43103e 100644
--- a/lib/axlsx.rb
+++ b/lib/axlsx.rb
@@ -220,7 +220,7 @@ module Axlsx
# See https://www.owasp.org/index.php/CSV_Injection for details.
# @return [Boolean]
def self.escape_formulas
- !defined?(@escape_formulas) || @escape_formulas.nil? ? false : @escape_formulas
+ !defined?(@escape_formulas) || @escape_formulas.nil? ? true : @escape_formulas
end
# Sets whether to treat values starting with an equals sign as formulas or as literal strings.
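Review bot: The default flips to `true` here, but the `@return [Boolean]` doc comment directly above the method says nothing about the default, so add a "Defaults to true" line rather than leaving readers to parse the ternary. Style-wise, `!defined?(@escape_formulas) || @escape_formulas.nil?` only earns its keep as a guard against the uninitialised-ivar warning on old Rubies; if that warning is not a concern for the supported versions, `@escape_formulas.nil? ? true : @escape_formulas` says the same thing more plainly.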
diff --git a/test/tc_axlsx.rb b/test/tc_axlsx.rb
index 66b12ff9..25b21777 100644
--- a/test/tc_axlsx.rb
+++ b/test/tc_axlsx.rb
@@ -165,7 +165,7 @@ class TestAxlsx < Test::Unit::TestCase
def test_escape_formulas
Axlsx.instance_variable_set(:@escape_formulas, nil)
- refute Axlsx.escape_formulas
+ assert Axlsx.escape_formulas
Axlsx.escape_formulas = true
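Review bot: The test sets `@escape_formulas` to nil to exercise the default, but nothing in the visible lines restores it afterwards, and the tc_cell tests in this same PR now depend on the default being `true`; reset the ivar in a teardown or `ensure` block rather than relying on test ordering. Consider also asserting the round-trip `Axlsx.escape_formulas = false` followed by `refute Axlsx.escape_formulas`, since `false` is now the non-default value callers will actually set.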
diff --git a/test/workbook/worksheet/tc_cell.rb b/test/workbook/worksheet/tc_cell.rb
index a8ab6ca1..94c424b3 100644
--- a/test/workbook/worksheet/tc_cell.rb
+++ b/test/workbook/worksheet/tc_cell.rb
@@ -411,7 +411,7 @@ class TestCell < Test::Unit::TestCase
def test_to_xml_string_formula
p = Axlsx::Package.new
- ws = p.workbook.add_worksheet do |sheet|
+ ws = p.workbook.add_worksheet(escape_formulas: false) do |sheet|
sheet.add_row ["=IF(2+2=4,4,5)"]
end
doc = Nokogiri::XML(ws.to_xml_string)
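Review bot: Both formula tests (this one and `test_to_xml_string_array_formula` below) now opt out at worksheet level, so after this change no test in these hunks exercises the new default against a formula-looking value. Add a counterpart that calls `add_worksheet` without `escape_formulas: false`, adds `["=IF(2+2=4,4,5)"]`, and asserts the cell is serialised as a string cell with no `<f>` element; that is the behaviour this PR exists to guarantee and currently nothing here pins it down.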
@@ -512,7 +512,7 @@ class TestCell < Test::Unit::TestCase
def test_to_xml_string_array_formula
p = Axlsx::Package.new
- ws = p.workbook.add_worksheet do |sheet|
+ ws = p.workbook.add_worksheet(escape_formulas: false) do |sheet|
sheet.add_row ["{=SUM(C2:C11*D2:D11)}"]
end
doc = Nokogiri::XML(ws.to_xml_string)