authorGabriel Morcote <[email protected]>2019-12-20 15:01:35 -0600
committerStefan Daschek <[email protected]>2019-12-20 22:01:35 +0100
commit0a223011a26949ddc00eba882005daee7afeb6a6 (patch)
treea5ffc3459f43e0efef8326dbd1738cac5c5dbc0f /lib/axlsx/workbook/worksheet/cell.rb
parent99d3d2fbe5b07aa005b475b8cdc4e6238c3d5e28 (diff)
Add option to protect against formula injection attacks (#34)
Caxlsx used to treat cell values beginning with an equal sign as a formula by default. This can be dangerous if the input data is user-generated or comes from other untrusted sources (see https://www.owasp.org/index.php/CSV_Injection for details). This commit adds a new option `escape_formulas` that can be used with `#add_row` and on instances of `Cell`. If set to true, cell values beginning with an equal sign are treated as normal strings (and will be displayed literally by Excel and co.)
Diffstat (limited to 'lib/axlsx/workbook/worksheet/cell.rb')
-rw-r--r--lib/axlsx/workbook/worksheet/cell.rb20
1 files changed, 20 insertions, 0 deletions
diff --git a/lib/axlsx/workbook/worksheet/cell.rb b/lib/axlsx/workbook/worksheet/cell.rb
index 99b3f8b0..53bea28b 100644
--- a/lib/axlsx/workbook/worksheet/cell.rb
+++ b/lib/axlsx/workbook/worksheet/cell.rb
@@ -30,6 +30,10 @@ module Axlsx
# @option options [String] color an 8 letter rgb specification
# @option options [Number] formula_value The value to cache for a formula cell.
# @option options [Symbol] scheme must be one of :none, major, :minor
+ # @option options [Boolean] escape_formulas - Whether to treat a value starting with an equal
+ # sign as formula (default) or as simple string.
+ # Allowing user generated data to be interpreted as formulas can be dangerous
+ # (see https://www.owasp.org/index.php/CSV_Injection for details).
def initialize(row, value = nil, options = {})
@row = row
# Do not use instance vars if not needed to use less RAM
@@ -38,6 +42,8 @@ module Axlsx
type = options.delete(:type) || cell_type_from_value(value)
self.type = type unless type == :string
+ escape_formulas = options[:escape_formulas]
+ self.escape_formulas = escape_formulas unless escape_formulas.nil?
val = options.delete(:style)
self.style = val unless val.nil? || val == 0
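Review bot: `escape_formulas = options[:escape_formulas]` on the second added line reads the key without consuming it, while the neighbouring options are taken with `options.delete(:type)` and `options.delete(:style)`; if the rest of `initialize` (outside this hunk) iterates the leftover options to call setters, the validated setter would run a second time for the same value. For consistency with its siblings, `escape_formulas = options.delete(:escape_formulas)`. The body of `initialize` continues past the end of the hunk.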
@@ -102,6 +108,18 @@ module Axlsx
self.value = @value unless !defined?(@value) || @value.nil?
end
+ # Whether to treat a value starting with an equal
+ # sign as formula (default) or as simple string.
+ # Allowing user generated data to be interpreted as formulas can be dangerous
+ # (see https://www.owasp.org/index.php/CSV_Injection for details).
+ # @return [Boolean]
+ attr_reader :escape_formulas
+
+ def escape_formulas=(v)
+ Axlsx.validate_boolean(v)
+ @escape_formulas = v
+ end
+
# The value of this cell.
# @return [String, Integer, Float, Time, Boolean] casted value based on cell's type attribute.
attr_reader :value
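Review bot: The `attr_reader :escape_formulas` is documented as `@return [Boolean]`, but `@escape_formulas` is only assigned through the setter, so a cell that never received the option returns `nil`, and callers of the reader need to know that `nil` means formula detection stays on. Suggest `# @return [Boolean, nil] nil when the option was never given, which leaves formula detection enabled`. `escape_formulas=` has no YARD block; a `@param v [Boolean]` line plus `@raise [ArgumentError] when v is not true or false` would document the validation, assuming `Axlsx.validate_boolean` raises the way the other validators in this library do (confirm).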
@@ -324,6 +342,8 @@ module Axlsx
end
def is_formula?
+ return false if escape_formulas
+
type == :string && @value.to_s.start_with?(?=)
end
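Review bot: The new early return in `is_formula?` carries no comment explaining why a value beginning with `=` is deliberately demoted to a plain string, and the method itself is undocumented even though it is the single point where the injection protection from the commit message takes effect. Suggest a YARD comment above `def is_formula?`: `# @return [Boolean] true when the string value starts with '=' and escape_formulas is not set; escaped cells are written as literal strings (see the commit message), so spreadsheet applications display the '=' instead of evaluating it.` The guard also depends on `escape_formulas` being `nil` or `false` for the default path, so the comment should state that the default keeps formula detection on.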