diff options
| -rw-r--r-- | CHANGELOG.md | 1 | ||||
| -rw-r--r-- | lib/axlsx/workbook/worksheet/cell.rb | 8 | ||||
| -rw-r--r-- | test/workbook/worksheet/tc_cell.rb | 33 |
3 files changed, 39 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8537ea6e..1ebf252c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ CHANGELOG --------- - **Unreleased** - [PR #186](https://github.com/caxlsx/caxlsx/pull/186) - Add `escape_formulas` to global, workbook, worksheet, row and cell levels, and standardize behavior. + - [PR #186](https://github.com/caxlsx/caxlsx/pull/186) - `escape_formulas` should handle all [OWASP-designated formula prefixes](https://owasp.org/www-community/attacks/CSV_Injection). - Fix bug when calling `worksheet.add_border("A1:B2", nil)` - Change `BorderCreator#initialize` arguments handling - Fix `add_border` to work with singluar cell refs diff --git a/lib/axlsx/workbook/worksheet/cell.rb b/lib/axlsx/workbook/worksheet/cell.rb index 8e55d0c5..f0345705 100644 --- a/lib/axlsx/workbook/worksheet/cell.rb +++ b/lib/axlsx/workbook/worksheet/cell.rb @@ -72,6 +72,10 @@ module Axlsx CELL_TYPES = [:date, :time, :float, :integer, :richtext, :string, :boolean, :iso_8601, :text].freeze + # Leading characters that indicate a formula. + # See: https://owasp.org/www-community/attacks/CSV_Injection + FORMULA_PREFIXES = ['-', '=', '+', '@', '%', '|', "\r", "\t"].freeze + # The index of the cellXfs item to be applied to this cell. # @return [Integer] # @see Axlsx::Styles @@ -170,7 +174,7 @@ module Axlsx !is_text_run? && # No inline styles [email protected]? && # Not nil [email protected]? && # Not empty - [email protected]_with?(?=) # Not a formula + [email protected]_with?(*FORMULA_PREFIXES) # Not a formula end # The inline font_name property for the cell @@ -368,7 +372,7 @@ module Axlsx def is_formula? return false if escape_formulas - type == :string && @value.to_s.start_with?(?=) + type == :string && @value.to_s.start_with?(*FORMULA_PREFIXES) end def is_array_formula? diff --git a/test/workbook/worksheet/tc_cell.rb b/test/workbook/worksheet/tc_cell.rb index bdbfd59d..b8e16404 100644 --- a/test/workbook/worksheet/tc_cell.rb +++ b/test/workbook/worksheet/tc_cell.rb @@ -382,6 +382,37 @@ class TestCell < Test::Unit::TestCase assert(doc.xpath("//t[text()='=IF(2+2=4,4,5)']").any?) end + def test_to_xml_string_numeric_escaped + p = Axlsx::Package.new + ws = p.workbook.add_worksheet do |sheet| + sheet.add_row ["-1", "+2"], escape_formulas: true, types: :text + end + doc = Nokogiri::XML(ws.to_xml_string) + doc.remove_namespaces! + assert(doc.xpath("//t[text()='-1']").any?) + assert(doc.xpath("//t[text()='+2']").any?) + end + + def test_to_xml_string_other_owasp_escaped + p = Axlsx::Package.new + ws = p.workbook.add_worksheet do |sheet| + sheet.add_row [ + "@1", + "%2", + "|3", + "\rfoo", + "\tbar" + ], escape_formulas: true + end + doc = Nokogiri::XML(ws.to_xml_string) + doc.remove_namespaces! + assert(doc.xpath("//t[text()='@1']").any?) + assert(doc.xpath("//t[text()='%2']").any?) + assert(doc.xpath("//t[text()='|3']").any?) + assert(doc.xpath("//t[text()='\nfoo']").any?) + assert(doc.xpath("//t[text()='\tbar']").any?) + end + def test_to_xml_string_formula_escape_array_parameter p = Axlsx::Package.new ws = p.workbook.add_worksheet do |sheet| @@ -414,7 +445,7 @@ class TestCell < Test::Unit::TestCase def test_to_xml_string_text_formula p = Axlsx::Package.new ws = p.workbook.add_worksheet do |sheet| - sheet.add_row ["=1+1", "-1+1"], type: :text + sheet.add_row ["=1+1", "-1+1"], types: :text end doc = Nokogiri::XML(ws.to_xml_string) doc.remove_namespaces! |