Eliminate risk of CSV Injection by sanitizing output CSV on 'Export' #3650

@xhocquet

Is your feature request related to a problem? Please describe.
Rails admin can allow CSV Injection (https://owasp.org/www-community/attacks/CSV_Injection) by putting malicious commands from inputs or data models in the Rails application into a CSV file. The end result is that a malicious and savvy user could exploit an admin user's downloaded CSV to trigger commands on the admin user's machine. Lots of potential for damage there!

One example that can be tried (this will open a calculator on a Windows machine):

=cmd|'/C calc.exe'!Z0

Describe proposed solution(s)
In our application, we implemented csv-safe, which has some simple sanitization rules. The same code could be added to rails_admin CSV generation to resolve this issue.

Additional context
N/A
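One way to implement the sanitization the report proposes, as an added example that is neither rails_admin's nor csv-safe's code (the `sanitize_csv_cell` and `safe_csv` names and the sample rows are constructed here; the trigger list follows the OWASP page linked above):

```ruby
require "csv"

# Leading characters that spreadsheet clients treat as the start of a
# formula (the set OWASP lists for CSV injection, including tab and CR).
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Returns a value that Excel/LibreOffice will display as literal text.
# A leading single quote is the conventional "treat as text" marker; the
# original content is otherwise preserved so the admin still sees the data.
# Non-strings (Integer, Float, nil, ...) are not formulas and pass through.
# Trade-off: a string such as "-12.5" is also prefixed; prefixing every
# string that starts with a trigger is the conservative choice.
def sanitize_csv_cell(value)
  return value unless value.is_a?(String)
  return value if value.empty? || !FORMULA_TRIGGERS.include?(value[0])

  "'" + value
end

# Builds the export CSV text, running every cell through the sanitizer.
# `rows` is an Array of Hashes keyed by the header names.
def safe_csv(rows, headers)
  CSV.generate do |csv|
    csv << headers
    rows.each do |row|
      csv << headers.map { |header| sanitize_csv_cell(row[header]) }
    end
  end
end

# Constructed sample data: one benign row and one row carrying the
# formula string quoted in the report above.
SAMPLE_ROWS = [
  { "name" => "Alice", "note" => "plain text" },
  { "name" => "Mallory", "note" => "=cmd|'/C calc.exe'!Z0" },
].freeze

puts safe_csv(SAMPLE_ROWS, %w[name note]) if $PROGRAM_NAME == __FILE__
```

The hook point in an export path is wherever cell values are handed to `CSV.generate`; only strings are touched, so numeric columns keep their types.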
