letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(audit): H10 — neutralize CSV formula injection in expense + audit exports

Browse Source 
Adds sanitizeCsvCell() (prefixes a quote when a cell starts with = + - @
tab/CR) and applies it to the audit-export escape() and the user-controlled
free-text columns of the expense export before Papa.unparse.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-06-02 12:18:07 +02:00
parent 4489ad2431
commit a335dbc117
3 changed files with 42 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/app/api/v1/admin/audit/export/route.ts
View File

@@ -1,6 +1,7 @@
import { NextResponse } from 'next/server';
import { withAuth, withPermission } from '@/lib/api/helpers';
import { sanitizeCsvCell } from '@/lib/csv/sanitize-csv-cell';
import { errorResponse } from '@/lib/errors';
import { searchAuditLogs } from '@/lib/services/audit-search.service';
@@ -94,7 +95,10 @@ function buildCsv(rows: Awaited<ReturnType<typeof searchAuditLogs>>['rows']): st
const escape = (v: unknown): string => {
if (v === null || v === undefined) return '';
const s = typeof v === 'object' ? JSON.stringify(v) : String(v);
const raw = typeof v === 'object' ? JSON.stringify(v) : String(v);
// Neutralize spreadsheet formula triggers before RFC 4180 framing —
// the leading quote is part of the cell value, not the CSV escaping.
const s = sanitizeCsvCell(raw);
if (/[",\n\r]/.test(s)) {
return `"${s.replace(/"/g, '""')}"`;
}