* fix: Escape csv content during downloads * Reuse CsvResponse object * Use correct mimetype for csv responses * Ensure that headers are also escaped * Update escaping logic
67
superset/utils/csv.py
Normal file
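--- a/superset/utils/csv.py
+++ b/superset/utils/csv.py
@@ -0,0 +1,67 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+import re
+from typing import Any
+
+import pandas as pd
+
+negative_number_re = re.compile(r"^-[0-9.]+$")
+
+# This regex will match if the string starts with:
+#
+# 1. one of -, @, +, |, =, %
+# 2. two double quotes immediately followed by one of -, @, +, |, =, %
+# 3. one or more spaces immediately followed by one of -, @, +, |, =, %
+#
+problematic_chars_re = re.compile(r'^(?:"{2}|\s{1,})(?=[\-@+|=%])|^[\-@+|=%]')
+
+
+def escape_value(value: str) -> str:
+    """
+    Escapes a set of special characters.
+
+    http://georgemauer.net/2017/10/07/csv-injection.html
+    """
+    needs_escaping = problematic_chars_re.match(value) is not None
+    is_negative_number = negative_number_re.match(value) is not None
+
+    if needs_escaping and not is_negative_number:
+        # Escape pipe to be extra safe as this
+        # can lead to remote code execution
+        value = value.replace("|", "\\|")
+
+        # Precede the line with a single quote. This prevents
+        # evaluation of commands and some spreadsheet software
+        # will hide this visually from the user. Many articles
+        # claim a preceding space will work here too, however,
+        # when uploading a csv file in Google sheets, a leading
+        # space was ignored and code was still evaluated.
+        value = "'" + value
+
+    return value
+
+
+def df_to_escaped_csv(df: pd.DataFrame, **kwargs: Any) -> Any:
+    escape_values = lambda v: escape_value(v) if isinstance(v, str) else v
+
+    # Escape csv headers
+    df = df.rename(columns=escape_values)
+
+    # Escape csv rows
+    df = df.applymap(escape_values)
+
+    return df.to_csv(**kwargs)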
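Review bot: The index labels are written unescaped: in `df_to_escaped_csv`, `df.rename(columns=escape_values)` covers the header row and `applymap` covers the cells, but `df.to_csv(**kwargs)` also emits the index unless the caller passes `index=False`, so a string index label starting with `=`, `+`, `-`, `@`, `|` or `%` would reach the file untouched. Applying the same callable to both axes closes that gap with a one-line change: `df = df.rename(index=escape_values, columns=escape_values)`. `df_to_escaped_csv` also has no docstring; a short one stating that string headers and cells are passed through `escape_value`, that `kwargs` are forwarded to `DataFrame.to_csv`, and that the return value is whatever `to_csv` returns (a string, or `None` when a path or buffer is given) would make the `Any` return type less opaque.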