spree_core 5.2.7 → 5.2.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/models/spree/export.rb +2 -2
- data/app/presenters/spree/csv/formula_sanitizer.rb +28 -0
- data/lib/spree/core/version.rb +1 -1
- metadata +4 -3
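--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 102bf5c31c0361b79a2f8b33d3e726db61fa8b92a6b7e8fe4af9e89e92d2559d
+data.tar.gz: 2c8309529ba90261d29114ec7eb7a4243e52c23d4965d3496af845c51db43dc8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 97c1d37aaf91550e90b2839d2d645aaa240bff7de236e4cce11782e48f14738545af6181a2ade97dc3bcec209a3bb236f473968fa4df34194accc9234e73e65a
+data.tar.gz: ba7fa245c81056c279e3cff639d5f3c1895b06aef930eade1efdd783ee8954e80dbd2043f2ed84b76fa93c5618a5f4eb95eec4afbd21fa9fd052717734a2a4f0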
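--- a/data/app/models/spree/export.rb
+++ b/data/app/models/spree/export.rb
@@ -72,10 +72,10 @@ module Spree
 batch.each do |record|
 if multi_line_csv?
 record.to_csv(store).each do |line|
-csv << line
+csv << Spree::CSV::FormulaSanitizer.row(line)
 end
 else
-csv << record.to_csv(store)
+csv << Spree::CSV::FormulaSanitizer.row(record.to_csv(store))
 end
 end
 end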
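Review bot: Nothing in this hunk records why rows are routed through `Spree::CSV::FormulaSanitizer.row`, so a later refactor or a second export path that appends presenter output to a CSV could drop the protection silently; a why-comment above the loop would pin the invariant, e.g. `# Every cell is sanitized here, at the file boundary: presenter output is user-controlled and would otherwise be evaluated as a formula by spreadsheet apps.` Both branches now hand the presenter's return value to `row`, which calls `map` on it, so `record.to_csv(store)` (and each `line` in the multi-line branch) must yield an Array; the presenters are not visible from this hunk, so that contract is worth confirming and stating next to the call. Any other CSV writers in the codebase, if they exist, are not covered by this change. The enclosing method starts and ends outside this hunk.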
|
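--- /dev/null
+++ b/data/app/presenters/spree/csv/formula_sanitizer.rb
@@ -0,0 +1,28 @@
+module Spree
+module CSV
+# Neutralizes CSV formula injection (CWE-1236 / OWASP "CSV Injection")
+# by prefixing cells that would otherwise be evaluated as a formula
+# when the exported file is opened in Excel, Google Sheets, LibreOffice,
+# or Numbers.
+#
+# The leading apostrophe is the OWASP-recommended marker — spreadsheets
+# render the cell as plain text without displaying the apostrophe.
+module FormulaSanitizer
+TRIGGERS = ["=", "+", "-", "@", "\t", "\r", "\n"].freeze
+
+module_function
+
+def cell(value)
+return value unless value.is_a?(String)
+return value if value.empty?
+return value unless TRIGGERS.include?(value[0])
+
+"'#{value}"
+end
+
+def row(values)
+values.map { |v| cell(v) }
+end
+end
+end
+end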
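Review bot: The header comment at lines 8-9 overstates what the apostrophe buys: spreadsheet applications hide a leading apostrophe typed into a cell, but when a file is opened or imported as CSV the apostrophe is commonly kept as literal text and stays visible (widely reported for Excel and LibreOffice; worth verifying against each target named in the comment). The prefix also rewrites legitimate values — phone numbers starting with `+`, negative amounts serialized as strings, SKUs or notes starting with `-` — so programmatic consumers that re-import the export will see a different value than was stored. I would soften the comment to something like `# The leading apostrophe is the OWASP-recommended neutralizer. Note: many CSV importers keep it as literal text, and it alters legitimate values that begin with =, +, -, @ or a control character.` and mention the caveat wherever the export feature is documented. The first-character check itself matches the OWASP trigger set, and non-String cells (numbers, nil) pass through untouched via the `is_a?(String)` guard, which keeps numeric columns intact.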
data/lib/spree/core/version.rb
CHANGED
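--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.8
 platform: ruby
 authors:
 - Sean Schofield
@@ -1223,6 +1223,7 @@ files:
 - app/models/spree/zone_member.rb
 - app/paginators/spree/shared/paginate.rb
 - app/presenters/spree/csv/customer_presenter.rb
+- app/presenters/spree/csv/formula_sanitizer.rb
 - app/presenters/spree/csv/gift_card_presenter.rb
 - app/presenters/spree/csv/metafields_helper.rb
 - app/presenters/spree/csv/newsletter_subscriber_presenter.rb
@@ -1704,9 +1705,9 @@ licenses:
 - BSD-3-Clause
 metadata:
 bug_tracker_uri: https://github.com/spree/spree/issues
-changelog_uri: https://github.com/spree/spree/releases/tag/v5.2.
+changelog_uri: https://github.com/spree/spree/releases/tag/v5.2.8
 documentation_uri: https://docs.spreecommerce.org/
-source_code_uri: https://github.com/spree/spree/tree/v5.2.
+source_code_uri: https://github.com/spree/spree/tree/v5.2.8
 rdoc_options: []
 require_paths:
 - lib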