spree_core 5.3.5 → 5.3.6
- checksums.yaml +4 -4
- data/app/models/spree/export.rb +2 -2
- data/app/presenters/spree/csv/formula_sanitizer.rb +28 -0
- data/lib/spree/core/version.rb +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9cc8a20703830f22c34bba6cb907ec7895afde999df0550eca4171adc291ffc3
|
|
4
|
+
data.tar.gz: 5e869ff3a246388179bf7e4cc59de7d56e30abae11a19a06f28fbc6d3009ba77
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2b4f2aad8f5699196b1477456ec12006a3cf5c61498e5c4e886730698b1e959881c6a07df170094d22076bf7c21e92a816da7ad2b663f737b8ae8a3c9e2eca19
|
|
7
|
+
data.tar.gz: 6b836c460679f62490356c7b188965aa0404e82bb7ca7284dea61f3d462903df3e2118b7f76d4026546e1c1e55a78fa83e4f2b51dc488b6284d71629737c0032
|
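--- a/data/app/models/spree/export.rb
+++ b/data/app/models/spree/export.rb
@@ -82,10 +82,10 @@ module Spree
 batch.each do |record|
 if multi_line_csv?
 record.to_csv(store).each do |line|
-csv << line
+csv << Spree::CSV::FormulaSanitizer.row(line)
 end
 else
-csv << record.to_csv(store)
+csv << Spree::CSV::FormulaSanitizer.row(record.to_csv(store))
 end
 end
 end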
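Review bot: The two new `csv <<` lines (hunk lines 85 and 88) carry no hint of why the row passes through a sanitizer, so a later edit that adds another `csv <<` in this method, or in any other CSV writer in the codebase, would silently reintroduce the formula-injection sink; a one-line comment above `if multi_line_csv?`, `# Every row goes through FormulaSanitizer so user-supplied cells cannot be evaluated as spreadsheet formulas`, makes the invariant explicit at the sink. `FormulaSanitizer.row` maps over its argument, so these calls rely on `record.to_csv(store)` (and each `line` of it in the multi-line branch) being an Array of scalar cells rather than a CSV::Row or String — presumably true, but a spec asserting that a cell starting with `=` comes out prefixed would pin it. The enclosing method starts and ends outside the hunk.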
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module Spree
|
|
2
|
+
module CSV
|
|
3
|
+
# Neutralizes CSV formula injection (CWE-1236 / OWASP "CSV Injection")
|
|
4
|
+
# by prefixing cells that would otherwise be evaluated as a formula
|
|
5
|
+
# when the exported file is opened in Excel, Google Sheets, LibreOffice,
|
|
6
|
+
# or Numbers.
|
|
7
|
+
#
|
|
8
|
+
# The leading apostrophe is the OWASP-recommended marker — spreadsheets
|
|
9
|
+
# render the cell as plain text without displaying the apostrophe.
|
|
10
|
+
module FormulaSanitizer
|
|
11
|
+
TRIGGERS = ["=", "+", "-", "@", "\t", "\r", "\n"].freeze
|
|
12
|
+
|
|
13
|
+
module_function
|
|
14
|
+
|
|
15
|
+
def cell(value)
|
|
16
|
+
return value unless value.is_a?(String)
|
|
17
|
+
return value if value.empty?
|
|
18
|
+
return value unless TRIGGERS.include?(value[0])
|
|
19
|
+
|
|
20
|
+
"'#{value}"
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def row(values)
|
|
24
|
+
values.map { |v| cell(v) }
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
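Review bot: `cell` (hunk lines 15–21) prefixes every String whose first character is `-`, so if any presenter emits negative amounts or adjustments as Strings (e.g. "-12.50") those cells will now land in the spreadsheet as text rather than numbers; a purely numeric string cannot be a formula, so a narrow exemption placed before the trigger check, `return value if value.match?(/\A-\d+(\.\d+)?\z/)`, keeps the protection without that side effect — only worth adding if exports actually carry such strings, which this hunk cannot show. Non-String values (Symbols, objects the CSV writer stringifies later) pass through untouched via `return value unless value.is_a?(String)`, which is fine provided callers stringify user-supplied data before calling `row`; that is an assumption to confirm against the presenters. Both methods lack YARD docs: `# @param value [Object] a single cell; only Strings are inspected` and `# @return [Object] the value, prefixed with an apostrophe when it begins with one of TRIGGERS` on `cell`, and `# @param values [Array] one CSV row` and `# @return [Array] the row with each cell passed through cell` on `row`, would complete the module comment.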
data/lib/spree/core/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spree_core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.3.
|
|
4
|
+
version: 5.3.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sean Schofield
|
|
@@ -1190,6 +1190,7 @@ files:
|
|
|
1190
1190
|
- app/models/spree/zone_member.rb
|
|
1191
1191
|
- app/paginators/spree/shared/paginate.rb
|
|
1192
1192
|
- app/presenters/spree/csv/customer_presenter.rb
|
|
1193
|
+
- app/presenters/spree/csv/formula_sanitizer.rb
|
|
1193
1194
|
- app/presenters/spree/csv/gift_card_presenter.rb
|
|
1194
1195
|
- app/presenters/spree/csv/metafields_helper.rb
|
|
1195
1196
|
- app/presenters/spree/csv/newsletter_subscriber_presenter.rb
|
|
@@ -1731,9 +1732,9 @@ licenses:
|
|
|
1731
1732
|
- BSD-3-Clause
|
|
1732
1733
|
metadata:
|
|
1733
1734
|
bug_tracker_uri: https://github.com/spree/spree/issues
|
|
1734
|
-
changelog_uri: https://github.com/spree/spree/releases/tag/v5.3.
|
|
1735
|
+
changelog_uri: https://github.com/spree/spree/releases/tag/v5.3.6
|
|
1735
1736
|
documentation_uri: https://docs.spreecommerce.org/
|
|
1736
|
-
source_code_uri: https://github.com/spree/spree/tree/v5.3.
|
|
1737
|
+
source_code_uri: https://github.com/spree/spree/tree/v5.3.6
|
|
1737
1738
|
rdoc_options: []
|
|
1738
1739
|
require_paths:
|
|
1739
1740
|
- lib
|