streamy_csv 0.4.0 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 24325070ca75478285318b9b6e0123ef9984cca3
-  data.tar.gz: 47cda2132e14791c76233c269ad967d906b81cdb
+  metadata.gz: d675a642b3b39ce706e4f8e5ec0cd67809db6f43
+  data.tar.gz: 6a68f7897d3070e18e45f02200685bbc4c3c2d89
 SHA512:
-  metadata.gz: b816608ce3cac24b1f930b44b05229fcaf1400b36dd673b47632f4c7df258971bcb1132357a2b0311be5a1bcc357baf362835a8de2ce440fecf81d5b30c9cc27
-  data.tar.gz: 201fa74a9696bacdbfa0928c27674a58b30f65cae3c13f2a50b41bef7741d1c13bbd194e1686b77a77ad30903a8e25f5efa3465805e08f4108560b500e5132fa
+  metadata.gz: 6cf3a9f43c25f5a077453be47c80f46d75e2265fbac842274f5a11316533c1628fe6e09dd77af76b394d61ed7b1b0736366111a1704c5ef41acd3fb71219a587
+  data.tar.gz: 52f04bddb8b2d850fc5a3320eac6e8afde8c807b98314661c8818f9d483473ede3303064d41bb3866474b44625a0bbdb8912a76ec0730a967bd0c442cc9826c5

data/lib/streamy_csv/injection_sanitizer.rb

@@ -0,0 +1,18 @@
+module StreamyCsv
+  class InjectionSanitizer
+    PREFIXES_TO_ESCAPE=%w(= @ + - |)
+    ESCAPE_CHAR="'"
+
+    def self.sanitize_csv_row(row)
+      if row.is_a?(CSV::Row)
+        sanitized_row = row.dup
+        row.each do |title, value|
+          if value.to_s.start_with?(*PREFIXES_TO_ESCAPE)
+            sanitized_row[title] = "#{ESCAPE_CHAR}#{value}"
+          end
+        end
+      end
+      row
+    end
+  end
+end

data/lib/streamy_csv/version.rb

@@ -1,3 +1,3 @@
 module StreamyCsv
-  VERSION = "0.4.0"
+  VERSION = "0.5.2"
 end

data/lib/streamy_csv.rb

@@ -1,8 +1,7 @@
 require "streamy_csv/version"
+require "streamy_csv/injection_sanitizer"
 
 module StreamyCsv
-  CSV_OPERATORS = ['+','-','=','@','%']
-  UNESCAPED_PIPES_RGX = /(?<!\\)(?:\\{2})*\K\|/
 
   # stream_csv('data.csv', MyModel.header_row) do |rows|
   #   MyModel.find_each do |my_model|
@@ -12,7 +11,7 @@ module StreamyCsv
   #
   #
 
-  def stream_csv(file_name, header_row, sanitize = true, &block)
+  def stream_csv(file_name, header_row, sanitize=true, &block)
     set_streaming_headers
     set_file_headers(file_name)
 
@@ -30,30 +29,16 @@ module StreamyCsv
   end
 
   def csv_lines(header_row, sanitize, &block)
-    Enumerator.new do |yielder|
-      rows = appendHeader([], header_row, sanitize)
-      block.call(rows)
-      rows.each do |row|
-        sanitize!(row) if sanitize
-        yielder.yield row
+    Enumerator.new do |rows|
+      if sanitize
+        def rows.<<(row)
+          super StreamyCsv::InjectionSanitizer.sanitize_csv_row(row).to_s
+        end
       end
+      rows << header_row if header_row
+      block.call(rows)
     end
-  end
-
-  def appendHeader(rows, header_row, sanitize)
-    if header_row && header_row.any?
-      sanitize! header_row if sanitize
-      rows << header_row.to_s
-    end
-    rows
-  end
 
-  def sanitize!(enumerable)
-    return unless enumerable && enumerable.is_a?(Enumerable)
-    enumerable = enumerable.fields if enumerable.is_a?(CSV::Row)
-    enumerable.each do |field|
-      field.gsub!(UNESCAPED_PIPES_RGX,'\|') if field.is_a?(String) && field.start_with?(*CSV_OPERATORS)        
-    end
   end
 
   def set_file_headers(file_name)

data/spec/lib/streamy_csv/injection_sanitizer_spec.rb

@@ -0,0 +1,39 @@
+$: << File.join(File.dirname(__FILE__), "../../../lib")
+require 'streamy_csv/injection_sanitizer'
+require 'csv'
+
+describe StreamyCsv::InjectionSanitizer do
+  describe 'sanitize_csv_row' do
+    it "returns the data as is in case it's not a csv row" do
+      StreamyCsv::InjectionSanitizer.sanitize_csv_row(10).should == 10
+    end
+
+    it 'escapes the leading escape leading | character on any column' do
+      row = CSV::Row.new([:x], ["|RAND()"])
+      sanitized_row = StreamyCsv::InjectionSanitizer.sanitize_csv_row(row)
+      sanitized_row.to_s.strip.should == "'|RAND()"
+    end
+
+    it 'escapes the leading escape leading + character on any column' do
+      row = CSV::Row.new([:x], ["-RAND()"])
+      sanitized_row = StreamyCsv::InjectionSanitizer.sanitize_csv_row(row)
+      sanitized_row.to_s.strip.should == "'-RAND()"
+    end
+
+    it 'escapes the leading escape leading + character on any column' do
+      row = CSV::Row.new([:x], ["+RAND()"])
+      sanitized_row = StreamyCsv::InjectionSanitizer.sanitize_csv_row(row)
+      sanitized_row.to_s.strip.should == "'+RAND()"
+    end
+    it 'escapes the leading escape leading @ character on any column' do
+      row = CSV::Row.new([:x], ["@RAND()"])
+      sanitized_row = StreamyCsv::InjectionSanitizer.sanitize_csv_row(row)
+      sanitized_row.to_s.strip.should == "'@RAND()"
+    end
+    it 'escapes the leading escape leading = character on any column' do
+      row = CSV::Row.new([:x], ["=RAND()"])
+      sanitized_row = StreamyCsv::InjectionSanitizer.sanitize_csv_row(row)
+      sanitized_row.to_s.strip.should == "'=RAND()"
+    end
+  end
+end

data/spec/streamy_csv_spec.rb

@@ -34,14 +34,14 @@ describe StreamyCsv do
     it 'sets the streaming headers' do
       @controller.stream_csv('abc.csv', @header)
       @controller.headers.should include({'X-Accel-Buffering' => 'no',
-        "Cache-Control" => "no-cache"
+                                          "Cache-Control" => "no-cache"
       })
     end
 
     it 'sets the file headers' do
       @controller.stream_csv('abc.csv', @header)
       @controller.headers.should include({"Content-Type" => "text/csv",
-        "Content-disposition" => "attachment; filename=\"abc.csv\""
+                                          "Content-disposition" => "attachment; filename=\"abc.csv\""
       })
     end
 
@@ -59,40 +59,46 @@ describe StreamyCsv do
       @controller.response.status.should == 200
       @controller.response_body.is_a?(Enumerator).should == true
     end
+
     it 'sanitizes header and contents and streams the csv file' do
-      row_1 = CSV::Row.new([:name, :title], ['AB', 'Mr'])
-      row_2 = CSV::Row.new([:name, :title], ["=cmd|' /C", 'Pres'])
-      header = [:name, "=cmd|' /C"]
-      rows = [header, row_1]
+      header = CSV::Row.new([:name, :title], ['Name', "=cmd|' /C"], true)
 
-      @controller.stream_csv('abc.csv', @header) do |rows|
-        rows << row_1
-        rows << row_2
+      @controller.stream_csv('abc.csv', header) do |rows|
+        rows << CSV::Row.new([:name, :title], ['AB', 'Mr'])
+        rows << CSV::Row.new([:name, :title], ["=cmd|' /C", '-Pres'])
+        rows << CSV::Row.new([:name, :title], ["@something", '+Pres'])
       end
+
       @controller.response.status.should == 200
       @controller.response_body.is_a?(Enumerator).should == true
-      @controller.response_body.take(1)[0].to_s[4].bytes == '\\'.bytes
-      @controller.response_body.take(1)[0].to_s[5].bytes == '|'.bytes
-      @controller.response_body.take(3)[2].to_s[4].bytes == '\\'.bytes
-      @controller.response_body.take(3)[2].to_s[5].bytes == '|'.bytes
+      body = @controller.response_body.to_a
+      body.size.should == 4
+
+      body[0].to_s.strip.should == "Name,'=cmd|' /C"
+      body[1].to_s.strip.should == "AB,Mr"
+      body[2].to_s.strip.should == "'=cmd|' /C,'-Pres"
+      body[3].to_s.strip.should == "'@something,'+Pres"
     end
-    it 'does not sanitize the csv if the option provided' do
-      row_1 = CSV::Row.new([:name, :title], ['AB', 'Mr'])
-      row_2 = CSV::Row.new([:name, :title], ["=cmd|' /C", 'Pres'])
-      header = [:name, "=cmd|' /C"]
-      rows = [header, row_1]
 
-      @controller.stream_csv('abc.csv', @header, false) do |rows|
-        rows << row_1
-        rows << row_2
+    it 'does not sanitize header and contents if specified and streams the csv file' do
+      header = CSV::Row.new([:name, :title], ['Name', "=cmd|' /C"], true)
+
+      @controller.stream_csv('abc.csv', header, false) do |rows|
+        rows << CSV::Row.new([:name, :title], ['AB', 'Mr'])
+        rows << CSV::Row.new([:name, :title], ["=cmd|' /C", '-Pres'])
+        rows << CSV::Row.new([:name, :title], ["@something", '+Pres'])
       end
+
       @controller.response.status.should == 200
       @controller.response_body.is_a?(Enumerator).should == true
-      @controller.response_body.take(1)[0].to_s[4].bytes == 'd'.bytes
-      @controller.response_body.take(1)[0].to_s[5].bytes == '|'.bytes
-      @controller.response_body.take(3)[2].to_s[4].bytes == 'd'.bytes
-      @controller.response_body.take(3)[2].to_s[5].bytes == '|'.bytes
+      body = @controller.response_body.to_a
+      body.size.should == 4
+
+      body[0].to_s.strip.should == "Name,=cmd|' /C"
+      body[1].to_s.strip.should == "AB,Mr"
+      body[2].to_s.strip.should == "=cmd|' /C,-Pres"
+      body[3].to_s.strip.should == "@something,+Pres"
     end
   end
 
-end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: streamy_csv
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.2
 platform: ruby
 authors:
 - smsohan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-02 00:00:00.000000000 Z
+date: 2017-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -39,7 +39,9 @@ files:
 - README.md
 - Rakefile
 - lib/streamy_csv.rb
+- lib/streamy_csv/injection_sanitizer.rb
 - lib/streamy_csv/version.rb
+- spec/lib/streamy_csv/injection_sanitizer_spec.rb
 - spec/streamy_csv_spec.rb
 - streamy_csv.gemspec
 homepage: https://github.com/smsohan/streamy_csv
@@ -61,10 +63,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.5.2.1
 signing_key: 
 specification_version: 4
 summary: Provides a simple API for your controllers to stream CSV files one row at
   a time
 test_files:
+- spec/lib/streamy_csv/injection_sanitizer_spec.rb
 - spec/streamy_csv_spec.rb