mui-x icon indicating copy to clipboard operation
mui-x copied to clipboard

Published 20 hours ago verified publisher icon mui

[data grid] Sanitize cells with formulas for CSV export used in Excel

Open cherniavskii opened this issue 1 year ago • 4 comments
trafficstars

Summary

https://groups.google.com/u/0/a/mui.com/g/security/c/L5bFSD3uwF8

Examples

No response

Motivation

No response

Search keywords: csv excel

cherniavskii avatar Jan 16 '24 14:01 cherniavskii

We could do this along with introducing a value getter/serializer which would also allow the users to customize the exported values on top of sanitization. Here's a related issue: https://github.com/mui/mui-x/issues/8193

MBilalShafi avatar Jan 16 '24 15:01 MBilalShafi

There seem to be a couple of opportunities to improve the CSV export features. I tried to rank these:

  1. It feels like we are missing callbacks for developers to customize the exports. For example, a callback for each CSV export cell, a callback for each Excel call, a flag to say if valueFormatter should be used or not per column, etc.

  2. We could have an opt-in flag to escape formulas by default. See: Screenshot 2024-01-16 at 17 03 55 http://georgemauer.net/2017/10/07/csv-injection.html

So for instance https://www.ag-grid.com/react-data-grid/csv-export/#security-concerns not being opt-in feels borderline.

Should this be opt-out? https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection suggests that it shouldn't. CSV has other applications, we might not be able to make an escaping logic that doesn't break some other types of applications. I wouldn't be against trying, just don't know if it would work. The root problem is really Excel.

I can't find anyone who makes this opt-out and it's rare to even find CSV libraries who have an option for it, e.g. https://github.com/FasterXML/jackson-dataformats-text/issues/326#issuecomment-1230986329, but then this is very strange UX to me:

https://github.com/mui/mui-x/assets/3165635/664aaeda-52a5-4398-81da-5d8f8343722b

  1. It would be great to have interactive playground demos where developers can see the actual CSV exports https://mui.com/x/react-data-grid/export/#csv-export.
  2. I don't know about having the apiRef at the bottom of the page https://mui.com/x/react-data-grid/export/#apiref. Feel like this should be one per section (CSV, Excel, Print). I initially didn't realize how to use the CSV export. I mean, the whole page needs to be read right now, even if you are only interested in one of these 3 exports. This move could help.

oliviertassinari avatar Jan 16 '24 19:01 oliviertassinari

Good morning, I'm commenting on this issue to find out when a resolution is expected.

We have a dozen applications with a total of about fifty DataGridPremium instances, some of them have a lot of columns. An ad hoc resolution could be costly and complicated (to avoid duplication of escaping logic).

An opt-in/opt-out solution with a flag on the DataGridPremium component and/or single column would be ideal.

Thank you.

Mauro

Premium subscription Order ID: 47709

mauro-ni avatar May 13 '24 09:05 mauro-ni

Hi Mauro, I'm handling the community support this week, I'll look into it. You can expect a solution by the end of next week.

cherniavskii avatar May 13 '24 11:05 cherniavskii

:warning: This issue has been closed. If you have a similar problem but not exactly the same, please open a new issue. Now, if you have additional information related to this issue or things that could help future readers, feel free to leave a comment.

@cherniavskii: How did we do? Your experience with our support team matters to us. If you have a moment, please share your thoughts in this short Support Satisfaction survey.

github-actions[bot] avatar May 20 '24 09:05 github-actions[bot]