Content
View differences
Updated by Oliver Günther 15 days ago
**As** an adminstrator of OpenProject
**I want to** be able to restrict the export of CSV with control characters
**so that** users have to think less about security when dealing with these files
**Acceptance criteria**
* Add global settings page "Exports"
* Move work\_packages\_projects\_export\_limit setting into it
* Add new setting "Escape control characters in CSV"
* This setting is on by default
* If enabled, the setting will escape leading `= @ \t \r` characters, and leading `- +` escaped unless this number is deliberately exported as a number/currency (-5.00, -1.234,56 €
* Note: There is no official mitigation for CSV exports, so this setting will modify the export
* The technique we implement is noted by OWASP as one that may not survive Excel save-and-reopen. save-and-reopen.
* There are alternatives to this (e.g., entering a tab character at the beginning), but this will be more disruptive
**Technical notes**
* <br>
**References**
* https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/21-Testing\_for\_CSV\_Injection
**Credits**
This feature was the result **Out of a security report with help from the following SHA club members. scope**
* [**@QwQP0**](https://github.com/QwQP0) - Finder / Analyst: helped identify and validate <br>
_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the CSV formula injection attack surface.
* [**@dkstjwls06**](https://github.com/dkstjwls06) - Analyst: helped review the impact and reproduction evidence.
* [**@minnnjuuu**](https://github.com/minnnjuuu) - Analyst: helped verify the OpenProject export behavior. changes._
**I want to** be able to restrict the export of CSV with control characters
**so that** users have to think less about security when dealing with these files
**Acceptance criteria**
* Add global settings page "Exports"
* Move work\_packages\_projects\_export\_limit setting into it
* Add new setting "Escape control characters in CSV"
* This setting is on by default
* If enabled, the setting will escape leading `= @ \t \r` characters, and leading `- +` escaped unless this number is deliberately exported as a number/currency (-5.00, -1.234,56 €
* Note: There is no official mitigation for CSV exports, so this setting will modify the export
* The technique we implement is noted by OWASP as one that may not survive Excel save-and-reopen.
* There are alternatives to this (e.g., entering a tab character at the beginning), but this will be more disruptive
* <br>
**References**
* https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/21-Testing\_for\_CSV\_Injection
**Credits**
This feature was the result
* [**@QwQP0**](https://github.com/QwQP0) - Finder / Analyst: helped identify and validate
_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of
* [**@dkstjwls06**](https://github.com/dkstjwls06) - Analyst: helped review the impact and reproduction evidence.
* [**@minnnjuuu**](https://github.com/minnnjuuu) - Analyst: helped verify the OpenProject export behavior.