Validate CSV Separator by momo3404 · Pull Request #3569 · DMPRoadmap/roadmap
Merged
aaronskiba merged 2 commits into next-release/v5.0.2 from
Oct 6, 2025
Conversation
momo3404 (Collaborator) commented Oct 6, 2025
Fixes CSV separators not being validated.
Changes proposed in this PR:
- Refactor the `sep_param` method in `usage_controller` to validate that the provided CSV field separator is a safe, predefined character.
- This mitigates a CSV injection vulnerability where a crafted request such as
  /usage_yearly_users?sep=%2c%3dcmd|' /C+powershell'!A0++pbiqh
  could embed a malicious formula into the downloaded CSV. When opened in spreadsheet software (like Excel), it could trigger command execution under certain conditions.
momo3404 added 2 commits October 6, 2025 12:05
aaronskiba approved these changes Oct 6, 2025
aaronskiba deleted the momo/add-csv-separator branch
aaronskiba mentioned this pull request
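An allowlist check of the kind this pull request describes, shown beside the unvalidated form, as an added example that is not the project's code. `ALLOWED_SEPARATORS`, the helper names and the sample rows are assumptions; the query string is the one quoted in the description.

```ruby
require 'csv'
require 'uri'

# Hypothetical allowlist; the PR text only says "safe, predefined character".
ALLOWED_SEPARATORS = [',', '|', '#'].freeze
DEFAULT_SEPARATOR = ','

# Return the separator only if it is exactly one allowlisted string.
# nil, arrays (sep[]=x) and multi-character values fall back to the default.
def safe_separator(raw)
  ALLOWED_SEPARATORS.include?(raw) ? raw : DEFAULT_SEPARATOR
end

# Decode the "sep" value from a raw query string, as a web framework would.
def sep_from_query(query)
  URI.decode_www_form(query).to_h['sep']
end

# Unvalidated form, kept only to show the defect: col_sep is written verbatim
# between every pair of fields, so request-supplied text lands in the file.
def csv_unvalidated(rows, raw_sep)
  CSV.generate(col_sep: raw_sep) { |csv| rows.each { |row| csv << row } }
end

# Hardened form: the separator goes through the allowlist first.
def csv_validated(rows, raw_sep)
  CSV.generate(col_sep: safe_separator(raw_sep)) { |csv| rows.each { |row| csv << row } }
end

# Constructed sample rows; the query string is the one quoted in the PR description.
ROWS = [%w[Month Users], %w[2025-09 42]].freeze
CRAFTED_QUERY = "sep=%2c%3dcmd|' /C+powershell'!A0++pbiqh"

if __FILE__ == $PROGRAM_NAME
  crafted = sep_from_query(CRAFTED_QUERY)
  puts csv_unvalidated(ROWS, crafted) # separator text appears between fields
  puts csv_validated(ROWS, crafted)   # falls back to the default separator
  puts csv_validated(ROWS, '|')       # allowlisted value is honoured
end
```

Comparing against a fixed list, rather than filtering characters out of the input, also rejects non-string parameter shapes such as `sep[]=|`.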