mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-13 21:35:19 +02:00
Prevent formula injection in spreadsheet exports
Answer/candidate text starting with =, +, -, or @ was written to XLSX exports as a live formula rather than plain text. Since seasons can have multiple owners, a co-owner could plant a formula that runs (and can exfiltrate data) when another owner opens the export in Excel.
This commit is contained in:
@@ -0,0 +1,31 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Tvdt\Helpers;
|
||||
|
||||
use PhpOffice\PhpSpreadsheet\Cell\Cell;
|
||||
use PhpOffice\PhpSpreadsheet\Cell\DefaultValueBinder;
|
||||
|
||||
/**
|
||||
* Stores any string that would otherwise be auto-detected as a spreadsheet formula (or that
|
||||
* spreadsheet software re-interprets as one on open/paste) as plain text instead, to prevent
|
||||
* formula injection via user-controlled export data (e.g. a candidate or answer named
|
||||
* `=WEBSERVICE(...)`).
|
||||
*/
|
||||
final class FormulaInjectionSafeValueBinder extends DefaultValueBinder
|
||||
{
|
||||
private const string DANGEROUS_PREFIXES = "=+-@\t\r";
|
||||
|
||||
#[\Override]
|
||||
public function bindValue(Cell $cell, mixed $value): bool
|
||||
{
|
||||
if (\is_string($value) && '' !== $value && str_contains(self::DANGEROUS_PREFIXES, $value[0])) {
|
||||
$cell->setValueExplicit($value);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
return parent::bindValue($cell, $value);
|
||||
}
|
||||
}
|
||||
@@ -5,6 +5,7 @@ declare(strict_types=1);
|
||||
namespace Tvdt\Service;
|
||||
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use PhpOffice\PhpSpreadsheet\Cell\Cell;
|
||||
use PhpOffice\PhpSpreadsheet\Cell\Coordinate;
|
||||
use PhpOffice\PhpSpreadsheet\Spreadsheet;
|
||||
use PhpOffice\PhpSpreadsheet\Worksheet\Worksheet;
|
||||
@@ -19,6 +20,7 @@ use Tvdt\Entity\Quiz;
|
||||
use Tvdt\Entity\Season;
|
||||
use Tvdt\Entity\User;
|
||||
use Tvdt\Helpers\FilenameSanitizer;
|
||||
use Tvdt\Helpers\FormulaInjectionSafeValueBinder;
|
||||
use Tvdt\Repository\QuizRepository;
|
||||
|
||||
use function Safe\tempnam;
|
||||
@@ -31,7 +33,9 @@ class DataExportService
|
||||
private readonly EntityManagerInterface $entityManager,
|
||||
private readonly QuizSpreadsheetService $quizSpreadsheetService,
|
||||
private readonly QuizRepository $quizRepository,
|
||||
) {}
|
||||
) {
|
||||
Cell::setValueBinder(new FormulaInjectionSafeValueBinder());
|
||||
}
|
||||
|
||||
/** @throws FilesystemException @return string path to a temp zip file; caller is responsible for removing it */
|
||||
public function exportForUser(User $user): string
|
||||
|
||||
@@ -4,6 +4,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace Tvdt\Service;
|
||||
|
||||
use PhpOffice\PhpSpreadsheet\Cell\Cell;
|
||||
use PhpOffice\PhpSpreadsheet\Cell\Coordinate;
|
||||
use PhpOffice\PhpSpreadsheet\Reader;
|
||||
use PhpOffice\PhpSpreadsheet\Spreadsheet;
|
||||
@@ -14,9 +15,15 @@ use Tvdt\Entity\Answer;
|
||||
use Tvdt\Entity\Question;
|
||||
use Tvdt\Entity\Quiz;
|
||||
use Tvdt\Exception\SpreadsheetDataException;
|
||||
use Tvdt\Helpers\FormulaInjectionSafeValueBinder;
|
||||
|
||||
class QuizSpreadsheetService
|
||||
{
|
||||
public function __construct()
|
||||
{
|
||||
Cell::setValueBinder(new FormulaInjectionSafeValueBinder());
|
||||
}
|
||||
|
||||
public function generateTemplate(bool $fillExample = true): \Closure
|
||||
{
|
||||
$quiz = new Quiz();
|
||||
|
||||
Reference in New Issue
Block a user