CSV Formula Injection?

Robert Nicholson

May 20, 2020, 5:27:19 PM
to jackson-user
Are there any CsvGenerator.Feature's that successfully prevent CSV Formula injection with Jackson?

So far I've noticed that using CsvGenerator.Feature.ALWAYS_QUOTE_STRINGS doesn't prevent this.

Tatu Saloranta

May 21, 2020, 1:44:06 AM
to jackson-user
Can you elaborate a bit more on what you mean by CSV formula injection here?
(link to an article or blog post would be fine)

-+ Tatu +-


Robert Nicholson

May 21, 2020, 8:49:41 AM
to jackson-user

Tatu Saloranta

May 21, 2020, 12:31:05 PM
to jackson-user
Worth requesting a feature for I think -- there is one for general String modification hook:

https://github.com/FasterXML/jackson-core/issues/355

but that is for reader side. In this case it would need to be pre-serialization hook for all String values. And probably would make sense to start with CSV. Challenge whether it's for one format or all is that of defining API, I think, since this should probably be per-call functionality (to be able to specify handler for each call separately -- although maybe general handler, or factory thereof, could work). Most per-format and per-call configurability is currently in form of on/off features, however, so alternative could just be one more feature either in CsvGenerator.Feature, or within CsvSchema. And... since there isn't really a safe way to escape such characters, there may also be question of exactly what to replace them with (if anything).

So. Someone needs to suggest specific addition(s). I assume other CSV libraries have some support for handling this?

-+ Tatu +-

On Thu, May 21, 2020 at 5:49 AM Robert Nicholson
<robert.n...@gmail.com> wrote:
>
> https://groups.google.com/forum/m/#!topic/jackson-user/LE62ANfOGWw
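
A pre-serialization hook for all String values, as discussed in this thread, can be approximated with a custom String serializer registered on the CsvMapper. This is an added example, not code from the thread or from Jackson itself; `FormulaGuardSerializer`, the set of trigger characters and the single-quote prefix are assumptions of the example.

```java
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;
import com.fasterxml.jackson.dataformat.csv.CsvMapper;
import com.fasterxml.jackson.dataformat.csv.CsvSchema;
import java.io.IOException;

public class CsvFormulaGuardDemo {

    // Hypothetical serializer: rewrites formula-like strings before they reach the CSV generator.
    static class FormulaGuardSerializer extends StdSerializer<String> {
        FormulaGuardSerializer() { super(String.class); }

        // Assumption: a spreadsheet may evaluate a cell that starts with one of these characters.
        static boolean looksLikeFormula(String s) {
            return !s.isEmpty() && "=+-@\t\r".indexOf(s.charAt(0)) >= 0;
        }

        // Assumption: a leading single quote makes the spreadsheet treat the cell as text.
        static String neutralize(String s) {
            return looksLikeFormula(s) ? "'" + s : s;
        }

        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider provider)
                throws IOException {
            gen.writeString(neutralize(value)); // quoting and escaping stay with CsvGenerator
        }
    }

    @JsonPropertyOrder({"name", "comment"})
    public static class Row {
        public String name;
        public String comment;
        Row(String name, String comment) { this.name = name; this.comment = comment; }
    }

    public static void main(String[] args) throws IOException {
        CsvMapper mapper = new CsvMapper();
        // The module's serializer takes precedence over the default String serializer.
        mapper.registerModule(new SimpleModule().addSerializer(String.class, new FormulaGuardSerializer()));
        CsvSchema schema = mapper.schemaFor(Row.class).withHeader();

        // Constructed sample rows: one plain value, one formula-like value, one legitimate leading minus.
        Row[] rows = { new Row("alice", "plain text"), new Row("bob", "=1+1"), new Row("carol", "-5 (negative)") };
        System.out.print(mapper.writer(schema).writeValueAsString(rows));
    }
}
```

The prefix changes the stored value, and a legitimate value such as `-5 (negative)` is rewritten as well, which is the trade-off raised above about what to replace such characters with.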