[codex] Neutralize CSV formula injection #227

Open

pq198363-ops wants to merge 1 commit into Agentpay-Org:main from pq198363-ops:bounty-52-csv-formula-injection

Conversation

@pq198363-ops

Closes #52

Summary

  • Added escapeCsvField to neutralize spreadsheet formula prefixes in dynamic CSV fields.
  • CSV agent and serviceId values that start with =, +, -, @, tab, or carriage return now get a leading apostrophe before CSV quoting.
  • Preserved the existing quote/comma/newline escaping behavior and left JSON exports unchanged.
  • Added focused regression tests and a short security note for CSV export behavior.

Validation

RED evidence:

  • npm run build initially failed because src/csv-injection.test.ts imported missing escapeCsvField.

GREEN evidence:

  • npm run build
  • $env:NODE_ENV='test'; node --test dist/csv-injection.test.js
  • npx prettier --check README.md docs/security.md src/routes/usage.ts src/csv-injection.test.ts
  • npm run lint
  • git diff --check
  • Cleaned dist/, then ran npm run build
  • Windows test command: $env:NODE_ENV='test'; node --test dist/*.test.js dist/**/*.test.js

Result: full clean test run passed, 91 tests across 11 suites.

Notes

This only changes the CSV export path. GET /api/v1/usage/export.json still returns the original raw values because JSON consumers do not interpret those strings as spreadsheet formulas.

Development

Successfully merging this pull request may close these issues: Prevent CSV formula injection in the usage export