Description
I see that you have a view called download_orders for the donor_dashboard app, which downloads the orders of an organization into a CSV. The entries that get populated in this CSV are not properly sanitized. I can craft a malicious food item like =DDE(\"cmd\";\"calc\";\"\"), which is interpreted by CSV readers (like MS Excel) to run arbitrary commands.
Steps to Reproduce
Go to the Organizations tab, aka your "donor dashboard". Add a donation for an item like this: =DDE(\"cmd\";\"calc\";\"\"), which is an Excel formula that can run arbitrary commands on its host machine. Reserve this item so that it shows up on the organization's "Orders" tab. Download orders for this organization using the download_orders view. Open the CSV that's downloaded (for 100% of Windows users, that would be Excel).
Expected Behavior
Your inputs must be sanitized before you export them to CSV. Maybe something like:
def sanitize_csv_value(value):
    """Return a cell value that a spreadsheet will not evaluate as a formula."""
    if value is None:
        return ""
    # Convert to string
    value = str(value)
    # List of potentially dangerous prefixes (a leading one makes Excel treat the cell as a formula)
    dangerous_prefixes = ['=', '+', '-', '@', '\t', '\n']
    # If value starts with any dangerous prefix, prepend a single quote so it is read as literal text
    if any(value.startswith(prefix) for prefix in dangerous_prefixes):
        value = f"'{value}"
    return value
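As an added illustration (not code from this report or from the project), here is that guard wrapped into a small export helper and run over constructed order rows; it goes one step beyond the snippet above by passing numeric cells through untouched, so a negative quantity stays a number instead of becoming apostrophe-prefixed text. The names export_orders_csv, SAMPLE_HEADER and SAMPLE_ROWS are assumptions made for the example.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r", "\n")


def sanitize_csv_value(value):
    """Neutralise one cell before it is written to a CSV export.

    Numbers (int/float, but not bool) are returned as-is: an amount such as -3
    is data, not a formula. That numeric pass-through is an assumption added
    in this example; the report's snippet stringifies everything.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        # A leading apostrophe tells the spreadsheet "this cell is literal text".
        # Quoting the field alone is not enough: Excel still evaluates "=..." inside quotes.
        return "'" + text
    return text


def export_orders_csv(header, rows):
    """Render header + rows to CSV text with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_csv_value(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data modelled on the report: a benign item, the injected
# item name from the report, and an adjustment row with a negative quantity.
SAMPLE_HEADER = ["item", "quantity", "donor"]
SAMPLE_ROWS = [
    ["Apples", 12, "Example Donor"],
    ['=DDE("cmd";"calc";"")', 1, "Second Donor"],
    ["Adjustment", -3, None],
]

if __name__ == "__main__":
    print(export_orders_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```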
Screenshots or Code Snippets (required)
Additional Context (optional)
There wasn't any info in your testing doc about this functionality, so I decided to report this.