OWASP describes the CSV Excel Macro Injection (CEMI) vulnerability here: https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
While avoiding CEMI can be done by the caller by modifying the text before encoding, having such protection built into cassava would be very useful, as in many (most?) cases one is not intending to produce macros. Disabling macros for the entire CSV file is easier to make secure.
Perhaps a new field of EncodeOptions
disableMacros :: !Bool
When set, any field starting with =, +, -, or @ would get an additional single quote prefixed to the field. Note that this single quote is applied before the usual quoting, so the text
=MIGHT_BE_A_MACRO("hi there")
becomes
"'=MIGHT_BE_A_MACRO(""hi there"")"
In order to preserve the ability to round-trip data, a similar option could be added to DecodeOptions which would then remove any single quote at the start of a field if followed by those same special chars.
If there is interest in baking this into cassava, I can work on the PR.
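The scheme proposed above (prefix a single quote to any field whose first character is one of = + - @, before normal CSV quoting; strip it again on decode when it precedes one of those characters), written out as an added, runnable example. This is not cassava code and not the proposed patch; it models the hypothetical `disableMacros` encode option and its decode counterpart in Python on top of the standard `csv` module, with constructed sample rows, so the quoting and the round-trip behaviour can be checked. It also shows the one case the proposal's decoder cannot round-trip: a field that legitimately begins with a single quote followed by a trigger character.

```python
"""
Prefix-quoting defence against CSV/Excel macro injection (CEMI).

Added example modelling the encode/decode options proposed in the thread;
it is not part of cassava. Function names are illustrative assumptions.
"""
import csv
import io

# Characters a spreadsheet treats as the start of a formula (the set named
# in the proposal: = + - @).
FORMULA_TRIGGERS = frozenset("=+-@")


def neutralize_field(field: str) -> str:
    """Prefix a single quote so the cell is read as text, not a formula.

    Applied *before* CSV quoting, as the proposal describes, so the quote
    ends up inside any surrounding double quotes."""
    if field and field[0] in FORMULA_TRIGGERS:
        return "'" + field
    return field


def restore_field(field: str) -> str:
    """Inverse of neutralize_field (the proposed DecodeOptions behaviour):
    strip one leading single quote only when a trigger character follows."""
    if len(field) >= 2 and field[0] == "'" and field[1] in FORMULA_TRIGGERS:
        return field[1:]
    return field


def encode_csv(rows, disable_macros: bool = True) -> str:
    """Encode rows as CSV; with disable_macros set, neutralize each field
    before the csv module applies its own (minimal) quoting."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        cells = [str(f) for f in row]
        if disable_macros:
            cells = [neutralize_field(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def decode_csv(text: str, restore: bool = True):
    """Parse CSV; with restore set, undo the single-quote prefix."""
    reader = csv.reader(io.StringIO(text))
    rows = []
    for row in reader:
        rows.append([restore_field(f) if restore else f for f in row])
    return rows


def round_trips(field: str) -> bool:
    """True if encode-then-decode returns the original field unchanged."""
    return decode_csv(encode_csv([[field]]))[0][0] == field


if __name__ == "__main__":
    # Constructed sample rows: one hostile cell, one ordinary row with a
    # negative number (which the scheme also prefixes, a known cost).
    sample = [['=MIGHT_BE_A_MACRO("hi there")'], ["alice", "-5", "@mention"]]
    out = encode_csv(sample)
    print(out)
    print(decode_csv(out))
    print("'=x round-trips:", round_trips("'=x"))
```

Two things worth noticing when running it: a field such as `-5` is also prefixed, so numeric columns become text in the spreadsheet (the trade-off behind the "many (most?) cases" remark above), and a field that already begins with `'=` is not prefixed on encode but does get its quote stripped on decode, so that input cannot round-trip under this scheme.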
We also recently needed this and I think it deserves a new SafeQuoteAll or similar. I'll likely fork this soon to add this change; not sure if there's interest in putting it in Cassava or not.