railsadminteam / rails_admin

RailsAdmin is a Rails engine that provides an easy-to-use interface for managing your data
MIT License
7.89k stars, 2.25k forks

Eliminate risk of CSV Injection by sanitizing output CSV on 'Export' #3650

Open xhocquet opened 1 year ago

xhocquet commented 1 year ago

Is your feature request related to a problem? Please describe.

Rails admin can allow CSV Injection (https://owasp.org/www-community/attacks/CSV_Injection) by putting malicious commands from inputs or data models in the Rails application into a CSV file. The end result is that a malicious and savvy user could exploit an admin user's downloaded CSV to trigger commands on the admin user's machine. Lots of potential for damage there!

One example that can be tried (this will open a calculator on a Windows machine):

=cmd|'/C calc.exe'!Z0

Describe proposed solution(s)

In our application, we implemented csv-safe which has some simple sanitization rules. The same code could be added to rails_admin CSV generation to resolve this issue.

Additional context

N/A
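For readers who want to see what the proposed sanitization step looks like in practice, here is an added example of a formula-neutralising CSV writer. It is not csv-safe's code and not part of rails_admin; the function names and the trigger-character list are this example's own, and it applies the apostrophe-prefix mitigation recommended in the OWASP article linked above.

```ruby
require "csv"

# Leading characters that make spreadsheet applications evaluate a cell as a
# formula. Tab and carriage return are included because some clients strip
# leading whitespace before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Neutralise one cell: a leading apostrophe forces the spreadsheet to treat the
# value as literal text. Only strings are touched; numbers and dates pass
# through unchanged. The check is made on the left-stripped value so that
# " =1+1" is caught as well.
# Trade-off: legitimate strings such as "+44 20..." or "-5" are also prefixed,
# which is the price of a simple, data-agnostic rule.
def sanitize_csv_cell(value)
  return value unless value.is_a?(String)
  return value if value.empty?
  return "'#{value}" if FORMULA_TRIGGERS.include?(value.lstrip[0])

  value
end

# Build a CSV document from a header and rows, sanitising every cell.
# Ruby's CSV library quotes any field containing the separator, a double quote
# or a newline on its own, so sanitised values stay valid CSV.
def safe_csv(header, rows)
  CSV.generate do |csv|
    csv << header.map { |h| sanitize_csv_cell(h) }
    rows.each { |row| csv << row.map { |cell| sanitize_csv_cell(cell) } }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: the payload from this issue next to benign cells.
  puts safe_csv(%w[id name note], [[1, "alice", "=cmd|'/C calc.exe'!Z0"], [2, "bob", "hello"]])
end
```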