diff --git a/Gemfile b/Gemfile
index eeecf40da..ff0d4e53a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -39,6 +39,8 @@ gem 'rack-attack'
 gem 'down', '~> 5.0'
 # authentication type to fetch and send mail over oauth2.0
 gem 'gmail_xoauth'
+# Prevent CSV injection
+gem 'csv-safe'
 ##-- for active storage --##
 gem 'aws-sdk-s3', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index ca78c7340..28889bcf0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -141,6 +141,7 @@ GEM
 crack (0.4.5)
 rexml
 crass (1.0.6)
+ csv-safe (3.1.1)
 cypress-on-rails (1.13.1)
 rack
 database_cleaner (2.0.1)
@@ -752,6 +753,7 @@ DEPENDENCIES
 byebug
 climate_control
 commonmarker
+ csv-safe
 cypress-on-rails (~> 1.13, >= 1.13.1)
 database_cleaner
 ddtrace
diff --git a/app/views/api/v2/accounts/reports/agents.csv.erb b/app/views/api/v2/accounts/reports/agents.csv.erb
index bed88dfd7..99dbacd38 100644
--- a/app/views/api/v2/accounts/reports/agents.csv.erb
+++ b/app/views/api/v2/accounts/reports/agents.csv.erb
@@ -5,8 +5,8 @@
 I18n.t('reports.agent_csv.avg_resolution_time')
 ] %>
-<%= CSV.generate_line headers -%>
+<%= CSVSafe.generate_line headers -%>
 <% @report_data.each do |row| %>
-<%= CSV.generate_line row -%>
+<%= CSVSafe.generate_line row -%>
 <% end %>
-<%= CSV.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
+<%= CSVSafe.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
diff --git a/app/views/api/v2/accounts/reports/inboxes.csv.erb b/app/views/api/v2/accounts/reports/inboxes.csv.erb
index 89b3b1182..e6466cf01 100644
--- a/app/views/api/v2/accounts/reports/inboxes.csv.erb
+++ b/app/views/api/v2/accounts/reports/inboxes.csv.erb
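Review bot: `gem 'csv-safe'` is added without a version constraint, unlike the neighbouring `gem 'down', '~> 5.0'`; the lockfile pins 3.1.1, but an unconstrained `bundle update` can move to a major release whose escaping rules differ and silently change what every report export emits. Prefer `gem 'csv-safe', '~> 3.1'` so the sanitizer's behaviour only changes on a deliberate bump. The one-line comment could also say what the gem does rather than just the threat, e.g. `# Prefix cells that spreadsheets would evaluate as formulas (=, +, -, @ ...) to prevent CSV injection`.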
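Review bot: `CSVSafe.generate_line row` mitigates formula injection by prefixing suspect cells with an apostrophe, which alters the exported value itself rather than only how a spreadsheet renders it; any row value that legitimately begins with `-`, `+`, `=` or `@` (an agent named `-Bob`, or an avg_* value if it can be a negative string) will carry the prefix for every non-spreadsheet consumer of this endpoint. Worth confirming how csv-safe 3.1.1 treats non-String (numeric) fields and which leading characters it escapes before relying on it, since nothing here pins that down. A request spec that creates an agent named `=HYPERLINK("http://x")` and asserts the exported cell starts with `'` would lock the fix in. A comment above the first call, `<%# CSVSafe escapes cells that spreadsheets would run as formulas; agent names are user-supplied %>`, would tell the next reader why plain CSV is not used.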
@@ -6,8 +6,8 @@
 I18n.t('reports.inbox_csv.avg_resolution_time')
 ] %>
-<%= CSV.generate_line headers -%>
+<%= CSVSafe.generate_line headers -%>
 <% @report_data.each do |row| %>
-<%= CSV.generate_line row -%>
+<%= CSVSafe.generate_line row -%>
 <% end %>
-<%= CSV.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
+<%= CSVSafe.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
diff --git a/app/views/api/v2/accounts/reports/labels.csv.erb b/app/views/api/v2/accounts/reports/labels.csv.erb
index 9fd0a9cc5..5da742790 100644
--- a/app/views/api/v2/accounts/reports/labels.csv.erb
+++ b/app/views/api/v2/accounts/reports/labels.csv.erb
@@ -5,8 +5,8 @@
 I18n.t('reports.label_csv.avg_resolution_time')
 ] %>
-<%= CSV.generate_line headers -%>
+<%= CSVSafe.generate_line headers -%>
 <% @report_data.each do |row| %>
-<%= CSV.generate_line row -%>
+<%= CSVSafe.generate_line row -%>
 <% end %>
-<%= CSV.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
+<%= CSVSafe.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
diff --git a/app/views/api/v2/accounts/reports/teams.csv.erb b/app/views/api/v2/accounts/reports/teams.csv.erb
index e50e195bd..d9ae31dfa 100644
--- a/app/views/api/v2/accounts/reports/teams.csv.erb
+++ b/app/views/api/v2/accounts/reports/teams.csv.erb
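Review bot: The rewritten footer line still feeds `params[:since]` and `params[:until]` straight into `Date.strptime(..., '%s')` inside the view; a missing or non-numeric value raises `TypeError`/`ArgumentError` from the template, which surfaces as a 500 instead of a 4xx. Unless the controller already validates both parameters (not visible in this diff), parse them there and pass dates into the template, e.g. `<%= CSVSafe.generate_line [I18n.t('reports.period', since: @since, until: @until)] %>`. The switch to CSVSafe also covers this footer, which is fine, but its content is a translation plus dates and is not the user-controlled part; the inbox names in `row` are.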
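Review bot: The same header/rows/period block is now hand-edited in four templates, so the next report export only stays safe if its author remembers `CSVSafe` instead of `CSV`; extracting the three `generate_line` calls into one shared partial, or a helper such as `safe_csv_line(row)` that is the only CSV writer in the views, would make the sanitizer the single code path rather than a convention. Label titles are user-supplied text, so this template is a real injection vector and deserves a line saying so, e.g. `<%# labels are user-supplied: escape so spreadsheets do not evaluate them as formulas %>`. The `-%>` trim on the row lines versus `%>` on the period line is pre-existing but could be made consistent while these lines are being touched.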
@@ -5,8 +5,8 @@
 I18n.t('reports.team_csv.avg_resolution_time')
 ] %>
-<%= CSV.generate_line headers -%>
+<%= CSVSafe.generate_line headers -%>
 <% @report_data.each do |row| %>
-<%= CSV.generate_line row -%>
+<%= CSVSafe.generate_line row -%>
 <% end %>
-<%= CSV.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
+<%= CSVSafe.generate_line [I18n.t('reports.period', since: Date.strptime(params[:since], '%s'), until: Date.strptime(params[:until], '%s'))] %>
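Review bot: Nothing in the change tests the escaping, and with four templates switched by hand a regression is one copy-paste away; a request spec per reports endpoint that creates a team whose name starts with `=`, `+`, `-` and `@` and asserts each exported cell is prefixed would make a later revert to `CSV.generate_line` fail CI. The protection here is client-side hardening for spreadsheet users, so it is worth stating that in a comment rather than leaving `CSVSafe` unexplained, e.g. `<%# team names are user input; CSVSafe prefixes formula-looking cells so Excel/Sheets do not execute them %>`. Also confirm whether other CSV exports in the app (outside this diff) still use plain `CSV`, since the Gemfile comment implies the gem is meant to cover CSV injection generally.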