SORMAS-Foundation#2990 Add custom CSVWriter implementation to sanitize formula pattern (SORMAS-Foundation#3299)

* SORMAS-Foundation#2990 Add custom CSVWriter implementation to sanitize formula pattern

* SORMAS-Foundation#2990 Highlighting code changes from original version

Author: vidi42

sormas-api/src/main/java/de/symeda/sormas/api/utils/CSVUtils.java

@@ -17,8 +17,10 @@
  *******************************************************************************/
 package de.symeda.sormas.api.utils;
 
+import java.io.IOException;
 import java.io.Reader;
 import java.io.Writer;
+import java.util.regex.Pattern;
 
 import com.opencsv.CSVParserBuilder;
 import com.opencsv.CSVReader;
@@ -44,7 +46,71 @@ public static CSVReader createCSVReader(Reader reader, char separator, LineValid
 	}
 
 	public static CSVWriter createCSVWriter(Writer writer, char separator) {
-		return new CSVWriter(writer, separator, CSVWriter.DEFAULT_QUOTE_CHARACTER, CSVWriter.DEFAULT_ESCAPE_CHARACTER, CSVWriter.DEFAULT_LINE_END);
+		return new SafeCSVWriter(writer, separator, CSVWriter.DEFAULT_QUOTE_CHARACTER, CSVWriter.DEFAULT_ESCAPE_CHARACTER, CSVWriter.DEFAULT_LINE_END);
 	}
 
+	/**
+	 * Extension of the {@link CSVWriter} which sanitizes each element of the CSV to prevent CSV Injection.
+	 * Implementation based on version 5.3 of opencsv.
+	 * 
+	 * @see <a href="https://owasp.org/www-community/attacks/CSV_Injection">CSV Injection</a>
+	 */
+	public static class SafeCSVWriter extends CSVWriter {
+
+		private static final String FORMULA_PREFIX = "'";
+
+		private final Pattern formulaPattern = Pattern.compile("(?s)^[+=@-].*", Pattern.MULTILINE);
+
+		public SafeCSVWriter(Writer writer, char separator, char quotechar, char escapechar, String lineEnd) {
+			super(writer, separator, quotechar, escapechar, lineEnd);
+		}
+
+		@Override
+		public void writeNext(String[] nextLine, boolean applyQuotesToAll, Appendable appendable) throws IOException {
+			if (nextLine == null) {
+				return;
+			}
+
+			for (int i = 0; i < nextLine.length; i++) {
+
+				if (i != 0) {
+					appendable.append(separator);
+				}
+
+				String nextElement = nextLine[i];
+
+				if (nextElement == null) {
+					continue;
+				}
+
+				Boolean stringContainsSpecialCharacters = stringContainsSpecialCharacters(nextElement);
+
+				appendQuoteCharacterIfNeeded(applyQuotesToAll, appendable, stringContainsSpecialCharacters);
+
+				// begin code change from parent code
+				if(formulaPattern.matcher(nextElement).matches()) {
+					appendable.append(FORMULA_PREFIX);
+				}
+				// end
+
+				if (stringContainsSpecialCharacters) {
+					processLine(nextElement, appendable);
+				} else {
+					appendable.append(nextElement);
+				}
+
+				appendQuoteCharacterIfNeeded(applyQuotesToAll, appendable, stringContainsSpecialCharacters);
+			}
+
+			appendable.append(lineEnd);
+			writer.write(appendable.toString());
+		}
+
+		// Copied from the parent class since it's access modifier was private
+		private void appendQuoteCharacterIfNeeded(boolean applyQuotesToAll, Appendable appendable, Boolean stringContainsSpecialCharacters) throws IOException {
+			if ((applyQuotesToAll || stringContainsSpecialCharacters) && quotechar != NO_QUOTE_CHARACTER) {
+				appendable.append(quotechar);
+			}
+		}
+	}
 }

sormas-api/src/test/java/de/symeda/sormas/api/utils/CSVUtilsTest.java

@@ -0,0 +1,87 @@
+/*
+ * SORMAS® - Surveillance Outbreak Response Management & Analysis System
+ * Copyright © 2016-2020 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package de.symeda.sormas.api.utils;
+
+import com.opencsv.CSVWriter;
+import org.junit.Test;
+
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.io.StringWriter;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author Alex Vidrean
+ * @since 26-Oct-20
+ */
+public class CSVUtilsTest {
+
+	@Test
+	public void testCSVFormulaInjectionPreventionSingleLine() throws IOException {
+
+		String[] line = new String[] {
+			"text",
+			"=today()",
+			"=1+1",
+			"+2-1",
+			"-1-1",
+			"@sum(1+9)" };
+
+		StringWriter sw = new StringWriter();
+		BufferedWriter bw = new BufferedWriter(sw);
+
+		CSVWriter csvWriter = CSVUtils.createCSVWriter(bw, ',');
+		csvWriter.writeNext(line);
+		csvWriter.flush();
+
+		String string = sw.toString();
+		String expectedString = "\"text\",\"'=today()\",\"'=1+1\",\"'+2-1\",\"'-1-1\",\"'@sum(1+9)\"" + CSVWriter.DEFAULT_LINE_END;
+
+		assertEquals(expectedString, string);
+
+	}
+
+	@Test
+	public void testCSVFormulaInjectionMultipleLines() throws IOException {
+
+		String[] firstLine = new String[] {
+			"1+2",
+			"now=today",
+			"to-from",
+			"[email protected]" };
+		String[] secondLine = new String[] {
+			"=DATE(1,1,1)",
+			"@VALUE(\"2\")",
+			"+CONCAT(\"test\",\n\"test2\")",
+			"-5*5" };
+
+		StringWriter sw = new StringWriter();
+		BufferedWriter bw = new BufferedWriter(sw);
+
+		CSVWriter csvWriter = CSVUtils.createCSVWriter(bw, ',');
+		csvWriter.writeNext(firstLine);
+		csvWriter.writeNext(secondLine);
+		csvWriter.flush();
+
+		String string = sw.toString();
+		String expectedString = "\"1+2\",\"now=today\",\"to-from\",\"[email protected]\"" + CSVWriter.DEFAULT_LINE_END
+			+ "\"'=DATE(1,1,1)\",\"'@VALUE(\"\"2\"\")\",\"'+CONCAT(\"\"test\"\",\n\"\"test2\"\")\",\"'-5*5\"" + CSVWriter.DEFAULT_LINE_END;
+
+		assertEquals(expectedString, string);
+	}
+
+}

sormas-base/pom.xml

@@ -387,7 +387,7 @@
 			<dependency>
 				<groupId>com.opencsv</groupId>
 				<artifactId>opencsv</artifactId>
-				<version>5.2</version>
+				<version>5.3</version>
 			</dependency>
 
 			<dependency>