mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2026-07-15 22:01:45 +00:00
Prevent formula injection into XLSX export
This commit is contained in:
parent
f53f77f6dc
commit
5110915de2
2 changed files with 29 additions and 2 deletions
|
|
@ -101,6 +101,28 @@ final class EntityExporterTest extends WebTestCase
|
|||
unlink($tempFile);
|
||||
}
|
||||
|
||||
public function testExportExcelFormulaInjectionPrevention(): void
|
||||
{
|
||||
// Values starting with formula characters must be stored as plain strings, not evaluated formulas
|
||||
$entity = (new Category())->setName('=1+1')->setComment('@SUM(A1)');
|
||||
|
||||
$xlsxData = $this->service->exportEntities([$entity], ['format' => 'xlsx', 'level' => 'simple']);
|
||||
$this->assertNotEmpty($xlsxData);
|
||||
|
||||
$tempFile = tempnam(sys_get_temp_dir(), 'test_formula') . '.xlsx';
|
||||
file_put_contents($tempFile, $xlsxData);
|
||||
|
||||
$spreadsheet = IOFactory::load($tempFile);
|
||||
$worksheet = $spreadsheet->getActiveSheet();
|
||||
|
||||
// The formula-prefixed name must be stored as a plain string, not a formula
|
||||
$cell = $worksheet->getCell('A2');
|
||||
$this->assertSame(\PhpOffice\PhpSpreadsheet\Cell\DataType::TYPE_STRING, $cell->getDataType());
|
||||
$this->assertSame('=1+1', $cell->getValue());
|
||||
|
||||
unlink($tempFile);
|
||||
}
|
||||
|
||||
public function testExportExcelFromRequest(): void
|
||||
{
|
||||
$entities = $this->getEntities();
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue