security: fix CSV formula injection, CSS injection in report export engine

Copilot · hotlong · Copilot · commit 9ca5da4f2fdb · 2026-02-09T15:47:35.000Z
- Add sanitizeCSVValue() to prevent formula injection in CSV/Excel exports
- Add validatePageSize/validateOrientation to prevent CSS injection in HTML/PDF
- Whitelist-based validation for CSS values

Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/packages/plugin-report/src/ReportExportEngine.ts b/packages/plugin-report/src/ReportExportEngine.ts
@@ -20,7 +20,8 @@ export function exportAsCSV(report: ReportSchema, data: any[], config?: ReportEx
   const fields = report.fields || [];
   const headers = fields.map(f => f.label || f.name);
   const rows = data.map(row => fields.map(f => {
-    const val = row[f.name];
+    let val = row[f.name];
+    val = sanitizeCSVValue(val);
     // Escape CSV values
     if (typeof val === 'string' && (val.includes(',') || val.includes('"') || val.includes('\n'))) {
       return `"${val.replace(/"/g, '""')}"`;
@@ -55,15 +56,16 @@ export function exportAsJSON(report: ReportSchema, data: any[], config?: ReportE
  */
 export function exportAsHTML(report: ReportSchema, data: any[], config?: ReportExportConfig): void {
   const fields = report.fields || [];
-  const orientation = config?.orientation || 'portrait';
+  const orientation = validateOrientation(config?.orientation);
+  const pageSize = validatePageSize(config?.pageSize);
   
   const html = `<!DOCTYPE html>
 <html>
 <head>
 <meta charset="utf-8">
 <title>${escapeHTML(report.title || 'Report')}</title>
 <style>
-  @page { size: ${config?.pageSize || 'A4'} ${orientation}; margin: 20mm; }
+  @page { size: ${pageSize} ${orientation}; margin: 20mm; }
   body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; color: #333; }
   h1 { font-size: 24px; margin-bottom: 8px; }
   .description { color: #666; margin-bottom: 24px; }
@@ -93,7 +95,8 @@ ${report.description ? `<p class="description">${escapeHTML(report.description)}
  */
 export function exportAsPDF(report: ReportSchema, data: any[], config?: ReportExportConfig): void {
   const fields = report.fields || [];
-  const orientation = config?.orientation || 'portrait';
+  const orientation = validateOrientation(config?.orientation);
+  const pageSize = validatePageSize(config?.pageSize);
   
   const printWindow = window.open('', '_blank');
   if (!printWindow) {
@@ -113,7 +116,7 @@ export function exportAsPDF(report: ReportSchema, data: any[], config?: ReportEx
 <meta charset="utf-8">
 <title>${escapeHTML(report.title || 'Report')}</title>
 <style>
-  @page { size: ${config?.pageSize || 'A4'} ${orientation}; margin: 20mm; }
+  @page { size: ${pageSize} ${orientation}; margin: 20mm; }
   @media print { .no-print { display: none; } }
   body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; color: #333; }
   h1 { font-size: 24px; margin-bottom: 8px; }
@@ -149,7 +152,8 @@ export function exportAsExcel(report: ReportSchema, data: any[], config?: Report
   const fields = report.fields || [];
   const headers = fields.map(f => f.label || f.name);
   const rows = data.map(row => fields.map(f => {
-    const val = row[f.name];
+    let val = row[f.name];
+    val = sanitizeCSVValue(val);
     if (typeof val === 'string' && (val.includes(',') || val.includes('"') || val.includes('\n') || val.includes('\t'))) {
       return `"${val.replace(/"/g, '""')}"`;
     }
@@ -207,6 +211,35 @@ function escapeHTML(str: string): string {
     .replace(/'/g, '&#039;');
 }
 
+/**
+ * Sanitize CSV/Excel cell values to prevent formula injection.
+ * Prefixes values starting with formula characters (=, +, -, @, |) with a tab.
+ */
+function sanitizeCSVValue(val: any): any {
+  if (typeof val === 'string' && val.length > 0) {
+    const firstChar = val.charAt(0);
+    if (firstChar === '=' || firstChar === '+' || firstChar === '-' || firstChar === '@' || firstChar === '|') {
+      return `\t${val}`;
+    }
+  }
+  return val;
+}
+
+/**
+ * Validate page size against allowed values
+ */
+function validatePageSize(pageSize: string | undefined): string {
+  const allowed = ['A4', 'A3', 'Letter', 'Legal'];
+  return allowed.includes(pageSize || '') ? pageSize! : 'A4';
+}
+
+/**
+ * Validate orientation against allowed values
+ */
+function validateOrientation(orientation: string | undefined): string {
+  return orientation === 'landscape' ? 'landscape' : 'portrait';
+}
+
 /**
  * Helper to trigger file download
  */
