Apply field Validation on Subject & Description fields
I have a requirement to apply field Validation on the Subject & Description fields. those filed are default fields and not custom filed. Please, someone, help to fulfill this requirement. Thanks in advance.
RE: Apply field Validation on Subject & Description fields -Block CSV Injection - Added by Amirthalingam N 2 months ago
I got solution for this issue.
When a spreadsheet program such as Excel or LibreOffice Calc is used to open a CSV/XLS/XLSX, any cells starting with =, +, -, @ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for multiple attacks: Executing client-side system commands Exploiting known vulnerabilities in spreadsheets software Exfiltrating the contents of the spreadsheet to an external source
It was observed that an user can add subject and description of an issue that can contain malicious spreadsheet formulas, those formulas will be executed through the client-side which exports the objects through a CSV file and XSLX
1. Add a issue with the subject name:
3. Export the CSV file
4. Open the CSV locally, you will see a cell with the following payload:
“Click here”, and if clicked, you will be redirected to
to <sample site>
The best way to mitigate against this type of issue is to make sure all user inputs are filtered so only expected characters are allowed. To mitigate against CSV injections, a default-deny regular expression or “whitelist” regular
Code Changes for field validation: ==================================
Fine Name:= \models\issue.rb
line no: 68
You can edit regular expressions as per your requirements
#added for subject and ddescription validation to avoid CSV injection
validates_format_of :subject, with: /\A[a-zA-Z0-9\s_.-]+\Z/, :message => "not valid. special characters are not allowed"
validates_format_of :description, with: /\A[a-zA-Z0-9\s_.-;:,]+\Z/, :message => "not valid. Some special characters are not allowed"