Prevent CSV Injection

[johnnyoshika]

Background Information

• Fixes issue(s): Prevent CSV Injection #209
• Proposed release version: 3.15.0

I have...

• added at least one test to verify the failure condition is fixed.
• verified the tests are passing.

Changes

Adds preventCsvInjection option to json2csv() that left trims the following characters to prevent CSV injection:

• Equals (=)
• Plus (+)
• Minus (-)
• At (@)
• Tab (0x09)
• Carriage return (0x0D)

CSV Injection remediation technique: https://owasp.org/www-community/attacks/CSV_Injection

[johnnyoshika]

Looks like the build failed due to indentation problems. Will fix.

[coveralls]

Coverage decreased (-0.2%) to 98.039% when pulling 91ef353 on examind-ai:csv-injection into b7615ce on mrodrig:stable.

[coveralls]

Coverage decreased (-0.2%) to 98.039% when pulling 616cc87 on examind-ai:csv-injection into b7615ce on mrodrig:stable.

[mrodrig]

Thanks for reporting this and for the pull request @johnnyoshika! This looks great and is an excellent option to have. Given that this provides important security protections, I think this would be a good option to have enabled by default in a future major release (eg. 4.0.0). I'll get this merged in and released out to NPM along with the latest npm audit fixes.

Thanks again!

[johnnyoshika]

@mrodrig Thank you for this great library and thank you for the merge. I would caution against enabling preventCsvInjection by default, as it changes the content of the CSV and could be an unexpected behavior of this library. I was hoping there would be a way to prevent CSV injection without impacting the content, but sadly there doesn't seem to be a way. Because of that, I think preventCsvInjection should be opt-in, but you would be the best judge of that.