Authenticated red-team users could craft any user-controlled string field (name, description, commands, prerequisites, execution_result, log_source, logs, soc_comment, incident_number, MITRE technique IDs) starting with =, +, -, @, \t or \r. When the SOC analyst opens the exported CSV in Excel / LibreOffice / Google Sheets — explicitly the consumption flow this sprint optimizes for — the spreadsheet executes the field as a formula on the SOC's machine.

Fix: new helper _csv_safe() prefixes a single apostrophe to any string starting with a formula-trigger character, forcing the spreadsheet to render the cell as text. Applied to every user-controlled field in render_engagement_csv. Numeric and ISO-date fields are not wrapped.

Tests:
- test_render_engagement_csv_escapes_formula_injection_in_name
- test_render_engagement_csv_escapes_formula_injection_in_commands
- test_render_engagement_csv_does_not_alter_safe_strings

Result: 249 → 252 passing (the 1 remaining failure is pre-existing test_index_without_built_frontend_returns_json, unrelated to this fix).

Flagged by security-guidance@claude-code-plugins automated review.
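Added example, not the project's own code: a stand-alone re-implementation of the _csv_safe() behaviour described in the commit message, applied to a constructed engagement row through render_engagement_csv, plus a read-back check that flags any cell a spreadsheet would still treat as a formula. The column names, the sample row and the user-controlled column set are assumptions for this example.

```python
import csv
import io

# Leading characters that Excel / LibreOffice / Google Sheets treat as the
# start of a formula: the set named in the commit message above.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Column names are assumed for this example; id and created_at are generated
# server-side, the other three come from the red-team user.
ENGAGEMENT_FIELDS = ["id", "created_at", "name", "commands", "soc_comment"]
USER_CONTROLLED = {"name", "commands", "soc_comment"}

__all__ = ["FORMULA_TRIGGERS", "ENGAGEMENT_FIELDS", "SAMPLE_ROW", "_csv_safe",
           "render_engagement_csv", "parse_csv", "unescaped_formula_cells"]


def _csv_safe(value):
    """Prefix an apostrophe so the spreadsheet renders the cell as text.

    Only str values starting with a trigger are touched; numbers, ISO dates
    and None pass through unchanged.
    """
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def render_engagement_csv(rows):
    """Write rows as CSV text, escaping only the user-controlled columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ENGAGEMENT_FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: _csv_safe(row[f]) if f in USER_CONTROLLED else row[f]
                         for f in ENGAGEMENT_FIELDS})
    return buf.getvalue()


def parse_csv(csv_text):
    """Read CSV text back into dicts, i.e. what the analyst's tool will see."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def unescaped_formula_cells(csv_text):
    """Regression gate: (row, col) of every cell still starting with a trigger.
    An empty list means the export is safe to open in a spreadsheet."""
    return [(r, c) for r, row in enumerate(csv.reader(io.StringIO(csv_text)))
            for c, cell in enumerate(row) if cell.startswith(FORMULA_TRIGGERS)]


# Constructed sample row; the user-controlled fields hold harmless formulas.
SAMPLE_ROW = {"id": 42, "created_at": "2024-01-01T00:00:00Z",
              "name": "=1+1", "commands": "@SUM(A1:A2)",
              "soc_comment": "-5 findings, see @analyst"}
```

Note that "-" as a trigger means a free-text comment beginning with a negative number or a dash also gets the apostrophe; that is the intended trade-off, since only non-string (numeric, date) columns are exempt.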