[BUG] CSV export is vulnerable to formula injection (CSV/Excel injection) #3116

Description

@IshitaSingh0822

Bug Description

src/lib/csv.ts (csvCell/toCsv) only escapes commas, quotes, and newlines. It does not neutralize leading =, +, -, or @ characters. This CSV is used in GET /api/user/export for contributions.csv. If any exported field (e.g. a repo name, goal title) begins with one of these characters, opening the file in Excel or Google Sheets can execute it as a formula — a well-known CSV injection vector (CWE-1236).

Steps to Reproduce

  1. Create a goal or otherwise get a user-controlled string field starting with = (e.g. =1+1 or =HYPERLINK(...)) into exportable data.
  2. Trigger GET /api/user/export.
  3. Open the resulting contributions.csv in Excel/Google Sheets — the formula executes instead of displaying as text.

Affected Area

API Routes

Screenshots

NA

Browser & OS

No response

Environment

Both

Additional Context

Fix is to prefix cell values starting with =, +, -, @, tab, or CR with a single quote ' before quoting, per OWASP CSV injection guidance.

I want to work on this under GSSoC
/assign
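The reported defect and the fix proposed under Additional Context, shown side by side as an added TypeScript example (this is not the project's src/lib/csv.ts; the function names csvCell/toCsv mirror the issue, the helper quoteIfNeeded and the sample rows are assumptions/constructed):

```typescript
// Added example, not the project's src/lib/csv.ts. Shows the reported defect
// beside the fix the issue proposes: values that start with a formula trigger
// character get a leading single quote so spreadsheets treat them as text.

// Characters Excel / Google Sheets may interpret as the start of a formula.
// Tab and carriage return are included per the OWASP guidance the issue cites.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Shared quoting step (assumed): wrap in double quotes when the value contains
// a delimiter, a quote, or a line break, doubling any embedded quotes.
function quoteIfNeeded(value: string): string {
  return /[",\r\n]/.test(value) ? `"${value.replace(/"/g, '""')}"` : value;
}

// Behaviour as reported: only delimiter/quote/newline escaping, no formula
// neutralization, so "=1+1" reaches the file unchanged.
export function csvCellUnsafe(value: unknown): string {
  return quoteIfNeeded(value == null ? "" : String(value));
}

// Hardened version: neutralize a leading trigger character before quoting.
export function csvCell(value: unknown): string {
  let s = value == null ? "" : String(value);
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) {
    s = "'" + s;
  }
  return quoteIfNeeded(s);
}

// Build a CSV document; every cell goes through the hardened csvCell.
export function toCsv(headers: string[], rows: unknown[][]): string {
  return [headers, ...rows].map((r) => r.map(csvCell).join(",")).join("\r\n");
}

// Defender-side check: does any data cell in a produced CSV still start with
// a trigger character? Useful as a regression test on export output.
export function hasUnneutralizedCell(csv: string): boolean {
  return csv
    .split("\r\n")
    .slice(1)
    .some((line) => line.split(",").some((c) => FORMULA_TRIGGERS.has(c[0])));
}

// Constructed sample rows mimicking a goals/repos export with hostile titles.
export const SAMPLE_ROWS: unknown[][] = [
  ["=1+1", "normal repo"],
  ["@SUM(A1:A2)", "-5 stars"],
  ['=HYPERLINK("http://example.invalid","click")', "plain"],
];
```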

Metadata

Labels

bug (Something isn't working)
gssoc:assigned (GSSoC: Issue assigned to a contributor)
needs-triage (Needs maintainer triage)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
