json-2-csv
Comparing version 3.14.4 to 3.15.0
@@ -39,3 +39,4 @@ { | ||
"parseValue": null, | ||
"wrapBooleans": false | ||
"wrapBooleans": false, | ||
"preventCsvInjection": false | ||
}, | ||
@@ -42,0 +43,0 @@ |
@@ -50,2 +50,9 @@ export interface ISharedOptions { | ||
trimFieldValues?: boolean; | ||
/** | ||
* Should CSV injection be prevented by left trimming these characters: | ||
* Equals (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D). | ||
* @default false | ||
*/ | ||
preventCsvInjection?: boolean; | ||
} | ||
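Review bot: The doc comment on `preventCsvInjection` describes the mitigation as left trimming but omits two consequences a caller needs to know before opting in: the matched characters are discarded rather than escaped (so a legitimate value such as `+1 555 0100` is emitted as `1 555 0100`), and strings that parse as a number are left untouched, as the `isNumber` guard in the json2csv.js implementation shows. I'd add to the docblock: `Note: matching characters are removed, not escaped, so a legitimate leading '+', '-' or '@' is lost; strings that parse as a number (e.g. "-5") are left unchanged.` Without that, a caller cannot predict which of their data the option will alter. The enclosing `ISharedOptions` interface starts before the hunk.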
@@ -106,2 +113,8 @@ | ||
excludeKeys?: string[]; | ||
/** | ||
* Specify how values should be converted into CSV format. This function is provided a single field value at a time and must return a `String`. | ||
* Note: Using this option may override other options, including `useDateIso8601Format` and `useLocaleFormat`. | ||
*/ | ||
parseValue?: (fieldValue: any) => string; | ||
} | ||
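Review bot: The `parseValue` doc says the function must return a `String` but does not say what happens to that string afterwards; with `preventCsvInjection` enabled the returned value is still passed through the injection trim (the call is placed directly after `valueParserFn` in json2csv.js), so a custom parser that deliberately emits a leading `=`, `+`, `-` or `@` will have it removed. Since `parseValue` is the hook a caller reaches for to control the exact cell text, that interaction is worth stating: `Note: when preventCsvInjection is enabled, the returned string is still subject to its leading-character trimming.` The enclosing interface starts before the hunk.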
@@ -108,0 +121,0 @@ |
@@ -255,2 +255,3 @@ 'use strict'; | ||
fieldValue = valueParserFn(fieldValue); | ||
fieldValue = preventCsvInjection(fieldValue); | ||
fieldValue = wrapFieldValueIfNecessary(fieldValue); | ||
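Review bot: `preventCsvInjection(fieldValue)` runs on the output of `valueParserFn` and before `wrapFieldValueIfNecessary`, but its position relative to the `trimFieldValues` option is not visible in this hunk; if field trimming is applied later in the pipeline, a value such as `' =1+1'` passes this step untouched (its first character is a space) and is then trimmed to `=1+1`, which defeats the mitigation. The order should be confirmed, and if trimming does come later, either this call should move after it or the pattern should absorb leading whitespace, e.g. `/^[\s=+\-@\t\r]+/`. A one-line comment at this call site, `// must run after any field trimming so a leading space cannot mask a formula prefix`, would keep a future reordering from reintroducing the gap. The enclosing function starts and ends outside the hunk.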
@@ -349,2 +350,22 @@ | ||
/** | ||
* Prevent CSV injection on strings if specified by the user's provided options. | ||
* Mitigation will be done by ensuring that the first character doesn't being with: | ||
* Equals (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D). | ||
* More info: https://owasp.org/www-community/attacks/CSV_Injection | ||
* @param fieldValue | ||
* @returns {*} | ||
*/ | ||
function preventCsvInjection(fieldValue) { | ||
if (options.preventCsvInjection) { | ||
if (Array.isArray(fieldValue)) { | ||
return fieldValue.map(preventCsvInjection); | ||
} else if (utils.isString(fieldValue) && !utils.isNumber(fieldValue)) { | ||
return fieldValue.replace(/^[=+\-@\t\r]+/g, ''); | ||
} | ||
return fieldValue; | ||
} | ||
return fieldValue; | ||
} | ||
/** | ||
* Escapes quotation marks in the field value, if necessary, and appropriately | ||
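Review bot: `fieldValue.replace(/^[=+\-@\t\r]+/g, '')` neutralises a formula prefix by deleting it, which silently alters legitimate data: `+1 555 0100` becomes `1 555 0100`, `--verbose` becomes `verbose`, and a cell consisting only of trigger characters becomes empty, with no way for the consumer to tell. The OWASP page linked in the docblock recommends prefixing the cell with a single quote so the original text survives (the existing quoting step then wraps it), i.e. `return fieldValue.replace(/^([=+\-@\t\r])/, "'$1");`; if the trimming behaviour is kept as documented, the lossy effect should at least be stated in this docblock. The `g` flag is redundant on a `^`-anchored pattern and can be dropped. The docblock also has a typo: `doesn't being with` should read `doesn't begin with`.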
@@ -351,0 +372,0 @@ * wraps the record field value if it contains a comma (field delimiter), |
@@ -20,2 +20,3 @@ 'use strict'; | ||
isInvalid, | ||
isNumber, | ||
@@ -252,2 +253,11 @@ // underscore replacements: | ||
/** | ||
* Checks whether value can be converted to a number | ||
* @param value {String} | ||
* @returns {boolean} | ||
*/ | ||
function isNumber(value) { | ||
return !isNaN(Number(value)); | ||
} | ||
/* | ||
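Review bot: `isNumber` returns true for inputs that are not numbers in any useful sense: `Number('')`, `Number('   ')`, `Number(null)`, `Number([])` and `Number(false)` all coerce to 0, so `!isNaN(...)` is true for each. The only visible caller guards with `isString` first, but the helper is exported from utils.js and its name promises more than the check delivers; `return typeof value === 'string' && value.trim() !== '' && !isNaN(Number(value));` would match the `@param value {String}` contract. If the looser behaviour is intended, the docblock should say it only reports whether `Number(value)` is not `NaN`, so the empty-string case is not a surprise to the next caller.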
@@ -254,0 +264,0 @@ * Helper functions which were created to remove underscorejs from this package. |
@@ -8,3 +8,3 @@ { | ||
"description": "A JSON to CSV and CSV to JSON converter that natively supports sub-documents and auto-generates the CSV heading.", | ||
"version": "3.14.4", | ||
"version": "3.15.0", | ||
"homepage": "https://mrodrig.github.io/json-2-csv", | ||
@@ -47,6 +47,6 @@ "repository": { | ||
"devDependencies": { | ||
"babel-eslint": "10.1.0", | ||
"@babel/eslint-parser": "7.16.5", | ||
"coveralls": "3.1.0", | ||
"eslint": "7.14.0", | ||
"mocha": "8.2.1", | ||
"eslint": "8.4.1", | ||
"mocha": "9.1.3", | ||
"nyc": "15.1.0", | ||
@@ -53,0 +53,0 @@ "should": "13.2.3", |
@@ -143,2 +143,4 @@ # json-2-csv | ||
* Default: `false` | ||
* `preventCsvInjection` - Boolean - Should CSV injection be prevented by left trimming these characters: Equals (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D). | ||
* Default: `false` | ||
@@ -145,0 +147,0 @@ |