codeant-ai-for-open-source[bot] commented on code in PR #40195:
URL: https://github.com/apache/superset/pull/40195#discussion_r3562896102


##########
superset/utils/csv.py:
##########
@@ -27,18 +26,37 @@
 
 logger = logging.getLogger(__name__)
 
-negative_number_re = re.compile(r"^-[0-9.]+$")
+PROBLEMATIC_CSV_PREFIXES = "-@+|=%"
 
-# This regex will match if the string starts with:
-#
-#     1. one of -, @, +, |, =, %, a tab, or a carriage return
-#     2. two double quotes immediately followed by one of -, @, +, |, =, %
-#     3. one or more spaces immediately followed by one of -, @, +, |, =, %
-#
-# A leading tab or carriage return is treated as dangerous on its own because
-# some spreadsheet software trims that leading whitespace and then evaluates
-# the remaining cell content as a formula.
-problematic_chars_re = 
re.compile(r'^(?:"{2}|\s{1,})(?=[\-@+|=%])|^[\-@+|=%\t\r]')
+
+def _starts_with_formula_prefix(value: str) -> bool:
+    first = value[0]
+    if first in PROBLEMATIC_CSV_PREFIXES:
+        return True
+    if first == '"' and len(value) > 2:
+        return value[1] == '"' and value[2] in PROBLEMATIC_CSV_PREFIXES
+    return False
+
+
+def _starts_like_spreadsheet_formula(value: str) -> bool:
+    # A leading tab or carriage return is treated as dangerous on its own
+    # because some spreadsheet software trims that leading whitespace and
+    # then evaluates the remaining cell content as a formula.
+    first = value[0]
+    if first in ("\t", "\r"):
+        return True
+    if first.isspace():
+        stripped = value.lstrip()
+        return bool(stripped) and _starts_with_formula_prefix(stripped)
+    return _starts_with_formula_prefix(value)
+
+
+def _is_negative_number(value: str) -> bool:
+    return (
+        len(value) > 1
+        and value[0] == "-"
+        and all("0" <= character <= "9" or character == "." for character in 
value[1:])
+    )

Review Comment:
   **Suggestion:** The negative-number guard is too permissive: it treats any 
`-` string made only of digits and dots as numeric, so malformed inputs like 
`-.`, `-..`, or `-1.2.3` bypass escaping. Because `-` is a dangerous 
spreadsheet prefix, these malformed values should still be escaped; tighten the 
numeric check to a valid decimal format (for example, require at least one 
digit and at most one decimal point). [security]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ❌ SQL Lab CSV export leaves malformed negatives unescaped.
   - ❌ Chart CSV export paths share same misclassification risk.
   - ⚠️ Viz CSV exports may emit unsafe minus-prefixed values.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. In SQL Lab, run a query whose result includes a text column containing a 
value like
   `-.` (this value will be part of the DataFrame used for CSV export via
   `superset/commands/sql_lab/export.py:134` which calls 
`csv.df_to_escaped_csv(df, ...)`).
   
   2. From SQL Lab, click the "Download to CSV" action so the export command at
   `superset/commands/sql_lab/export.py:134` invokes `csv.df_to_escaped_csv()` 
in
   `superset/utils/csv.py:87-107`, which applies `escape_value()` to every 
string cell and
   header.
   
   3. During export, `escape_value("-.")` executes in 
`superset/utils/csv.py:62-84`;
   `_starts_like_spreadsheet_formula("-.")` returns True because `"-"` is in
   `PROBLEMATIC_CSV_PREFIXES` checked by `_starts_with_formula_prefix()` at
   `superset/utils/csv.py:29-38`, and `_is_negative_number("-.")` returns True 
due to the
   permissive digit-or-dot check at `superset/utils/csv.py:54-59` (accepts any 
sequence of
   digits and dots after the leading `-`).
   
   4. Because the guard `if _starts_like_spreadsheet_formula(value) and not
   _is_negative_number(value):` at `superset/utils/csv.py:71` sees
   `_is_negative_number("-.")` as True, the condition is False, so the cell 
`-.` is written
   to the CSV without a leading quote or pipe escaping; this minus-prefixed, 
non-numeric
   value bypasses the intended spreadsheet formula escaping in all CSV export 
paths that use
   `df_to_escaped_csv()` (viz exports in `superset/viz.py:733`, chart CSVs in
   `superset/common/query_context_processor.py:270` and
   `superset/charts/client_processing.py:401`, and SQL Lab exports in
   `superset/commands/sql_lab/export.py:134`).
   ```
   </details>
   
   [![Fix in 
Cursor](https://new-codeant-butcket.s3.us-west-1.amazonaws.com/badges/fix-in-cursor-flat.svg)](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=807968fb2f6747bca085ed3611bb1c44&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
 [![Fix in VSCode 
Claude](https://new-codeant-butcket.s3.us-west-1.amazonaws.com/badges/fix-in-vscode-claude-flat.svg)](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=807968fb2f6747bca085ed3611bb1c44&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
   
   *(Use Cmd/Ctrl + Click for best experience)*
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** superset/utils/csv.py
   **Line:** 54:59
   **Comment:**
        *Security: The negative-number guard is too permissive: it treats any 
`-` string made only of digits and dots as numeric, so malformed inputs like 
`-.`, `-..`, or `-1.2.3` bypass escaping. Because `-` is a dangerous 
spreadsheet prefix, these malformed values should still be escaped; tighten the 
numeric check to a valid decimal format (for example, require at least one 
digit and at most one decimal point).
   
   Validate the correctness of the flagged issue. If correct, How can I resolve 
this? If you propose a fix, implement it and please make it concise.
   Once fix is implemented, also check other comments on the same PR, and ask 
user if the user wants to fix the rest of the comments as well. if said yes, 
then fetch all the comments validate the correctness and implement a minimal fix
   ```
   </details>
   <a 
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40195&comment_hash=a1ed1784a1cf0ce3a7c9c26daafd5b67d7cf45d7073af613f15b50c6185e5a3c&reaction=like'>👍</a>
 | <a 
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40195&comment_hash=a1ed1784a1cf0ce3a7c9c26daafd5b67d7cf45d7073af613f15b50c6185e5a3c&reaction=dislike'>👎</a>



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to