
[SECUR-105] fix: csv injection vulnerability sanitization#8611

Open
sangeethailango wants to merge 1 commit into preview from fix-csv-injection-on-export-files

Conversation

@sangeethailango sangeethailango commented Feb 4, 2026

Description

  • Fix CSV injection vulnerability (CWE-1236) by sanitizing exported CSV cell values that start with formula-triggering characters (=, +, -, @, \t, \r, \n)
  • Added a central sanitize_csv_value utility in plane/utils/csv_utils.py and applied it across all 5 CSV export code paths

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Strengthened security of all CSV export functionality to prevent formula injection attacks. Exported data is now automatically sanitized before being written to CSV files, protecting users when opening exports in external spreadsheet applications.

coderabbitai bot commented Feb 4, 2026

Walkthrough

Introduces CSV formula injection prevention by adding a new sanitization utility module that prefixes values starting with formula triggers (=, +, -, @, tab, carriage return, line feed) with a single quote. The utility is integrated into four CSV export endpoints across the workspace views, background tasks, and data exporters/porters to sanitize row data before CSV generation.

Changes

Cohort / File(s) and summary
  • CSV Sanitization Utility: apps/api/plane/utils/csv_utils.py
    New module providing sanitize_csv_value() and sanitize_csv_row() functions to prevent CSV formula injection attacks by prefixing trigger characters with a single quote.
  • CSV Generation Endpoints: apps/api/plane/app/views/workspace/base.py, apps/api/plane/bgtasks/analytic_plot_export.py
    Updated CSV generation to apply sanitize_csv_row() before writing rows to CSV output.
  • CSV Formatters: apps/api/plane/utils/exporters/formatters.py, apps/api/plane/utils/porters/formatters.py
    Updated CSV export paths to sanitize row data using sanitize_csv_row() and sanitize_csv_value() before writing.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Hops of joy, a fix so fine,
No more formulas crossing the line!
With quotes prepended, the data stays true,
CSV safety—what a mighty debut! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 75.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Title check (✅ Passed): The title clearly and specifically identifies the main change: fixing a CSV injection vulnerability through sanitization. It directly matches the primary objective of the pull request.
  • Description check (✅ Passed): The description includes key details about the vulnerability fixed and the solution implemented, but lacks several template sections including Type of Change, Test Scenarios, and References.

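A self-contained illustration of the approach the walkthrough describes (a single-quote prefix on cells whose first character is one of the listed formula triggers), added here as an example; it is not the code from PR #8611 or Plane's csv_utils.py, and the function names, the export helper, the post-export check and the sample rows are assumptions constructed for this demo. The find_unsanitized_cells helper shows how a test could verify that every export path actually applied the sanitizer.

```python
import csv
import io

# Hypothetical re-implementation for illustration, not Plane's csv_utils.py.
# Trigger set as listed in the PR: formula starters plus tab, CR and LF.
CSV_FORMULA_TRIGGERS = frozenset(("=", "+", "-", "@", "\t", "\r", "\n"))


def sanitize_csv_value(value):
    """Prefix a string that starts with a trigger character with a single quote.

    Spreadsheet applications treat the leading quote as a text marker, so the
    cell is displayed rather than evaluated. Non-strings and empty strings are
    returned unchanged. Caveat: a negative number exported as a string ("-3")
    is also quoted, so numeric columns should be emitted as numbers.
    """
    if not isinstance(value, str) or not value:
        return value
    return "'" + value if value[0] in CSV_FORMULA_TRIGGERS else value


def sanitize_csv_row(row):
    """Apply sanitize_csv_value to every cell of one row."""
    return [sanitize_csv_value(cell) for cell in row]


def export_csv(header, rows, sanitize=True):
    """Render rows as CSV text; sanitize=False models the pre-fix behaviour."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    for row in rows:
        writer.writerow(sanitize_csv_row(row) if sanitize else row)
    return buf.getvalue()


def find_unsanitized_cells(csv_text):
    """Check produced CSV: return (row, col) of cells still starting with a trigger."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in CSV_FORMULA_TRIGGERS:
                findings.append((r, c))
    return findings


# Constructed sample rows: a title that reads like a formula, a negative value
# stored as text, an @-prefixed name, a tab-led cell, plus an int and a None.
SAMPLE_HEADER = ["title", "estimate", "assignee", "description", "count", "extra"]
SAMPLE_ROWS = [
    ["=SUM(A1:A10)", "-3", "@alice", "plain text", 42, None],
    ["Fix login bug", "5", "bob", "\tleading tab", 0, ""],
]
```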

makeplane bot commented Feb 4, 2026

Linked to Plane Work Item(s)

This comment was auto-generated by Plane

@sangeethailango sangeethailango marked this pull request as ready for review February 4, 2026 14:09

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@apps/api/plane/utils/csv_utils.py`:
- Around line 1-4: This file is missing the standard repository license header;
add the project's canonical license comment block at the very top of the module
(above the existing module docstring/comment and before _CSV_FORMULA_TRIGGERS)
so the addlicense check passes; copy the exact header used in other files and
ensure it precedes the existing content (refer to this module's top-level symbol
_CSV_FORMULA_TRIGGERS to locate the file and verify header placement).

Comment on lines +1 to +4
# CSV utility functions for safe export

# Characters that trigger formula evaluation in spreadsheet applications
_CSV_FORMULA_TRIGGERS = frozenset(("=", "+", "-", "@", "\t", "\r", "\n"))

⚠️ Potential issue | 🟠 Major

Add the standard license header to satisfy the addlicense check.

The pipeline is failing the copyright check; this file is missing the standard header used across the repo.

🧾 Proposed fix
+# Copyright (c) 2023-present Plane Software, Inc. and contributors
+# SPDX-License-Identifier: AGPL-3.0-only
+# See the LICENSE file for details.
+
 # CSV utility functions for safe export
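Review bot: the header text in this proposed fix needs to be checked against the repository's COPYRIGHT.txt before it is committed, because the failing check runs `addlicense -check -f COPYRIGHT.txt`, which compares each file against that template rather than against a fixed SPDX line; a header that differs in wording or year range will keep the pipeline red. Copy the block verbatim from an existing `.py` file under apps/api/plane/, as the comment above already suggests, and keep it above the `# CSV utility functions for safe export` line so the module's existing comment and _CSV_FORMULA_TRIGGERS remain unchanged.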
🧰 Tools
🪛 GitHub Actions: Copy Right Check

[error] 1-1: Copyright check failed. The command 'addlicense -check -f COPYRIGHT.txt -ignore "/migrations/" $(git ls-files '*.py')' exited with code 1.
