
Input validation missing on import csv functionality

Open filipposfwt opened this issue 1 year ago • 3 comments

Issue

When importing a new standard, no validation is performed on the imported csv file; a generic, non-descriptive "500 - Internal Server Error" is returned or new CREs are wrongfully injected.

More specifically, in the outlined case, if the format of "CRE 0" column is XX-XXX| instead of XXX-XXX|, a non-descriptive error is returned. Also, I noticed that if in the "<standard_name>|name" column the requirement's text is enclosed between three double quotes '"""', the csv is treated as valid and the whole row is entered as a new root CRE.


filipposfwt avatar Sep 18 '24 10:09 filipposfwt

Hi @northdpole, @filipposfwt,

I have reviewed the issue and identified the missing input validation in the CSV import functionality. I plan to implement validation checks for headers, data formats, and security measures (such as preventing CSV injection). I will also ensure proper error handling and testing before submitting a fix.

Please assign this issue to me so I can start working on it. Let me know if you have any specific requirements or suggestions.

Thanks!

Hardik301002 avatar Mar 16 '25 08:03 Hardik301002
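A sketch of the header, cell-format and CSV-injection checks discussed in this thread, as an added example that is not OpenCRE's code and not part of any comment above. The function name `validate_import_csv`, the reading of each X in "XXX-XXX|" as a digit, the "<standard_name>|<field>" header shape and the sample rows are assumptions.

```python
import csv
import io
import re

# Assumptions: each X in the issue's "XXX-XXX|" format is a digit, the text
# after the pipe is the CRE name, other columns are "<standard_name>|<field>".
CRE_HEADER = re.compile(r"^CRE \d+$")
STD_HEADER = re.compile(r"^[^|]+\|[^|]+$")
CRE_CELL = re.compile(r"^\d{3}-\d{3}\|\S.*$")
FORMULA_PREFIXES = ("=", "+", "-", "@")  # characters that start a spreadsheet formula

def validate_import_csv(text):
    """Return (line, column, message) tuples; an empty list means valid."""
    reader = csv.reader(io.StringIO(text, newline=""), strict=True)
    errors = []
    try:
        header = next(reader, None)
        if header is None:
            return [(1, "", "file is empty")]
        for col in header:
            if not (CRE_HEADER.match(col) or STD_HEADER.match(col)):
                errors.append((1, col, "unexpected column header"))
        if "CRE 0" not in header:  # treated as required here (assumption)
            errors.append((1, "CRE 0", "required column missing"))
        for row in reader:
            line = reader.line_num
            if len(row) != len(header):
                errors.append((line, "", "wrong number of fields"))
                continue
            for col, cell in zip(header, row):
                if cell.startswith(FORMULA_PREFIXES):
                    errors.append((line, col, "cell starts with a formula character"))
                elif CRE_HEADER.match(col):
                    # Empty CRE cells are accepted here (assumption).
                    if cell and not CRE_CELL.match(cell):
                        errors.append((line, col, "CRE cell is not 'XXX-XXX|name'"))
                elif len(cell) > 1 and cell[0] == cell[-1] == '"':
                    # A field written as """text""" parses to "text" with literal quotes.
                    errors.append((line, col, "text is wrapped in literal quotes"))
    except csv.Error as exc:
        errors.append((reader.line_num, "", f"malformed CSV: {exc}"))
    return errors

# Constructed sample input, not taken from the issue.
SAMPLE = (
    "CRE 0,ExampleStd|name\n"
    "123-456|Input validation,Validate all input\n"
    "12-345|Short id,Some requirement\n"
    '234-567|Quoted,"""Requirement in triple quotes"""\n'
    "345-678|Formula,=1+1\n"
)
```

Returning these tuples in a 400 response would give the uploader the line and column at fault instead of a generic 500.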

@Hardik301002 just assigned

northdpole avatar Mar 22 '25 14:03 northdpole

Hi! I noticed there hasn’t been any activity here recently. If it’s okay, I’d like to work on this issue. Could you please assign it to me if it’s available?

sd2604 avatar Nov 08 '25 12:11 sd2604