industry · 2026-05-24 · 12 min read

My accountant found a formula injection in the tax report CSV: TaxReport csvField sweep (PR #598 AAA F5)

Hasan, 41, owns Karadeniz Hamsi + Mıhlama Sofrası, a 45-cover restaurant on Atatürk Cad. in Altınordu, Ordu, that has served Black Sea cuisine and Trabzon-style mıhlama for 13 years; he has been on thMenu Pro for 18 months. Once a quarter (Q1, Q2, Q3 and Q4) he downloads the tax report CSV from the thMenu admin panel and sends it to his accountant Selvi, an independent financial advisor in Akkuş, Ordu, with 22 years of experience. On Tuesday morning he emailed the Q1 2026 tax CSV. Three hours later Selvi wrote back, worried: "Hasan Bey, in the CSV you sent, one row's product_name starts with =cmd|/c calc!A0; it caught my attention, is this a security bug?" After Selvi's warning that it could open calc, Hasan did not dare open the CSV on his laptop. In the admin panel, product 62 (Hamsi Tava Karadeniz) displayed a normal product_name, but in the CSV it was =cmd|/c calc!A0. Three weeks earlier Hasan had hired a new staff member, Mehmet, with menu-edit permission. He called him: "Did you change product 62?" Mehmet: "No, I have hardly done anything on the menu."

Hasan wrote to support: Selvi says this is a formula injection vector, so who is the attacker? Engineering went through three wrong theories: (1) Mehmet clicked something: staff_audit_logs for mehmet_id show 0 product-edit actions; (2) an external attacker POSTed the value: 90 days of WAF logs show 47 403s, all legitimate bots, no bypass; (3) Hasan copy-pasted it: the admin panel displays it normally. The correct theory: the TaxReport CSV export does not use the csvField helper. Forensic analysis of apps/web-admin/src/app/api/tax-report/route.ts showed rows.push([orderDate, productName, quantity, unitPrice, taxRate, taxAmount].join(',')) with no escaping whatsoever, a violation of RFC 4180 §2.6, and no formula-prefix sanitization. The csvField helper already exists in apps/web-admin/src/lib/csv.ts (PR #365, audit finding YY); 8 other CSV exports use it (orders, customers, products, feedback, reservations, affiliate-stats, cron-status, soc2-evidence), but the tax report was skipped when it was added. csvField has two layers: (1) RFC 4180 quoting: if the value contains a comma, a double quote or a newline, wrap it in quotes and escape the inner quotes; (2) formula-prefix neutralization: if the value's first character is =, +, -, @, \t or \r, a neutralizing character is prepended so Excel, LibreOffice and Numbers do not interpret it as a formula, and it goes unnoticed when the field is read as text.
The OWASP CSV Injection Cheat Sheet has recommended this since 2017: when Excel imports a CSV, =cmd|/c calc!A0 combined with DDE could launch calc.exe or powershell in older versions; modern Excel blocks it only partially, and in a corporate environment it is dangerous. The source turned out to be the menu-backfill-v2 import script two months ago. Hasan migrated his Q4 2025 menu from Excel; one Excel cell held a formula as its value (an Excel macro test), and instead of reading the display value the import script wrote the raw =cmd|/c calc!A0 into product_name. The stored value is HTML-escaped by the admin panel, but the CSV had no field-level escaping. So the injection point was the migrate-from-excel script, a script of opportunity; Hasan was not a direct attacker.

PR #598 (batch AAA F5) is a two-layer fix. Layer 1: the TaxReport CSV export now uses the csvField helper; the route becomes rows.push([...].map(csvField).join(',')), so every field is RFC 4180 quoted and formula-prefix neutralized, and =cmd|/c calc!A0 is emitted with a neutralizing prefix that Excel does not interpret as a formula. Layer 2: sanitization in the menu-backfill-v2 script; the Excel→D1 import script runs a formula-prefix detector over product_name, description and ingredients, and if a value starts with =, +, -, @, \t or \r the prefix is stripped and a warning logged, so stored data is clean. A production audit scanned the products table for formula-prefix strings: 23 products across 7 restaurants from historic Excel imports; UPDATE products SET REPLACE plus an audit log entry, operators emailed, history cleaned, no action required on their side. The YY sweep (PR #365) covered 8 CSV exports; with AAA F5 the last one, tax-report, shipped, and the sweep is now code-base complete. A CI grep guard flags the .join(',') on an array-of-strings pattern with a "do you need csvField?" warning, and the PR template gained a checkbox: "CSV? csvField?". Hasan received an email, Selvi a thank-you and a 1-month Pro credit; Selvi's blog post got 1.3k engagement.

Camille, in Marseille's Le Panier on Rue Caisserie, runs Bouillabaisse Vieux-Port, a 55-cover Provençal restaurant of 11 years; her CPA Marc uses Numbers on a Mac, and Numbers 17 blocked the formula prefix with a loud warning. Same fix path in parallel, 1-month Pro credit. The pattern: every endpoint that exports user-input data to CSV goes through the csvField helper, and every Excel/CSV import script gets formula-prefix sanitization; RFC 4180 §2.6 and the OWASP CSV Injection cheat sheet are the canonical references. Sibling sweep: PR #365 (YY) 8 endpoints, AAA F5 final 8/8; the newly added super-admin export-affiliate-payouts and admin export-staff-shifts use csvField from the start.
Implementation: csvField in the shared lib (RFC 4180 quoting + formula-prefix neutralization for the 6 dangerous characters), applied on every endpoint route; formula detector with strip in the import script; production audit scan of existing data; CI grep guard; PR template checkbox. Reference: PR #598.
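The two csvField layers and the import-side detector described above, as an added example written for this post (it is not thMenu's csv.ts). It assumes the OWASP-recommended leading apostrophe as the neutralizing prefix, since the post does not name the character, and builds one constructed sample row in the tax-report column order.

```typescript
// Added example: the two csvField layers and the import-side detector
// described in the post. Written for this article; not thMenu's csv.ts.
// Assumption: the neutralizing prefix is the OWASP-recommended apostrophe.

// The six characters the post lists as formula triggers.
const FORMULA_PREFIX = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Layer 2: prepend an apostrophe so Excel/LibreOffice/Numbers read the cell
// as text. The apostrophe is not displayed when the cell is read as text.
function neutralizeFormulaPrefix(value: string): string {
  return FORMULA_PREFIX.has(value.charAt(0)) ? "'" + value : value;
}

// Layer 1: RFC 4180 §2.6 quoting. A field containing a comma, a double quote,
// CR or LF is wrapped in double quotes, with inner quotes doubled.
function quoteRfc4180(value: string): string {
  return /[",\r\n]/.test(value) ? `"${value.replace(/"/g, '""')}"` : value;
}

// csvField: every exported field goes through both layers. Numbers are
// stringified first, so a negative number also gets the prefix (by design:
// "-" is one of the six characters).
function csvField(value: string | number | null | undefined): string {
  const s = value == null ? "" : String(value);
  return quoteRfc4180(neutralizeFormulaPrefix(s));
}

// The fixed tax-report row: rows.push([...].map(csvField).join(",")).
function csvRow(fields: Array<string | number | null | undefined>): string {
  return fields.map(csvField).join(",");
}

// Import-side detector for the Excel->D1 backfill: strip every leading
// formula character and report whether anything was removed so the
// caller can log a warning. Loops, because "==cmd" would otherwise survive.
function stripFormulaPrefix(value: string): { clean: string; stripped: boolean } {
  let clean = value;
  while (FORMULA_PREFIX.has(clean.charAt(0))) clean = clean.slice(1);
  return { clean, stripped: clean !== value };
}

// Constructed sample row in the tax-report column order from the post
// (orderDate, productName, quantity, unitPrice, taxRate, taxAmount); the
// product name is the poisoned product_name from the incident.
const sampleRow = csvRow(["2026-02-14", "=cmd|/c calc!A0", 2, 85.5, 0.1, 17.1]);
console.log(sampleRow); // 2026-02-14,'=cmd|/c calc!A0,2,85.5,0.1,17.1
```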


thMenu Team

thmenu.com
