adds tests

excel sanitization
2026-05-19 19:38:39 -05:00 · 2026-05-19 13:48:30 +05:30 · 2026-05-19 12:41:06 +05:30
6 changed files with 99 additions and 57 deletions
@@ -313,18 +313,9 @@ describe("handleErrorResponse", () => {
    expect(body.message).toBe("bad input");
  });

-  test("returns 404 notFound for ResourceNotFoundError", async () => {
+  test("returns 400 badRequest for ResourceNotFoundError", async () => {
    const response = handleErrorResponse(new ResourceNotFoundError("Survey", "id-1"));
-    expect(response.status).toBe(404);
-    const body = await response.json();
-    expect(body).toEqual({
-      code: "not_found",
-      message: "Survey not found",
-      details: {
-        resource_id: "id-1",
-        resource_type: "Survey",
-      },
-    });
+    expect(response.status).toBe(400);
  });

  test("returns 500 internalServerError for unknown errors", async () => {
@@ -29,10 +29,11 @@ export const handleErrorResponse = (error: any): Response => {
      if (error instanceof UniqueConstraintError) {
        return responses.conflictResponse(error.message);
      }
-      if (error instanceof ResourceNotFoundError) {
-        return responses.notFoundResponse(error.resourceType, error.resourceId);
-      }
-      if (error instanceof DatabaseError || error instanceof InvalidInputError) {
+      if (
+        error instanceof DatabaseError ||
+        error instanceof InvalidInputError ||
+        error instanceof ResourceNotFoundError
+      ) {
        return responses.badRequestResponse(error.message);
      }
      return responses.internalServerErrorResponse("Some error occurred");
@@ -1,7 +1,6 @@
 import { Prisma } from "@prisma/client";
 import { beforeEach, describe, expect, test, vi } from "vitest";
 import { prisma } from "@formbricks/database";
-import { PrismaErrorType } from "@formbricks/database/types/error";
 import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { TResponseUpdateInput } from "@formbricks/types/responses";
 import { updateResponse } from "./service";
@@ -325,35 +324,5 @@ describe("updateResponse", () => {

      await expect(updateResponse(mockResponseId, responseInput)).rejects.toThrow(DatabaseError);
    });
-
-    test("should throw ResourceNotFoundError when response is deleted during update", async () => {
-      const currentResponse = createMockCurrentResponse();
-      vi.mocked(prisma.response.findUnique).mockResolvedValue(currentResponse as any);
-      vi.mocked(prisma.response.update).mockRejectedValue(
-        new Prisma.PrismaClientKnownRequestError("Record to update not found", {
-          code: PrismaErrorType.RelatedRecordDoesNotExist,
-          clientVersion: "5.0.0",
-        })
-      );
-
-      const responseInput = createMockResponseInput();
-
-      await expect(updateResponse(mockResponseId, responseInput)).rejects.toThrow(ResourceNotFoundError);
-    });
-
-    test("should throw ResourceNotFoundError when Prisma reports a missing response record", async () => {
-      const currentResponse = createMockCurrentResponse();
-      vi.mocked(prisma.response.findUnique).mockResolvedValue(currentResponse as any);
-      vi.mocked(prisma.response.update).mockRejectedValue(
-        new Prisma.PrismaClientKnownRequestError("Record does not exist", {
-          code: PrismaErrorType.RecordDoesNotExist,
-          clientVersion: "5.0.0",
-        })
-      );
-
-      const responseInput = createMockResponseInput();
-
-      await expect(updateResponse(mockResponseId, responseInput)).rejects.toThrow(ResourceNotFoundError);
-    });
  });
 });
@@ -3,7 +3,6 @@ import { Prisma } from "@prisma/client";
 import { cache as reactCache } from "react";
 import { z } from "zod";
 import { prisma } from "@formbricks/database";
-import { PrismaErrorType } from "@formbricks/database/types/error";
 import { logger } from "@formbricks/logger";
 import { ZId, ZOptionalNumber, ZString } from "@formbricks/types/common";
 import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
@@ -570,13 +569,6 @@ export const updateResponse = async (
    return response;
  } catch (error) {
    if (error instanceof Prisma.PrismaClientKnownRequestError) {
-      if (
-        error.code === PrismaErrorType.RecordDoesNotExist ||
-        error.code === PrismaErrorType.RelatedRecordDoesNotExist
-      ) {
-        throw new ResourceNotFoundError("Response", responseId);
-      }
-
      throw new DatabaseError(error.message);
    }

@@ -38,6 +38,38 @@ describe("convertToCsv", () => {

    parseSpy.mockRestore();
  });
+
+  test("should defang formula injection payloads in cell values", async () => {
+    const payloads = [
+      '=HYPERLINK("https://evil.tld","Click")',
+      "+1+1",
+      "-2+3",
+      "@SUM(A1:A2)",
+      "\tleading-tab",
+      "\rleading-cr",
+    ];
+    const rows = payloads.map((p) => ({ name: p, age: 0 }));
+    const csv = await convertToCsv(["name", "age"], rows);
+    const lines = csv.trim().split("\n").slice(1); // drop header
+    payloads.forEach((p, i) => {
+      // each value should be prefixed with a single quote so the spreadsheet
+      // app treats it as text rather than a formula
+      expect(lines[i].startsWith(`"'${p.charAt(0)}`)).toBe(true);
+    });
+  });
+
+  test("should defang formula injection in field/header names", async () => {
+    const csv = await convertToCsv(["=evil", "age"], [{ "=evil": "x", age: 1 }]);
+    const lines = csv.trim().split("\n");
+    expect(lines[0]).toBe('"\'=evil","age"');
+    expect(lines[1]).toBe('"x",1');
+  });
+
+  test("should not alter benign strings", async () => {
+    const csv = await convertToCsv(["name"], [{ name: "Alice = Bob" }]);
+    const lines = csv.trim().split("\n");
+    expect(lines[1]).toBe('"Alice = Bob"');
+  });
 });

 describe("convertToXlsxBuffer", () => {
@@ -60,4 +92,38 @@ describe("convertToXlsxBuffer", () => {
    const cleaned = raw.map(({ __rowNum__, ...rest }) => rest);
    expect(cleaned).toEqual(data);
  });
+
+  test("should defang formula injection payloads in xlsx cells", () => {
+    const payloads = [
+      '=HYPERLINK("https://evil.tld","Click")',
+      "+1+1",
+      "-2+3",
+      "@SUM(A1:A2)",
+      "\tleading-tab",
+      "\rleading-cr",
+    ];
+    const rows = payloads.map((p) => ({ name: p }));
+    const buffer = convertToXlsxBuffer(["name"], rows);
+    const wb = xlsx.read(buffer, { type: "buffer" });
+    const sheet = wb.Sheets["Sheet1"];
+    payloads.forEach((p, i) => {
+      const cell = sheet[`A${i + 2}`]; // row 1 is header
+      // value stored as plain text, not as a formula (no `f` property)
+      expect(cell.f).toBeUndefined();
+      expect(cell.v).toBe(`'${p}`);
+    });
+  });
+
+  test("should defang formula injection in xlsx header names", () => {
+    const buffer = convertToXlsxBuffer(["=evil", "name"], [{ "=evil": "x", name: "Alice" }]);
+    const wb = xlsx.read(buffer, { type: "buffer" });
+    const sheet = wb.Sheets["Sheet1"];
+    const headerCell = sheet["A1"];
+    expect(headerCell.f).toBeUndefined();
+    expect(headerCell.v).toBe("'=evil");
+    // benign header untouched
+    expect(sheet["B1"].v).toBe("name");
+    // data row mapped via sanitized key
+    expect(sheet["A2"].v).toBe("x");
+  });
 });
@@ -2,15 +2,36 @@ import { AsyncParser } from "@json2csv/node";
 import * as xlsx from "xlsx";
 import { logger } from "@formbricks/logger";

+// Defang spreadsheet formula injection. Cell values starting with
+// =, +, -, @, tab, or CR are evaluated as formulas by Excel/Sheets/Numbers.
+const FORMULA_TRIGGER = /^[=+\-@\t\r]/;
+
+const sanitizeFormulaInjection = <T>(value: T): T => {
+  if (typeof value === "string" && FORMULA_TRIGGER.test(value)) {
+    return `'${value}` as T;
+  }
+  return value;
+};
+
+const sanitizeRows = (rows: Record<string, string | number>[]): Record<string, string | number>[] =>
+  rows.map((row) =>
+    Object.fromEntries(
+      Object.entries(row).map(([key, value]) => [
+        sanitizeFormulaInjection(key),
+        sanitizeFormulaInjection(value),
+      ])
+    )
+  );
+
 export const convertToCsv = async (fields: string[], jsonData: Record<string, string | number>[]) => {
  let csv: string = "";

  const parser = new AsyncParser({
-    fields,
+    fields: fields.map(sanitizeFormulaInjection),
  });

  try {
-    csv = await parser.parse(jsonData).promise();
+    csv = await parser.parse(sanitizeRows(jsonData)).promise();
  } catch (err) {
    logger.error(err, "Failed to convert to CSV");
    throw new Error("Failed to convert to CSV");
@@ -24,7 +45,9 @@ export const convertToXlsxBuffer = (
  jsonData: Record<string, string | number>[]
 ): Buffer => {
  const wb = xlsx.utils.book_new();
-  const ws = xlsx.utils.json_to_sheet(jsonData, { header: fields });
+  const ws = xlsx.utils.json_to_sheet(sanitizeRows(jsonData), {
+    header: fields.map(sanitizeFormulaInjection),
+  });
  xlsx.utils.book_append_sheet(wb, ws, "Sheet1");
  return xlsx.write(wb, { type: "buffer", bookType: "xlsx" });
 };
Author	SHA1	Message	Date
pandeymangg	d90482212a	adds tests	2026-05-19 13:48:30 +05:30
pandeymangg	1e0d003dd6	excel sanitization	2026-05-19 12:41:06 +05:30