| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| import re |
| from typing import Any |
| |
| import pandas as pd |
| |
| negative_number_re = re.compile(r"^-[0-9.]+$") |
| |
| # This regex will match if the string starts with: |
| # |
| # 1. one of -, @, +, |, =, % |
| # 2. two double quotes immediately followed by one of -, @, +, |, =, % |
| # 3. one or more spaces immediately followed by one of -, @, +, |, =, % |
| # |
| problematic_chars_re = re.compile(r'^(?:"{2}|\s{1,})(?=[\-@+|=%])|^[\-@+|=%]') |
| |
| |
| def escape_value(value: str) -> str: |
| """ |
| Escapes a set of special characters. |
| |
| http://georgemauer.net/2017/10/07/csv-injection.html |
| """ |
| needs_escaping = problematic_chars_re.match(value) is not None |
| is_negative_number = negative_number_re.match(value) is not None |
| |
| if needs_escaping and not is_negative_number: |
| # Escape pipe to be extra safe as this |
| # can lead to remote code execution |
| value = value.replace("|", "\\|") |
| |
| # Precede the line with a single quote. This prevents |
| # evaluation of commands and some spreadsheet software |
| # will hide this visually from the user. Many articles |
| # claim a preceding space will work here too, however, |
| # when uploading a csv file in Google sheets, a leading |
| # space was ignored and code was still evaluated. |
| value = "'" + value |
| |
| return value |
| |
| |
| def df_to_escaped_csv(df: pd.DataFrame, **kwargs: Any) -> Any: |
| escape_values = lambda v: escape_value(v) if isinstance(v, str) else v |
| |
| # Escape csv headers |
| df = df.rename(columns=escape_values) |
| |
| # Escape csv rows |
| df = df.applymap(escape_values) |
| |
| return df.to_csv(**kwargs) |