[Lens] Quote csv values when contain separator char (#155905)

## Summary Fix a bug found by @markov00 When a cell value contains the csvSeparator char (by default `,`) the text was not escaped correctly. This PR fixes this by wrapping the value in quotes (if enabled). ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### Risk Matrix Delete this section if it is not applicable to this PR. Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release. When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: | Risk | Probability | Severity | Mitigation/Notes | |---------------------------|-------------|----------|-------------------------| | Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. | | Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. | | Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. | | [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) | ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 01:38:56 -04:00 · 2023-04-28 15:04:30 +02:00 · 2023-04-28 15:04:30 +02:00 · 1ab34e1967
commit 1ab34e1967
parent 6d5e2456d9
7 changed files with 139 additions and 18 deletions
--- a/packages/kbn-generate-csv/src/get_export_settings.ts
+++ b/packages/kbn-generate-csv/src/get_export_settings.ts
@ -64,7 +64,11 @@ export const getExportSettings = async (
  ]);

  const escapeFormulaValues = config.escapeFormulaValues;
-  const escapeValue = createEscapeValue(quoteValues, escapeFormulaValues);
+  const escapeValue = createEscapeValue({
+    separator,
+    quoteValues,
+    escapeFormulaValues,
+  });
  const bom = config.useByteOrderMarkEncoding ? CSV_BOM_CHARS : '';

  return {
--- a/src/plugins/data/common/exports/constants.ts
+++ b/src/plugins/data/common/exports/constants.ts
@ -9,3 +9,5 @@
 export const CSV_FORMULA_CHARS = ['=', '+', '-', '@'];
 export const nonAlphaNumRE = /[^a-zA-Z0-9]/;
 export const allDoubleQuoteRE = /"/g;
+// this is a non-exhaustive list of delimiters that require to be quoted
+export const commonQuotedDelimiters = new Set([',', ';', '\t', ' ', '|']);
--- a/src/plugins/data/common/exports/escape_value.test.ts
+++ b/src/plugins/data/common/exports/escape_value.test.ts
@ -13,7 +13,11 @@ describe('escapeValue', function () {
  describe('quoteValues is true', function () {
    let escapeValue: (val: string) => string;
    beforeEach(function () {
-      escapeValue = createEscapeValue(true, false);
+      escapeValue = createEscapeValue({
+        separator: ',',
+        quoteValues: true,
+        escapeFormulaValues: false,
+      });
    });

    it('should escape value with spaces', function () {
@ -48,7 +52,11 @@ describe('escapeValue', function () {
  describe('quoteValues is false', function () {
    let escapeValue: (val: string) => string;
    beforeEach(function () {
-      escapeValue = createEscapeValue(false, false);
+      escapeValue = createEscapeValue({
+        separator: ',',
+        quoteValues: false,
+        escapeFormulaValues: false,
+      });
    });

    it('should return the value unescaped', function () {
@ -57,11 +65,15 @@ describe('escapeValue', function () {
    });
  });

-  describe('escapeValues', () => {
+  describe('escapeFormulaValues', () => {
    describe('when true', () => {
      let escapeValue: (val: string) => string;
      beforeEach(function () {
-        escapeValue = createEscapeValue(true, true);
+        escapeValue = createEscapeValue({
+          separator: ',',
+          quoteValues: true,
+          escapeFormulaValues: true,
+        });
      });

      ['@', '+', '-', '='].forEach((badChar) => {
@ -76,7 +88,11 @@ describe('escapeValue', function () {
    describe('when false', () => {
      let escapeValue: (val: string) => string;
      beforeEach(function () {
-        escapeValue = createEscapeValue(true, false);
+        escapeValue = createEscapeValue({
+          separator: ',',
+          quoteValues: true,
+          escapeFormulaValues: false,
+        });
      });

      ['@', '+', '-', '='].forEach((badChar) => {
@ -86,4 +102,64 @@ describe('escapeValue', function () {
      });
    });
  });
+
+  describe('csvSeparator', () => {
+    it('should escape when text contains the separator char with quotes enabled', () => {
+      const escapeValue = createEscapeValue({
+        separator: ';',
+        quoteValues: true,
+        escapeFormulaValues: false,
+      });
+      expect(escapeValue('a;b')).to.be('"a;b"');
+    });
+
+    it('should not escape when text contains the separator char if quotes are disabled', () => {
+      const escapeValue = createEscapeValue({
+        separator: ';',
+        quoteValues: false,
+        escapeFormulaValues: false,
+      });
+      expect(escapeValue('a;b')).to.be('a;b');
+    });
+
+    it.each([', ', ' , ', ' ,'])(
+      'should handle also delimiters that contains white spaces "%p"',
+      (separator) => {
+        const escapeValue = createEscapeValue({
+          separator,
+          quoteValues: true,
+          escapeFormulaValues: false,
+        });
+        const nonStringValue = {
+          toString() {
+            return `a${separator}b`;
+          },
+        };
+        expect(escapeValue(nonStringValue)).to.be(`"a${separator}b"`);
+      }
+    );
+
+    it('should handle also non-string values (array)', () => {
+      const escapeValue = createEscapeValue({
+        separator: ',',
+        quoteValues: true,
+        escapeFormulaValues: true,
+      });
+      expect(escapeValue(['a', 'b'])).to.be('"a,b"');
+    });
+
+    it('should not quote non-string values, even if escapable, when separator is not in the quoted delimiters list', () => {
+      const escapeValue = createEscapeValue({
+        separator: ':',
+        quoteValues: true,
+        escapeFormulaValues: true,
+      });
+      const nonStringValue = {
+        toString() {
+          return 'a:b';
+        },
+      };
+      expect(escapeValue(nonStringValue)).to.be('a:b');
+    });
+  });
 });
--- a/src/plugins/data/common/exports/escape_value.ts
+++ b/src/plugins/data/common/exports/escape_value.ts
@ -5,11 +5,18 @@
 * in compliance with, at your election, the Elastic License 2.0 or the Server
 * Side Public License, v 1.
 */
-import { allDoubleQuoteRE, nonAlphaNumRE } from './constants';
+import { allDoubleQuoteRE, commonQuotedDelimiters, nonAlphaNumRE } from './constants';
 import { cellHasFormulas } from './formula_checks';

 type RawValue = string | object | null | undefined;

+// string with the delimiter/separator already inside need to be wrapped in quotes
+// i.e. string with delimiter char in it like free text or some number formatting (1143 => 1,143)
+function shouldBeQuoted(value: string, delimiter: string) {
+  const trimmedSeparator = delimiter.trim();
+  return value.includes(trimmedSeparator) && commonQuotedDelimiters.has(trimmedSeparator);
+}
+
 /**
 * Create a function that will escape CSV values like "=", "@" and "+" with a
 * "'". This will also place CSV values in "" if contain non-alphanumeric chars.
@ -21,17 +28,27 @@ type RawValue = string | object | null | undefined;
 *
 * See OWASP: https://www.owasp.org/index.php/CSV_Injection.
 */
-export function createEscapeValue(
-  quoteValues: boolean,
-  escapeFormulas: boolean
-): (val: RawValue) => string {
+export function createEscapeValue({
+  separator,
+  quoteValues,
+  escapeFormulaValues,
+}: {
+  separator: string;
+  quoteValues: boolean;
+  escapeFormulaValues: boolean;
+}): (val: RawValue) => string {
  return function escapeValue(val: RawValue) {
    if (val && typeof val === 'string') {
-      const formulasEscaped = escapeFormulas && cellHasFormulas(val) ? "'" + val : val;
-      if (quoteValues && nonAlphaNumRE.test(formulasEscaped)) {
-        return `"${formulasEscaped.replace(allDoubleQuoteRE, '""')}"`;
+      const formulasEscaped = escapeFormulaValues && cellHasFormulas(val) ? "'" + val : val;
+      if (quoteValues) {
+        if (nonAlphaNumRE.test(formulasEscaped)) {
+          return `"${formulasEscaped.replace(allDoubleQuoteRE, '""')}"`;
+        }
      }
    }
-    return val == null ? '' : val.toString();
+    // raw multi-terms are stringified as T1,T2,T3 so check if the final value contains the
+    // csv separator before returning (usually for raw values)
+    const stringVal = val == null ? '' : val.toString();
+    return quoteValues && shouldBeQuoted(stringVal, separator) ? `"${stringVal}"` : stringVal;
  };
 }
--- a/src/plugins/data/common/exports/export_csv.test.ts
+++ b/src/plugins/data/common/exports/export_csv.test.ts
@ -84,4 +84,16 @@ describe('CSV exporter', () => {
      })
    ).toMatch('columnOne\r\n"\'=1"\r\n');
  });
+
+  test('should escape text with csvSeparator char in it', () => {
+    const datatable = getDataTable();
+    datatable.rows[0].col1 = 'a,b';
+    expect(
+      datatableToCSV(datatable, {
+        ...getDefaultOptions(),
+        escapeFormulaValues: true,
+        formatFactory: () => ({ convert: (v: unknown) => v } as FieldFormat),
+      })
+    ).toMatch('columnOne\r\n"a,b"\r\n');
+  });
 });
--- a/src/plugins/data/common/exports/export_csv.tsx
+++ b/src/plugins/data/common/exports/export_csv.tsx
@ -27,7 +27,11 @@ export function datatableToCSV(
  { columns, rows }: Datatable,
  { csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }: CSVOptions
 ) {
-  const escapeValues = createEscapeValue(quoteValues, escapeFormulaValues);
+  const escapeValues = createEscapeValue({
+    separator: csvSeparator,
+    quoteValues,
+    escapeFormulaValues,
+  });
  // Build the header row by its names
  const header = columns.map((col) => escapeValues(col.name));

--- a/src/plugins/discover/public/utils/convert_value_to_string.ts
+++ b/src/plugins/discover/public/utils/convert_value_to_string.ts
@ -17,6 +17,8 @@ interface ConvertedResult {
  withFormula: boolean;
 }

+const separator = ',';
+
 export const convertValueToString = ({
  rowIndex,
  rows,
@ -77,7 +79,7 @@ export const convertValueToString = ({

      return stringify(formattedValue, disableMultiline) || '';
    })
-    .join(', ');
+    .join(`${separator} `);

  return {
    formattedString: formatted,
@ -97,7 +99,11 @@ const stringify = (val: object | string, disableMultiline: boolean) => {
  return disableMultiline ? JSON.stringify(val) : JSON.stringify(val, null, 2);
 };

-const escapeValueFn = createEscapeValue(true, true);
+const escapeValueFn = createEscapeValue({
+  separator,
+  quoteValues: true,
+  escapeFormulaValues: true,
+});

 const escapeFormattedValue = (formattedValue: string): string => {
  return escapeValueFn(formattedValue);