Skip to main content

defang_formula

Function defang_formula 

Source
pub fn defang_formula(cell: &str) -> String
Expand description

Defang a free-text CSV cell against formula injection (CWE-1236) by prefixing a single quote when the cell begins with a spreadsheet formula trigger (=, +, -, @, tab, or carriage return), the OWASP-recommended mitigation. The quote makes a spreadsheet treat the whole cell as a literal string; the RFC 4180 quoting the csv crate applies does not defang formulas (a quoted "=cmd" still evaluates on import). Cells that do not start with a trigger — the overwhelming majority — are returned unchanged with no allocation beyond the owned String the row requires.

Apply this to every free-text, user-controlled CSV cell whose value can be derived from repository content (file paths, identifier names). Numeric or enum-valued cells that can never begin with a trigger character need no defang. This is the shared helper behind both the FuncSpace CSV writer here and the VCS-report CSV writer in the CLI crate; do not duplicate the trigger list.