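/// <summary>
/// Verifies that <see cref="NoFormulaeExcelSanitizer.IsThreat"/> does not flag plain prose
/// as a formula-injection threat.
/// </summary>
public void IsThreat_WithSafeInput_ReturnsFalse()
        {
            // Arrange
            string input = "This is a safe input.";
            NoFormulaeExcelSanitizer sanitizer = new NoFormulaeExcelSanitizer();

            // Act
            bool result = sanitizer.IsThreat(input);

            // Assert: Assert.False gives a direct failure message; Assert.Equal(false, x)
            // is the form the xUnit analyzers flag (xUnit2004).
            Assert.False(result);
        }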
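        /// <summary>
        /// Verifies that <see cref="NoFormulaeExcelSanitizer.IsThreat"/> flags a string that a
        /// spreadsheet would evaluate as a formula (a leading '=' with a DDE-style body).
        /// </summary>
        public void IsThreat_WithUnsafeInput_ReturnsTrue()
        {
            // Arrange
            string input = "=cmd|'/C ping 127.0.0.1'!A0";
            NoFormulaeExcelSanitizer sanitizer = new NoFormulaeExcelSanitizer();

            // Act
            bool result = sanitizer.IsThreat(input);

            // Assert: Assert.True gives a direct failure message; Assert.Equal(true, x)
            // is the form the xUnit analyzers flag (xUnit2004).
            Assert.True(result);
        }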
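        /// <summary>
        /// Prepares one value for output as a CSV field: null and "0.000" become an empty
        /// field, formula-injection payloads are neutralised through
        /// <paramref name="excelSanitizer"/>, the field is quoted when it contains a comma or a
        /// double quote, line breaks are collapsed to spaces and the result is trimmed.
        /// </summary>
        /// <param name="value">The raw cell value; may be null.</param>
        /// <param name="excelSanitizer">Detects and rewrites strings a spreadsheet would evaluate as formulae.</param>
        /// <returns>The encoded field text; never null.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="excelSanitizer"/> is null.</exception>
        public static string EncodeAndCheck(string value, NoFormulaeExcelSanitizer excelSanitizer)
        {
            if (excelSanitizer == null)
            {
                throw new ArgumentNullException(nameof(excelSanitizer));
            }

            // Null and the literal "0.000" are both emitted as an empty field.
            string result = value == null || value.Equals("0.000") ? string.Empty : value;

            if (excelSanitizer.IsThreat(result))
            {
                // NOTE(review): the unsanitised value goes to the trace log before line breaks
                // are collapsed below; strip them first if the log is consumed line by line.
                var message = string.Format(
                    "A potentially dangerous string was identified and sanitised when writing CSV data. The value was \"{0}\".",
                    result);
                Trace.TraceWarning(message);
                result = excelSanitizer.Sanitize(result);
            }

            // Quote the *sanitised* text, never the incoming 'value': wrapping the raw value
            // here would re-emit the unsanitised payload whenever it contains a comma.
            // Embedded double quotes are doubled so the quoted field stays well-formed CSV.
            if (result.Contains(",") || result.Contains("\""))
            {
                result = string.Concat("\"", result.Replace("\"", "\"\""), "\"");
            }

            // Line breaks would split the field across CSV rows; flatten them to spaces.
            result = result.Replace("\r\n", " ");
            result = result.Replace("\n\n", " ");
            result = result.Replace("\r", " ");
            result = result.Replace("\n", " ");

            return result.Trim();
        }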