PluginProbe ʕ •ᴥ•ʔ
LatePoint – Calendar Booking Plugin for Appointments and Events / 5.2.11
LatePoint – Calendar Booking Plugin for Appointments and Events v5.2.11
5.6.6 5.6.5 5.6.4 5.6.3 5.6.2 5.6.1 5.6.0 5.5.2 5.5.1 5.5.0 5.4.2 trunk 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.1.91 5.1.92 5.1.93 5.1.94 5.2.0 5.2.1 5.2.10 5.2.11 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.3.0 5.3.1 5.3.2 5.4.0 5.4.1
latepoint / lib / helpers / csv_helper.php
latepoint / lib / helpers Last commit date
activities_helper.php 3 months ago agent_helper.php 3 months ago analytics_helper.php 4 months ago auth_helper.php 3 months ago blocks_helper.php 3 months ago booking_helper.php 3 months ago bricks_helper.php 3 months ago bundles_helper.php 3 months ago calendar_helper.php 3 months ago carts_helper.php 3 months ago connector_helper.php 3 months ago csv_helper.php 3 months ago customer_helper.php 3 months ago customer_import_helper.php 3 months ago database_helper.php 3 months ago debug_helper.php 3 months ago defaults_helper.php 3 months ago elementor_helper.php 3 months ago email_helper.php 3 months ago encrypt_helper.php 3 months ago events_helper.php 3 months ago form_helper.php 3 months ago icalendar_helper.php 3 months ago image_helper.php 3 months ago invoices_helper.php 3 months ago license_helper.php 3 months ago location_helper.php 3 months ago marketing_systems_helper.php 3 months ago meeting_systems_helper.php 3 months ago menu_helper.php 3 months ago meta_helper.php 3 months ago migrations_helper.php 3 months ago money_helper.php 3 months ago notifications_helper.php 3 months ago nps_survey_helper.php 3 months ago order_intent_helper.php 3 months ago orders_helper.php 3 months ago otp_helper.php 3 months ago pages_helper.php 3 months ago params_helper.php 3 months ago payments_helper.php 3 months ago price_breakdown_helper.php 3 months ago process_jobs_helper.php 3 months ago processes_helper.php 3 months ago replacer_helper.php 3 months ago resource_helper.php 3 months ago roles_helper.php 3 months ago router_helper.php 3 months ago service_helper.php 3 months ago sessions_helper.php 3 months ago settings_helper.php 3 months ago short_links_systems_helper.php 3 months ago shortcodes_helper.php 3 months ago sms_helper.php 3 months ago steps_helper.php 3 months ago stripe_connect_helper.php 3 months ago styles_helper.php 3 months ago support_topics_helper.php 3 months ago time_helper.php 3 months ago timeline_helper.php 3 months ago transaction_helper.php 3 months ago transaction_intent_helper.php 3 months ago util_helper.php 3 months ago version_specific_updates_helper.php 3 months ago whatsapp_helper.php 3 months ago work_periods_helper.php 3 months ago wp_datetime.php 3 months ago wp_user_helper.php 3 months ago
csv_helper.php
167 lines
1 <?php
2
3 class OsCSVHelper {
4 /**
5 * Escape CSV formula injection by prefixing with single quote
6 *
7 * Prevents CSV formula injection attacks where formulas starting with =, +, -, @, tab, or pipe
8 * could execute when CSV is opened in Excel/Google Sheets/Apple Numbers.
9 * Uses single quote prefix which is recognized as a text marker across all major spreadsheet apps.
10 *
11 * @since 5.1.0 Security fix for CSV formula injection
12 * @param mixed $value Value to escape
13 * @return mixed Escaped value
14 */
15 public static function escape_csv_formula( $value ) {
16 if ( ! is_string( $value ) || strlen( $value ) === 0 ) {
17 return $value;
18 }
19
20 $first_char = $value[0];
21 // OWASP-recommended dangerous prefixes: =, +, -, @, tab, pipe
22 $dangerous_chars = [ '=', '+', '-', '@', "\t", '|' ];
23
24 if ( in_array( $first_char, $dangerous_chars, true ) ) {
25 return "'" . $value; // Prepend single quote to neutralize formula
26 }
27
28 // Strip embedded newlines to prevent multi-row injection
29 if ( strpos( $value, "\r" ) !== false || strpos( $value, "\n" ) !== false ) {
30 return str_replace( [ "\r", "\n" ], '', $value );
31 }
32
33 return $value;
34 }
35
36 public static function array_to_csv( $data ) {
37 $output = fopen( 'php://output', 'wb' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fopen
38 foreach ( $data as $row ) {
39 // Escape each cell to prevent CSV formula injection
40 $escaped_row = array_map( [ self::class, 'escape_csv_formula' ], $row );
41 fputcsv( $output, $escaped_row );
42 }
43 fclose( $output ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose
44 }
45
46
47 public static function get_import_dir( bool $create = true ): string {
48 $wp_upload_dir = wp_upload_dir( null, $create );
49 if ( $wp_upload_dir['error'] ) {
50 throw new \Exception( esc_html( $wp_upload_dir['error'] ) );
51 }
52
53 $upload_dir = trailingslashit( $wp_upload_dir['basedir'] ) . 'latepoint';
54 if ( $create ) {
55 if ( ! file_exists( $upload_dir ) ) {
56 wp_mkdir_p( $upload_dir );
57 }
58 }
59 return $upload_dir;
60 }
61
62 public static function upload_csv_file( $files, $file_name ) {
63 if ( empty( $files[ $file_name ] ) ) {
64 throw new \Exception( 'File not selected' );
65 }
66
67 $file = $files[ $file_name ];
68
69 // Security: Validate file before upload (defense-in-depth)
70 if ( ! self::validate_csv_upload( $file ) ) {
71 throw new \Exception( 'Invalid CSV file format' );
72 }
73
74 $upload_dir = OsCsvHelper::get_import_dir();
75 $tmp_name = uniqid( 'latepoint_customers_csv_' ) . '.csv';
76 $filepath = $upload_dir . '/' . $tmp_name;
77
78 if ( ! move_uploaded_file( $file['tmp_name'][0], $filepath ) ) {
79 throw new \Exception( 'Error uploading file' );
80 }
81 set_transient( 'csv_import_file_' . OsWpUserHelper::get_current_user_id(), $filepath, 3600 );
82 return $filepath;
83 }
84
85 /**
86 * Validates CSV file upload using multiple layers of security checks.
87 * Defense-in-depth approach: extension check, MIME type check, and structure validation.
88 *
89 * @param array $file Uploaded file array from $_FILES
90 * @return bool True if file is valid CSV, false otherwise
91 */
92 public static function validate_csv_upload( $file ): bool {
93 $file_name = is_array( $file['name'] ) ? $file['name'][0] : $file['name'];
94 $tmp_name = is_array( $file['tmp_name'] ) ? $file['tmp_name'][0] : $file['tmp_name'];
95
96 if ( ! file_exists( $tmp_name ) ) {
97 return false;
98 }
99
100 // Step 1: Validate extension and MIME type using WordPress
101 $allowed_mimes = [
102 'csv' => 'text/csv',
103 ];
104 $validated = wp_check_filetype_and_ext( $tmp_name, $file_name, $allowed_mimes );
105 if ( ! $validated['ext'] || ! $validated['type'] ) {
106 return false;
107 }
108
109 // Step 2: Validate CSV structure by attempting to read first line
110 $handle = fopen( $tmp_name, 'r' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fopen
111 if ( $handle === false ) {
112 return false;
113 }
114
115 $first_line = fgetcsv( $handle );
116 fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose
117
118 if ( ! is_array( $first_line ) || empty( $first_line ) ) {
119 return false;
120 }
121
122 return true;
123 }
124
125
126 public static function is_valid_csv( $file_path ): bool {
127 $valid_filetypes = [
128 'csv' => 'text/csv',
129 'txt' => 'text/plain',
130 ];
131
132 $filetype = wp_check_filetype( $file_path, $valid_filetypes );
133
134 if ( in_array( $filetype['type'], $valid_filetypes, true ) ) {
135 return true;
136 }
137
138 return false;
139 }
140
141 public static function get_csv_data( $file_path, $limit = false ) {
142 if ( ! file_exists( $file_path ) ) {
143 throw new \Exception( 'File does not exist' );
144 }
145
146 if ( ! OsCSVHelper::is_valid_csv( $file_path ) ) {
147 throw new \Exception( 'Invalid file format' );
148 }
149
150 $data = [];
151 $i = 0;
152 if ( ( $handle = fopen( $file_path, 'r' ) ) !== false ) {
153 while ( ( $row = fgetcsv( $handle ) ) !== false ) {
154 $data[] = $row;
155 $i++;
156 if ( $limit && $i >= $limit ) {
157 break;
158 }
159 }
160 fclose( $handle );
161 } else {
162 throw new \Exception( 'Error reading file' );
163 }
164 return $data;
165 }
166 }
167