activities_helper.php
3 months ago
agent_helper.php
3 months ago
analytics_helper.php
4 months ago
auth_helper.php
3 months ago
blocks_helper.php
3 months ago
booking_helper.php
3 months ago
bricks_helper.php
3 months ago
bundles_helper.php
3 months ago
calendar_helper.php
3 months ago
carts_helper.php
3 months ago
connector_helper.php
3 months ago
csv_helper.php
3 months ago
customer_helper.php
3 months ago
customer_import_helper.php
3 months ago
database_helper.php
3 months ago
debug_helper.php
3 months ago
defaults_helper.php
3 months ago
elementor_helper.php
3 months ago
email_helper.php
3 months ago
encrypt_helper.php
3 months ago
events_helper.php
3 months ago
form_helper.php
3 months ago
icalendar_helper.php
3 months ago
image_helper.php
3 months ago
invoices_helper.php
3 months ago
license_helper.php
3 months ago
location_helper.php
3 months ago
marketing_systems_helper.php
3 months ago
meeting_systems_helper.php
3 months ago
menu_helper.php
3 months ago
meta_helper.php
3 months ago
migrations_helper.php
3 months ago
money_helper.php
3 months ago
notifications_helper.php
3 months ago
nps_survey_helper.php
3 months ago
order_intent_helper.php
3 months ago
orders_helper.php
3 months ago
otp_helper.php
3 months ago
pages_helper.php
3 months ago
params_helper.php
3 months ago
payments_helper.php
3 months ago
price_breakdown_helper.php
3 months ago
process_jobs_helper.php
3 months ago
processes_helper.php
3 months ago
replacer_helper.php
3 months ago
resource_helper.php
3 months ago
roles_helper.php
3 months ago
router_helper.php
3 months ago
service_helper.php
3 months ago
sessions_helper.php
3 months ago
settings_helper.php
3 months ago
short_links_systems_helper.php
3 months ago
shortcodes_helper.php
3 months ago
sms_helper.php
3 months ago
steps_helper.php
3 months ago
stripe_connect_helper.php
3 months ago
styles_helper.php
3 months ago
support_topics_helper.php
3 months ago
time_helper.php
3 months ago
timeline_helper.php
3 months ago
transaction_helper.php
3 months ago
transaction_intent_helper.php
3 months ago
util_helper.php
3 months ago
version_specific_updates_helper.php
3 months ago
whatsapp_helper.php
3 months ago
work_periods_helper.php
3 months ago
wp_datetime.php
3 months ago
wp_user_helper.php
3 months ago
csv_helper.php
167 lines
| 1 | <?php |
| 2 | |
| 3 | class OsCSVHelper { |
| 4 | /** |
| 5 | * Escape CSV formula injection by prefixing with single quote |
| 6 | * |
| 7 | * Prevents CSV formula injection attacks where formulas starting with =, +, -, @, tab, or pipe |
| 8 | * could execute when CSV is opened in Excel/Google Sheets/Apple Numbers. |
| 9 | * Uses single quote prefix which is recognized as a text marker across all major spreadsheet apps. |
| 10 | * |
| 11 | * @since 5.1.0 Security fix for CSV formula injection |
| 12 | * @param mixed $value Value to escape |
| 13 | * @return mixed Escaped value |
| 14 | */ |
| 15 | public static function escape_csv_formula( $value ) { |
| 16 | if ( ! is_string( $value ) || strlen( $value ) === 0 ) { |
| 17 | return $value; |
| 18 | } |
| 19 | |
| 20 | $first_char = $value[0]; |
| 21 | // OWASP-recommended dangerous prefixes: =, +, -, @, tab, pipe |
| 22 | $dangerous_chars = [ '=', '+', '-', '@', "\t", '|' ]; |
| 23 | |
| 24 | if ( in_array( $first_char, $dangerous_chars, true ) ) { |
| 25 | return "'" . $value; // Prepend single quote to neutralize formula |
| 26 | } |
| 27 | |
| 28 | // Strip embedded newlines to prevent multi-row injection |
| 29 | if ( strpos( $value, "\r" ) !== false || strpos( $value, "\n" ) !== false ) { |
| 30 | return str_replace( [ "\r", "\n" ], '', $value ); |
| 31 | } |
| 32 | |
| 33 | return $value; |
| 34 | } |
| 35 | |
| 36 | public static function array_to_csv( $data ) { |
| 37 | $output = fopen( 'php://output', 'wb' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fopen |
| 38 | foreach ( $data as $row ) { |
| 39 | // Escape each cell to prevent CSV formula injection |
| 40 | $escaped_row = array_map( [ self::class, 'escape_csv_formula' ], $row ); |
| 41 | fputcsv( $output, $escaped_row ); |
| 42 | } |
| 43 | fclose( $output ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose |
| 44 | } |
| 45 | |
| 46 | |
| 47 | public static function get_import_dir( bool $create = true ): string { |
| 48 | $wp_upload_dir = wp_upload_dir( null, $create ); |
| 49 | if ( $wp_upload_dir['error'] ) { |
| 50 | throw new \Exception( esc_html( $wp_upload_dir['error'] ) ); |
| 51 | } |
| 52 | |
| 53 | $upload_dir = trailingslashit( $wp_upload_dir['basedir'] ) . 'latepoint'; |
| 54 | if ( $create ) { |
| 55 | if ( ! file_exists( $upload_dir ) ) { |
| 56 | wp_mkdir_p( $upload_dir ); |
| 57 | } |
| 58 | } |
| 59 | return $upload_dir; |
| 60 | } |
| 61 | |
| 62 | public static function upload_csv_file( $files, $file_name ) { |
| 63 | if ( empty( $files[ $file_name ] ) ) { |
| 64 | throw new \Exception( 'File not selected' ); |
| 65 | } |
| 66 | |
| 67 | $file = $files[ $file_name ]; |
| 68 | |
| 69 | // Security: Validate file before upload (defense-in-depth) |
| 70 | if ( ! self::validate_csv_upload( $file ) ) { |
| 71 | throw new \Exception( 'Invalid CSV file format' ); |
| 72 | } |
| 73 | |
| 74 | $upload_dir = OsCsvHelper::get_import_dir(); |
| 75 | $tmp_name = uniqid( 'latepoint_customers_csv_' ) . '.csv'; |
| 76 | $filepath = $upload_dir . '/' . $tmp_name; |
| 77 | |
| 78 | if ( ! move_uploaded_file( $file['tmp_name'][0], $filepath ) ) { |
| 79 | throw new \Exception( 'Error uploading file' ); |
| 80 | } |
| 81 | set_transient( 'csv_import_file_' . OsWpUserHelper::get_current_user_id(), $filepath, 3600 ); |
| 82 | return $filepath; |
| 83 | } |
| 84 | |
| 85 | /** |
| 86 | * Validates CSV file upload using multiple layers of security checks. |
| 87 | * Defense-in-depth approach: extension check, MIME type check, and structure validation. |
| 88 | * |
| 89 | * @param array $file Uploaded file array from $_FILES |
| 90 | * @return bool True if file is valid CSV, false otherwise |
| 91 | */ |
| 92 | public static function validate_csv_upload( $file ): bool { |
| 93 | $file_name = is_array( $file['name'] ) ? $file['name'][0] : $file['name']; |
| 94 | $tmp_name = is_array( $file['tmp_name'] ) ? $file['tmp_name'][0] : $file['tmp_name']; |
| 95 | |
| 96 | if ( ! file_exists( $tmp_name ) ) { |
| 97 | return false; |
| 98 | } |
| 99 | |
| 100 | // Step 1: Validate extension and MIME type using WordPress |
| 101 | $allowed_mimes = [ |
| 102 | 'csv' => 'text/csv', |
| 103 | ]; |
| 104 | $validated = wp_check_filetype_and_ext( $tmp_name, $file_name, $allowed_mimes ); |
| 105 | if ( ! $validated['ext'] || ! $validated['type'] ) { |
| 106 | return false; |
| 107 | } |
| 108 | |
| 109 | // Step 2: Validate CSV structure by attempting to read first line |
| 110 | $handle = fopen( $tmp_name, 'r' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fopen |
| 111 | if ( $handle === false ) { |
| 112 | return false; |
| 113 | } |
| 114 | |
| 115 | $first_line = fgetcsv( $handle ); |
| 116 | fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose |
| 117 | |
| 118 | if ( ! is_array( $first_line ) || empty( $first_line ) ) { |
| 119 | return false; |
| 120 | } |
| 121 | |
| 122 | return true; |
| 123 | } |
| 124 | |
| 125 | |
| 126 | public static function is_valid_csv( $file_path ): bool { |
| 127 | $valid_filetypes = [ |
| 128 | 'csv' => 'text/csv', |
| 129 | 'txt' => 'text/plain', |
| 130 | ]; |
| 131 | |
| 132 | $filetype = wp_check_filetype( $file_path, $valid_filetypes ); |
| 133 | |
| 134 | if ( in_array( $filetype['type'], $valid_filetypes, true ) ) { |
| 135 | return true; |
| 136 | } |
| 137 | |
| 138 | return false; |
| 139 | } |
| 140 | |
| 141 | public static function get_csv_data( $file_path, $limit = false ) { |
| 142 | if ( ! file_exists( $file_path ) ) { |
| 143 | throw new \Exception( 'File does not exist' ); |
| 144 | } |
| 145 | |
| 146 | if ( ! OsCSVHelper::is_valid_csv( $file_path ) ) { |
| 147 | throw new \Exception( 'Invalid file format' ); |
| 148 | } |
| 149 | |
| 150 | $data = []; |
| 151 | $i = 0; |
| 152 | if ( ( $handle = fopen( $file_path, 'r' ) ) !== false ) { |
| 153 | while ( ( $row = fgetcsv( $handle ) ) !== false ) { |
| 154 | $data[] = $row; |
| 155 | $i++; |
| 156 | if ( $limit && $i >= $limit ) { |
| 157 | break; |
| 158 | } |
| 159 | } |
| 160 | fclose( $handle ); |
| 161 | } else { |
| 162 | throw new \Exception( 'Error reading file' ); |
| 163 | } |
| 164 | return $data; |
| 165 | } |
| 166 | } |
| 167 |