PluginProbe ʕ •ᴥ•ʔ
LatePoint – Calendar Booking Plugin for Appointments and Events / trunk
LatePoint – Calendar Booking Plugin for Appointments and Events vtrunk
5.6.7 5.6.6 5.6.5 5.6.4 5.6.3 5.6.2 5.6.1 5.6.0 5.5.2 5.5.1 5.5.0 5.4.2 trunk 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.1.91 5.1.92 5.1.93 5.1.94 5.2.0 5.2.1 5.2.10 5.2.11 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.3.0 5.3.1 5.3.2 5.4.0 5.4.1
latepoint / lib / helpers / csv_helper.php
latepoint / lib / helpers Last commit date
activities_helper.php 3 months ago agent_helper.php 3 months ago analytics_helper.php 1 week ago auth_helper.php 6 days ago blocks_helper.php 3 weeks ago booking_helper.php 4 days ago bricks_helper.php 3 months ago bundles_helper.php 4 days ago calendar_helper.php 3 days ago carts_helper.php 3 months ago connector_helper.php 3 months ago csv_helper.php 3 months ago customer_helper.php 1 month ago customer_import_helper.php 1 month ago database_helper.php 1 week ago debug_helper.php 3 months ago defaults_helper.php 3 months ago elementor_helper.php 3 months ago email_helper.php 3 months ago encrypt_helper.php 3 months ago events_helper.php 3 months ago form_helper.php 3 months ago icalendar_helper.php 3 months ago image_helper.php 3 months ago invoices_helper.php 3 weeks ago license_helper.php 3 months ago location_helper.php 3 months ago marketing_systems_helper.php 3 months ago meeting_systems_helper.php 3 months ago menu_helper.php 3 weeks ago meta_helper.php 3 months ago migrations_helper.php 3 months ago money_helper.php 3 months ago notifications_helper.php 3 months ago nps_survey_helper.php 3 months ago order_intent_helper.php 2 months ago orders_helper.php 11 hours ago otp_helper.php 3 months ago pages_helper.php 3 months ago params_helper.php 3 months ago payments_helper.php 11 hours ago plugin_version_update_helper.php 2 months ago price_breakdown_helper.php 3 months ago process_jobs_helper.php 3 months ago processes_helper.php 3 months ago razorpay_connect_helper.php 1 week ago replacer_helper.php 3 months ago resource_helper.php 4 days ago roles_helper.php 3 weeks ago router_helper.php 3 months ago service_helper.php 3 months ago sessions_helper.php 3 months ago settings_helper.php 1 week ago short_links_systems_helper.php 3 months ago shortcodes_helper.php 3 weeks ago sms_helper.php 3 months ago steps_helper.php 11 hours ago stripe_connect_helper.php 1 week ago styles_helper.php 3 months ago support_topics_helper.php 3 months ago time_helper.php 2 months ago timeline_helper.php 2 months ago transaction_helper.php 1 month ago transaction_intent_helper.php 3 months ago util_helper.php 1 month ago version_specific_updates_helper.php 3 months ago whatsapp_helper.php 1 month ago work_periods_helper.php 3 months ago wp_datetime.php 3 months ago wp_user_helper.php 3 months ago
csv_helper.php
167 lines
1 <?php
2
3 class OsCSVHelper {
4 /**
5 * Escape CSV formula injection by prefixing with single quote
6 *
7 * Prevents CSV formula injection attacks where formulas starting with =, +, -, @, tab, or pipe
8 * could execute when CSV is opened in Excel/Google Sheets/Apple Numbers.
9 * Uses single quote prefix which is recognized as a text marker across all major spreadsheet apps.
10 *
11 * @since 5.1.0 Security fix for CSV formula injection
12 * @param mixed $value Value to escape
13 * @return mixed Escaped value
14 */
15 public static function escape_csv_formula( $value ) {
16 if ( ! is_string( $value ) || strlen( $value ) === 0 ) {
17 return $value;
18 }
19
20 $first_char = $value[0];
21 // OWASP-recommended dangerous prefixes: =, +, -, @, tab, pipe
22 $dangerous_chars = [ '=', '+', '-', '@', "\t", '|' ];
23
24 if ( in_array( $first_char, $dangerous_chars, true ) ) {
25 return "'" . $value; // Prepend single quote to neutralize formula
26 }
27
28 // Strip embedded newlines to prevent multi-row injection
29 if ( strpos( $value, "\r" ) !== false || strpos( $value, "\n" ) !== false ) {
30 return str_replace( [ "\r", "\n" ], '', $value );
31 }
32
33 return $value;
34 }
35
36 public static function array_to_csv( $data ) {
37 $output = fopen( 'php://output', 'wb' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fopen
38 foreach ( $data as $row ) {
39 // Escape each cell to prevent CSV formula injection
40 $escaped_row = array_map( [ self::class, 'escape_csv_formula' ], $row );
41 fputcsv( $output, $escaped_row );
42 }
43 fclose( $output ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose
44 }
45
46
47 public static function get_import_dir( bool $create = true ): string {
48 $wp_upload_dir = wp_upload_dir( null, $create );
49 if ( $wp_upload_dir['error'] ) {
50 throw new \Exception( esc_html( $wp_upload_dir['error'] ) );
51 }
52
53 $upload_dir = trailingslashit( $wp_upload_dir['basedir'] ) . 'latepoint';
54 if ( $create ) {
55 if ( ! file_exists( $upload_dir ) ) {
56 wp_mkdir_p( $upload_dir );
57 }
58 }
59 return $upload_dir;
60 }
61
62 public static function upload_csv_file( $files, $file_name ) {
63 if ( empty( $files[ $file_name ] ) ) {
64 throw new \Exception( 'File not selected' );
65 }
66
67 $file = $files[ $file_name ];
68
69 // Security: Validate file before upload (defense-in-depth)
70 if ( ! self::validate_csv_upload( $file ) ) {
71 throw new \Exception( 'Invalid CSV file format' );
72 }
73
74 $upload_dir = OsCsvHelper::get_import_dir();
75 $tmp_name = uniqid( 'latepoint_customers_csv_' ) . '.csv';
76 $filepath = $upload_dir . '/' . $tmp_name;
77
78 if ( ! move_uploaded_file( $file['tmp_name'][0], $filepath ) ) {
79 throw new \Exception( 'Error uploading file' );
80 }
81 set_transient( 'csv_import_file_' . OsWpUserHelper::get_current_user_id(), $filepath, 3600 );
82 return $filepath;
83 }
84
85 /**
86 * Validates CSV file upload using multiple layers of security checks.
87 * Defense-in-depth approach: extension check, MIME type check, and structure validation.
88 *
89 * @param array $file Uploaded file array from $_FILES
90 * @return bool True if file is valid CSV, false otherwise
91 */
92 public static function validate_csv_upload( $file ): bool {
93 $file_name = is_array( $file['name'] ) ? $file['name'][0] : $file['name'];
94 $tmp_name = is_array( $file['tmp_name'] ) ? $file['tmp_name'][0] : $file['tmp_name'];
95
96 if ( ! file_exists( $tmp_name ) ) {
97 return false;
98 }
99
100 // Step 1: Validate extension and MIME type using WordPress
101 $allowed_mimes = [
102 'csv' => 'text/csv',
103 ];
104 $validated = wp_check_filetype_and_ext( $tmp_name, $file_name, $allowed_mimes );
105 if ( ! $validated['ext'] || ! $validated['type'] ) {
106 return false;
107 }
108
109 // Step 2: Validate CSV structure by attempting to read first line
110 $handle = fopen( $tmp_name, 'r' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fopen
111 if ( $handle === false ) {
112 return false;
113 }
114
115 $first_line = fgetcsv( $handle );
116 fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose
117
118 if ( ! is_array( $first_line ) || empty( $first_line ) ) {
119 return false;
120 }
121
122 return true;
123 }
124
125
126 public static function is_valid_csv( $file_path ): bool {
127 $valid_filetypes = [
128 'csv' => 'text/csv',
129 'txt' => 'text/plain',
130 ];
131
132 $filetype = wp_check_filetype( $file_path, $valid_filetypes );
133
134 if ( in_array( $filetype['type'], $valid_filetypes, true ) ) {
135 return true;
136 }
137
138 return false;
139 }
140
141 public static function get_csv_data( $file_path, $limit = false ) {
142 if ( ! file_exists( $file_path ) ) {
143 throw new \Exception( 'File does not exist' );
144 }
145
146 if ( ! OsCSVHelper::is_valid_csv( $file_path ) ) {
147 throw new \Exception( 'Invalid file format' );
148 }
149
150 $data = [];
151 $i = 0;
152 if ( ( $handle = fopen( $file_path, 'r' ) ) !== false ) {
153 while ( ( $row = fgetcsv( $handle ) ) !== false ) {
154 $data[] = $row;
155 $i++;
156 if ( $limit && $i >= $limit ) {
157 break;
158 }
159 }
160 fclose( $handle );
161 } else {
162 throw new \Exception( 'Error reading file' );
163 }
164 return $data;
165 }
166 }
167