[Bug fix] Sanitize csv mails (#453)

* added an if statement to add quotation marks to csv files containing commas

* fixed issue

* fixed an issue with escape characters

* formatting

* removed debugging information

* changed implementation of the bug fix to a more robust solution

* formatting

* implemented comments

---------

Co-authored-by: Kresten Laust <[email protected]>

stregsystem/fixtures/testdata.json

@@ -58,6 +58,19 @@
       ]
     }
   },
+  {
+    "model": "stregsystem.product",
+    "pk": 42,
+    "fields": {
+      "name": "Fadøl, en is og et søm\"",
+      "price": 3000,
+      "active": true,
+      "deactivate_date": null,
+      "rooms": [
+        1
+      ]
+    }
+  },
   {
     "model": "stregsystem.product",
     "pk": 13,
@@ -144,6 +157,17 @@
       "price": 300
     }
   },
+  {
+    "model": "stregsystem.sale",
+    "pk": 3,
+    "fields": {
+      "member": 1,
+      "product": 42,
+      "room": 1,
+      "timestamp": "2017-03-13T13:38:10.573+00:00",
+      "price": 300
+    }
+  },
   {
     "model": "auth.user",
     "pk": 1,

stregsystem/mail.py

@@ -10,6 +10,7 @@
 from django.utils.html import escape
 from django.utils import timezone
 from stregsystem.templatetags.stregsystem_extras import money
+from stregsystem.utils import rows_to_csv
 
 logger = logging.getLogger(__name__)
 
@@ -35,11 +36,6 @@ def send_payment_mail(member, amount, mobilepay_comment):
 data_sent = {}
 
 
-# little function to make sure the csv data always has the same format
-def rows_to_csv(rows) -> str:
-    return "\n".join(','.join([str(item) for item in row]) for row in rows)
-
-
 def send_userdata_mail(member):
     from .models import Payment, Sale, MobilePayment
 
@@ -73,7 +69,7 @@ def send_userdata_mail(member):
         "send_csv.html",
         {**vars(member), "fember": member.username},
         f'{member.username} has requested their user data!',
-        {"sales.csv": sales_csv, "payments.csv": payments_csv, "userdata.csv": userdata_csv},
+        {"sales.csv": sales_csv.encode(), "payments.csv": payments_csv.encode(), "userdata.csv": userdata_csv.encode()},
     )
     member.save()
     return True

stregsystem/utils.py

@@ -1,5 +1,6 @@
 import logging
 import re
+import csv
 
 from django.utils.dateparse import parse_datetime
 from django.conf import settings
@@ -163,3 +164,18 @@ def __init__(self, racy_mbpayments: QuerySet):
         self.racy_mbpayments = racy_mbpayments
         self.inconsistent_mbpayments_count = self.racy_mbpayments.count()
         self.inconsistent_transaction_ids = [x.transaction_id for x in self.racy_mbpayments]
+
+
+class fakefile:
+    data = ""
+
+    def write(self, data):
+        self.data += data
+
+
+# little function to make sure the csv data always has the same format
+def rows_to_csv(rows) -> str:
+    file = fakefile()
+    # Converting elements in rows to strings to ensure it can be written to the file object
+    csv.writer(file).writerows([[str(item) for item in row] for row in rows])
+    return file.data