APPT-2062 Fixing CSV function injection (#1635)

Dave-O-NHS · web-flow · commit 43955af3f856 · 2026-04-23T10:00:19.000+01:00
# Description

This PR addresses security vulnerability CK2026-X3R0M-4637-01
(CSV/Formula Injection). It ensures that all exported CSV data is
properly neutralized and escaped before being transmitted to the user,
preventing malicious formula execution in spreadsheet applications like
Microsoft Excel.

# Checklist:

- [ ] My work is behind a feature toggle (if appropriate)
- [ ] If my work is behind a feature toggle, I've added a full suite of
tests for both the ON and OFF state
- [ ] The ticket number is in the Pull Request title, with format
"APPT-XXX: My Title Here"
- [ ] I have ran npm tsc / lint (in the future these will be ran
automatically)
- [ ] My code generates no new .NET warnings (in the future these will
be treated as errors)
- [ ] If I've added a new Function, it is disabled in all but one of the
terraform groups (e.g. http_functions)
- [ ] If I've added a new Function, it has both unit and integration
tests. Any request body validators have unit tests also
- [ ] If I've made UI changes, I've added appropriate Playwright and
Jest tests
- [ ] If I've added/updated an end-point, I've added the appropriate
annotations and tested the Swagger documentation reflects the change
diff --git a/src/api/Nhs.Appointments.Core/Reports/Helpers/CsvFormatter.cs b/src/api/Nhs.Appointments.Core/Reports/Helpers/CsvFormatter.cs
@@ -0,0 +1,21 @@
+namespace Nhs.Appointments.Core.Reports.Helpers;
+
+public static class CsvFormatter
+{
+    private static readonly char[] FormulaTriggers = { '=', '+', '-', '@' };
+
+    /// <summary>
+    /// Neutralizes CSV Injection (Formula Injection) and handles standard CSV escaping.
+    /// </summary>
+    public static string FormatValue(string value)
+    {
+        if (string.IsNullOrEmpty(value)) return "\"\"";
+
+        if (value.Trim().IndexOfAny(FormulaTriggers) == 0)
+        {
+            value = "'" + value;
+        }
+
+        return "\"" + value.Replace("\"", "\"\"") + "\"";
+    }
+}
diff --git a/src/api/Nhs.Appointments.Core/Reports/MasterSiteList/MasterSiteListReportCsvWriter.cs b/src/api/Nhs.Appointments.Core/Reports/MasterSiteList/MasterSiteListReportCsvWriter.cs
@@ -1,3 +1,4 @@
+using Nhs.Appointments.Core.Reports.Helpers;
 using Nhs.Appointments.Core.Sites;
 
 namespace Nhs.Appointments.Core.Reports.MasterSiteList;
@@ -17,8 +18,6 @@ public class MasterSiteListReportCsvWriter(TimeProvider timeProvider) : IMasterS
     private string BuildFileName() =>
     $"MasterSiteListReport_{timeProvider.GetUtcNow():yyyyMMddhhmmss}.csv";
 
-    private static string CsvStringValue(string value) => "\"" + value + "\"";
-
     private async Task CompileCsv(TextWriter csvWriter, IEnumerable<Site> sites)
     {
         await csvWriter.WriteLineAsync(string.Join(',', MasterSiteListReportMap.Headers()));
@@ -27,18 +26,18 @@ private async Task CompileCsv(TextWriter csvWriter, IEnumerable<Site> sites)
         {
             try
             {
-                await csvWriter.WriteLineAsync(string.Join(',', 
-                    CsvStringValue(MasterSiteListReportMap.SiteName(site)),
-                    CsvStringValue(MasterSiteListReportMap.OdsCode(site)), 
-                    CsvStringValue(MasterSiteListReportMap.SiteType(site)),
-                    CsvStringValue(MasterSiteListReportMap.Region(site)),
-                    CsvStringValue(MasterSiteListReportMap.ICB(site)),
-                    CsvStringValue(MasterSiteListReportMap.Guid(site)),
+                await csvWriter.WriteLineAsync(string.Join(',',
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.SiteName(site)),
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.OdsCode(site)), 
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.SiteType(site)),
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.Region(site)),
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.ICB(site)),
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.Guid(site)),
                     MasterSiteListReportMap.IsDeleted(site),
-                    CsvStringValue(MasterSiteListReportMap.Status(site)),
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.Status(site)),
                     MasterSiteListReportMap.Longitude(site),
                     MasterSiteListReportMap.Latitude(site),
-                    CsvStringValue(MasterSiteListReportMap.Address(site))
+                    CsvFormatter.FormatValue(MasterSiteListReportMap.Address(site))
                    ));
 
             }
diff --git a/src/api/Nhs.Appointments.Core/Reports/SiteSummary/SiteReportCsvWriter.cs b/src/api/Nhs.Appointments.Core/Reports/SiteSummary/SiteReportCsvWriter.cs
@@ -1,3 +1,4 @@
+using Nhs.Appointments.Core.Reports.Helpers;
 using Nhs.Appointments.Core.Sites;
 
 namespace Nhs.Appointments.Core.Reports.SiteSummary;
@@ -21,8 +22,6 @@ private string BuildFileName(DateOnly startDate,
         DateOnly endDate) =>
         $"SiteReport_{startDate:yyyy-MM-dd}_{endDate:yyyy-MM-dd}_{timeProvider.GetUtcNow():yyyyMMddhhmmss}.csv";
 
-    private static string CsvStringValue(string value) => "\"" + value + "\"";
-
     private async Task CompileCsv(TextWriter csvWriter, List<SiteReport> siteReports)
     {
         var distinctServices = siteReports.SelectMany(x => x.Bookings.Keys)
@@ -33,18 +32,22 @@ private async Task CompileCsv(TextWriter csvWriter, List<SiteReport> siteReports
 
         foreach (var siteReport in siteReports)
         {
-            await csvWriter.WriteLineAsync(string.Join(',', CsvStringValue(SiteReportMap.SiteName(siteReport)),
-                CsvStringValue(SiteReportMap.Status(siteReport)),
-                CsvStringValue(SiteReportMap.SiteType(siteReport)),
-                CsvStringValue(SiteReportMap.ICB(siteReport)), CsvStringValue(SiteReportMap.ICBName(siteReport)),
-                CsvStringValue(SiteReportMap.Region(siteReport)), CsvStringValue(SiteReportMap.RegionName(siteReport)),
-                CsvStringValue(SiteReportMap.OdsCode(siteReport)), SiteReportMap.Longitude(siteReport),
+            await csvWriter.WriteLineAsync(string.Join(',', 
+                CsvFormatter.FormatValue(SiteReportMap.SiteName(siteReport)),
+                CsvFormatter.FormatValue(SiteReportMap.Status(siteReport)),
+                CsvFormatter.FormatValue(SiteReportMap.SiteType(siteReport)),
+                CsvFormatter.FormatValue(SiteReportMap.ICB(siteReport)), 
+                CsvFormatter.FormatValue(SiteReportMap.ICBName(siteReport)),
+                CsvFormatter.FormatValue(SiteReportMap.Region(siteReport)), 
+                CsvFormatter.FormatValue(SiteReportMap.RegionName(siteReport)),
+                CsvFormatter.FormatValue(SiteReportMap.OdsCode(siteReport)), 
+                SiteReportMap.Longitude(siteReport),
                 SiteReportMap.Latitude(siteReport),
                 string.Join(',', distinctServices.Select(service => SiteReportMap.BookingsCount(siteReport, service))),
                 SiteReportMap.TotalBookings(siteReport).ToString(), SiteReportMap.Cancelled(siteReport).ToString(),
                 SiteReportMap.MaximumCapacity(siteReport).ToString(),
-                string.Join(',',
-                    distinctServices.Select(service => SiteReportMap.CapacityCount(siteReport, service)))));
+                string.Join(',',distinctServices.Select(service => SiteReportMap.CapacityCount(siteReport, service)))
+            ));
         }
     }
 }
diff --git a/tests/Nhs.Appointments.Core.UnitTests/Reports/Helpers/CsvFormatterTests.cs b/tests/Nhs.Appointments.Core.UnitTests/Reports/Helpers/CsvFormatterTests.cs
@@ -0,0 +1,39 @@
+using Nhs.Appointments.Core.Reports.Helpers;
+
+namespace Nhs.Appointments.Core.UnitTests.Reports.Helpers;
+
+public class CsvFormatterTests
+{
+    [Theory]
+    // Standard cases
+    [InlineData("Robin Lane", "\"Robin Lane\"")]
+    [InlineData("", "\"\"")]
+    [InlineData(null, "\"\"")]
+
+    // Security: Formula Injection neutralization
+    [InlineData("=SUM(1,1)", "\"'=SUM(1,1)\"")]
+    [InlineData("+44123", "\"'+44123\"")]
+    [InlineData("-12.5", "\"'-12.5\"")]
+    [InlineData("@username", "\"'@username\"")]
+
+    // These test that even if there are spaces/tabs before the trigger, we still neutralize it.
+    [InlineData(" =SUM(1,1)", "\"' =SUM(1,1)\"")]   // Leading space
+    [InlineData("  @admin", "\"'  @admin\"")]       // Multiple spaces
+    [InlineData("\t-5", "\"'\t-5\"")]                // Leading tab
+    [InlineData("\r+10", "\"'\r+10\"")]              // Leading carriage return
+
+    // Integrity: Double quote escaping
+    [InlineData("Health \"Express\"", "\"Health \"\"Express\"\"\"")]
+    [InlineData("\"Quoted\"", "\"\"\"Quoted\"\"\"")]
+
+    // Combined: Formula + Quotes
+    [InlineData("=A1&\"leak\"", "\"'=A1&\"\"leak\"\"\"")]
+    public void FormatValue_ShouldNeutralizeAndEscapeCorrectly(string input, string expected)
+    {
+        // Act
+        var result = CsvFormatter.FormatValue(input);
+
+        // Assert
+        result.Should().Be(expected);
+    }
+}
