Block CSV injection in Issue creation input fields

Added by Amirthalingam N over 2 years ago

When a spreadsheet program such as Excel or LibreOffice Calc is used to open a CSV/XLS/XLSX, any cells starting with =, +, -, @ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for multiple attacks:
- Executing client-side system commands
- Exploiting known vulnerabilities in spreadsheet software
- Exfiltrating the contents of the spreadsheet to an external source
- Phishing

It was observed that a user can add a subject and description of an issue that contain malicious spreadsheet formulas; those formulas will be executed on the client side, which exports the objects through a CSV file and an XLSX file.

Example:
1. Add an issue with the subject name:
=HYPERLINK
3. Export the CSV file
4. Open the CSV locally, you will see a cell with the following payload:
“Click here”, and if clicked, you will be redirected to <sample site>
Solution:
========
The best way to mitigate against this type of issue is to make sure all user inputs are filtered so only expected characters are allowed. To mitigate against CSV injections, a default-deny regular expression or “whitelist” regular

Code Changes for field validation:
==================================
File Name:= \models\issue.rb
line no: 68
You can edit regular expressions as per your requirements

# added for subject and description validation to avoid CSV injection
# \A and \z anchor the whole string (\Z would let a trailing newline through);
# the "-" is kept last in each character class so it is a literal hyphen and not
# a range (".-;" would otherwise silently match every character from "." to ";")
validates_format_of :subject, with: /\A[a-zA-Z0-9\s_.-]+\z/, message: "not valid. special characters are not allowed"
validates_format_of :description, with: /\A[a-zA-Z0-9\s_.;:,-]+\z/, message: "not valid. Some special characters are not allowed"
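Added example, not code from the post or from Redmine: a stand-alone Ruby sketch of the two defensive layers for this issue, the input whitelist the post proposes and OWASP-style neutralisation of formula-like cells at CSV export time, so a subject such as the post's `=HYPERLINK` payload is stored as text rather than evaluated. The `export_issues_csv` helper and the sample issues are constructed for illustration and are not Redmine's exporter.

```ruby
require "csv"

# Leading characters that spreadsheet programs treat as the start of a formula.
# The post lists = + - @; OWASP's CSV-injection guidance also names tab and
# carriage return, so both are included here.
FORMULA_PREFIXES = ["=", "+", "-", "@", "\t", "\r"].freeze

# Whitelist in the spirit of the post's validates_format_of for :subject.
# \A..\z anchor the whole string; "-" is last in the class so it is literal.
SUBJECT_PATTERN = /\A[a-zA-Z0-9\s_.-]+\z/

def allowed_subject?(subject)
  SUBJECT_PATTERN.match?(subject.to_s)
end

# True when a cell would be evaluated as a formula if the export were opened
# in a spreadsheet program.
def formula_like?(cell)
  cell = cell.to_s
  FORMULA_PREFIXES.any? { |prefix| cell.start_with?(prefix) }
end

# Export-side defence: prefix a leading apostrophe so the spreadsheet stores the
# value as text. Quoting of the cell (and doubling of embedded quotes) is left
# to the CSV library below.
def neutralize_cell(cell)
  cell = cell.to_s
  formula_like?(cell) ? "'#{cell}" : cell
end

# Generate CSV text for a list of issue hashes, defusing user-controlled fields.
def export_issues_csv(issues)
  CSV.generate(force_quotes: true) do |csv|
    csv << %w[id subject description]
    issues.each do |issue|
      csv << [issue[:id], neutralize_cell(issue[:subject]), neutralize_cell(issue[:description])]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample issues; the second mirrors the post's =HYPERLINK subject.
  sample = [
    { id: 1, subject: "Login page times out", description: "Happens after 30s." },
    { id: 2, subject: '=HYPERLINK("http://example.invalid","Click here")', description: "-1+1" },
  ]
  puts "subject 2 passes whitelist? #{allowed_subject?(sample[1][:subject])}"
  puts export_issues_csv(sample)
end
```

Reading the generated CSV back with `CSV.parse` shows the apostrophe-prefixed subject intact, which is the value a spreadsheet would display instead of following the link.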