
[Security] CSV injection via contact names — formula injection in export #27

@hhhashexe

Description


Contact names can contain spreadsheet formulas (=CMD("calc.exe"), +cmd|" /C calc"!A0). They are stored verbatim and written to the CSV export without neutralization, so the exported file carries the formula into whatever spreadsheet opens it.

When a user exports contacts via /api/contacts/export, the CSV contains:

phone,name
"+15559999999","=CMD(""calc.exe"")"
"+15558888888","+cmd|"" /C calc""!A0"

Steps to Reproduce

  1. Create a contact with name =CMD("calc.exe")
  2. Go to Settings → Import/Export → Export CSV
  3. Open the exported file in Excel, LibreOffice Calc or Google Sheets
  4. The name cell is parsed as a formula. Whether it actually executes depends on the application and its security settings (Excel prompts before following a DDE link such as cmd|...; Google Sheets has no DDE but evaluates formulas such as HYPERLINK and IMPORTXML)

Impact

  • CSV Injection / Formula Injection (CWE-1236) — attacker-controlled text is evaluated as a formula when the export is opened in spreadsheet software
  • An attacker who can get a malicious name stored against their phone number in the victim's contacts (e.g., via social engineering or an imported contact list) gets a payload that fires when the victim exports contacts
  • Depending on the spreadsheet application this means data exfiltration (formulas that fetch a URL with cell contents appended, as in Google Sheets) or command execution after a warning prompt (DDE in Excel)

Fix

Prefix cell values starting with =, +, -, @, \t, \r, \n with a single quote, which makes the spreadsheet treat the cell as literal text (this is the standard OWASP mitigation). Keep the existing RFC 4180 quoting (wrap every field in double quotes, double any embedded double quote) on top of it; the quote prefix alone does not protect against a field that breaks out of its cell. Note that the phone column in this export also begins with +, so either apply the prefix only to free-text columns after strictly validating phone numbers, or accept that phone numbers also receive a leading quote.

// Neutralize a value that a spreadsheet would otherwise parse as a formula.
// Leading =, +, -, @ start a formula in Excel / LibreOffice / Google Sheets;
// tab, CR and LF can break the cell context. A leading single quote forces
// the cell to be read as text. Call this before CSV quoting, not instead of it.
function sanitizeCsvValue(value: string): string {
  if (/^[=+\-@\t\r\n]/.test(value)) {
    return "'" + value;
  }
  return value;
}
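To show how the prefix fits into a complete export, here is an added example (not the project's own export code) of a CSV writer that neutralizes formula triggers in free-text fields, validates the phone column against E.164 so that its legitimate leading + is kept, and applies RFC 4180 quoting. The Contact shape, the E.164 assumption for phone numbers and the sample rows are assumptions made for this example; the first two rows reuse the payloads from the report.

```typescript
// Added example, not the project's code. Assumes contacts are {phone, name}
// objects and that phone numbers are stored in E.164 form (+ followed by digits).

interface Contact {
  phone: string;
  name: string;
}

// Characters that Excel, LibreOffice Calc and Google Sheets treat as the start
// of a formula (=, +, -, @) or that can break out of the cell (tab, CR, LF).
const FORMULA_TRIGGERS = /^[=+\-@\t\r\n]/;

// E.164: a plus sign, a non-zero first digit, at most 15 digits in total.
const E164 = /^\+[1-9]\d{1,14}$/;

// Make a free-text field inert for the spreadsheet by prefixing a single quote.
// The result is not yet CSV-quoted; csvQuote() does that.
function neutralizeFormula(value: string): string {
  return FORMULA_TRIGGERS.test(value) ? "'" + value : value;
}

// RFC 4180 quoting: wrap in double quotes and double any embedded double quote.
function csvQuote(value: string): string {
  return '"' + value.replace(/"/g, '""') + '"';
}

// Phone numbers legitimately start with '+', so a valid E.164 number is written
// as-is; anything that fails validation is treated as untrusted free text.
function safePhone(phone: string): string {
  return E164.test(phone) ? phone : neutralizeFormula(phone);
}

// Build the export body: header line followed by one CRLF-terminated row per contact.
function exportContactsCsv(contacts: Contact[]): string {
  const header = "phone,name";
  const rows = contacts.map((c) =>
    [csvQuote(safePhone(c.phone)), csvQuote(neutralizeFormula(c.name))].join(","),
  );
  return [header, ...rows].join("\r\n") + "\r\n";
}

// Constructed sample input: the two payloads from the report, a benign name
// containing a quote, and a phone field that is itself a formula.
const SAMPLE_CONTACTS: Contact[] = [
  { phone: "+15559999999", name: '=CMD("calc.exe")' },
  { phone: "+15558888888", name: '+cmd|" /C calc"!A0' },
  { phone: "+15557777777", name: "Alice O'Brien" },
  { phone: "=1+1", name: "@SUM(A1)" },
];

function demo(): string {
  return exportContactsCsv(SAMPLE_CONTACTS);
}

console.log(demo());
```

The output for the report's two contacts becomes "+15559999999","'=CMD(""calc.exe"")" and "+15558888888","'+cmd|"" /C calc""!A0"; both open as plain text cells. The benign name is untouched, and the phone field that is not a valid E.164 number is neutralized instead of being written verbatim.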

Severity

🔴 High — data exfiltration / code execution via social engineering
