From 3c80c065545ac94f1e94f8cd485deb260265111b Mon Sep 17 00:00:00 2001
From: Dirk <dirk@testssl.sh>
Date: Wed, 19 Sep 2018 11:57:42 +0200
Subject: [PATCH] Fix filename expansion in CSV output

(Backport of 2.9.5 branch)

This commit fixes #1123 where a security header containing an asterix lead
to a local filename expansion which was included in the CSV file output.
A new function fileout_csv_finding() addresses this.

Also if "$GIVE_HINTS" isn't true the headline and each line in the CSV file doesn't include
anymore the word hint -- which is more consistent with the JSON output.
---
 testssl.sh | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index b55d96a..ea02593 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -701,7 +701,7 @@ fileout_json_finding() {
           echo -e "\n          }" >> "$JSONFILE"
     fi
     if "$do_pretty_json"; then
-        if [[ "$1" == "service" ]]; then
+        if [[ "$1" == service ]]; then
             if [[ $SERVER_COUNTER -gt 1 ]]; then
                 echo "          ," >> "$JSONFILE"
             fi
@@ -804,6 +804,21 @@ fileout_insert_warning() {
      fi
 }
 
+fileout_csv_finding() {
+     tm_out "\"$1\"," >> "$CSVFILE"
+     tm_out "\"$2\"," >> "$CSVFILE"
+     tm_out "\"$3\"," >> "$CSVFILE"
+     tm_out "\"$4\"," >> "$CSVFILE"
+     tm_out "\"$5\"," >> "$CSVFILE"
+     tm_out "\"$6\"," >> "$CSVFILE"
+     if "$GIVE_HINTS"; then
+          tm_out "\"$7\"," >> "$CSVFILE"
+          tm_out "\"$8\"\n" >> "$CSVFILE"
+     else
+          tm_out "\"$7\"\n" >> "$CSVFILE"
+     fi
+}
+
 
 # ID, SEVERITY, FINDING, CVE, CWE, HINT
 fileout() {
@@ -812,11 +827,11 @@ fileout() {
      local cwe="$5"
      local hint="$6"
 
-     if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then
-         local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
-         [[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
+     if ( "$do_pretty_json" && [[ "$1" == service ]] ) || show_finding "$severity"; then
+         local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")           # additional quotes will mess up screen output
+         [[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
          "$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
-              echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE"
+               fileout_csv_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
      "$FIRST_FINDING" && FIRST_FINDING=false
      fi
 }
@@ -896,7 +911,11 @@ csv_header() {
           CSVHEADER=false
      else
           [[ -e "$CSVFILE" ]] && fatal "\"$CSVFILE\" exists. Either use \"--append\" or (re)move it" 1
-          echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
+          if "$GIVE_HINTS"; then
+               fileout_csv_finding "id" "fqdn/ip" "port" "severity" "finding" "cve" "cwe" "hint" > "$CSVFILE"
+          else
+               fileout_csv_finding "id" "fqdn/ip" "port" "severity" "finding" "cve" "cwe" > "$CSVFILE"
+          fi
      fi
      return 0
 }