From 4d0df9b950e214fa615695fb1b9e4328babeb18c Mon Sep 17 00:00:00 2001
From: Zach Gollwitzer <zach@maybe.co>
Date: Fri, 28 Feb 2025 12:21:07 -0500
Subject: [PATCH] Escape quotations in CSV imports properly (#1929)

* Parse quotes in imports

* Update invalid CSV for test
---
 app/controllers/import/uploads_controller.rb |  4 +---
 app/models/import.rb                         | 19 +++++++++++++------
 test/fixtures/files/imports/invalid.csv      |  4 +---
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/app/controllers/import/uploads_controller.rb b/app/controllers/import/uploads_controller.rb
index f3c65d6e..8efc7c75 100644
--- a/app/controllers/import/uploads_controller.rb
+++ b/app/controllers/import/uploads_controller.rb
@@ -29,10 +29,8 @@ class Import::UploadsController < ApplicationController
     end
 
     def csv_valid?(str)
-      require "csv"
-
       begin
-        csv = CSV.parse(str || "", headers: true, col_sep: upload_params[:col_sep])
+        csv = Import.parse_csv_str(str, col_sep: upload_params[:col_sep])
         return false if csv.headers.empty?
         return false if csv.count == 0
         true
diff --git a/app/models/import.rb b/app/models/import.rb
index 9542e187..9a21d6bd 100644
--- a/app/models/import.rb
+++ b/app/models/import.rb
@@ -34,6 +34,18 @@ class Import < ApplicationRecord
   has_many :accounts, dependent: :destroy
   has_many :entries, dependent: :destroy, class_name: "Account::Entry"
 
+  class << self
+    def parse_csv_str(csv_str, col_sep: ",")
+      CSV.parse(
+        (csv_str || "").strip,
+        headers: true,
+        col_sep: col_sep,
+        converters: [ ->(str) { str&.strip } ],
+        liberal_parsing: true
+      )
+    end
+  end
+
   def publish_later
     raise "Import is not publishable" unless publishable?
 
@@ -178,12 +190,7 @@ class Import < ApplicationRecord
     end
 
     def parsed_csv
-      @parsed_csv ||= CSV.parse(
-        (raw_file_str || "").strip,
-        headers: true,
-        col_sep: col_sep,
-        converters: [ ->(str) { str&.strip } ]
-      )
+      @parsed_csv ||= self.class.parse_csv_str(raw_file_str, col_sep: col_sep)
     end
 
     def sanitize_number(value)
diff --git a/test/fixtures/files/imports/invalid.csv b/test/fixtures/files/imports/invalid.csv
index cae4503c..b8552222 100644
--- a/test/fixtures/files/imports/invalid.csv
+++ b/test/fixtures/files/imports/invalid.csv
@@ -1,3 +1 @@
-name,age
-"John Doe,23
-"Jane Doe",25
\ No newline at end of file
+name,description,amount,currency
\ No newline at end of file