Security issue with xls_builder retaining data even if template render fails to an exception on a computed field #13

Closed
amlisirev opened this issue Feb 28, 2019 · 1 comment
@amlisirev
There seems to be a possibly high-impact issue with the way the xls_builder handles rendering the column contents. Steps to reproduce:

1. Have the following xls template for an ActiveAdmin resource:

   ```ruby
   xls do
     whitelist
     column :name do |key|
       custom_helper_that_raises_exception(key)
     end
   end
   ```

2. Have the ActiveAdmin resource filtered into view A and view B so that
   - Items from viewA raise no exception with the custom helper
   - Some item(s) from viewB raise an exception.

3. First export viewB as xls and have the server throw an error. Now export viewA as xls.

Observed: viewA.xls contains data from viewB
Expected: Every export should be from a clean slate, so viewA.xls should only contain data from viewA.

Haven't had the chance to see if the issue is with my versions, this gem, or the underlying spreadsheet gem. This does pose a security issue with using custom helpers that might throw an uncaught error, thus leaking data between exports.

Versions used:
Ruby 2.3.7p456, Rails 5.0.7.1, ActiveAdmin 1.2.1, ActiveAdmin-xls 2.0.0, Spreadsheet 1.1.7
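A constructed Ruby model of the leak described in this report, added here as an example and not taken from the gem: `LeakyBuilder`, `SafeBuilder` and `custom_helper_that_raises_exception` are hypothetical names. It shows how sheet state kept in instance variables and cleared only after a successful render survives an exception and is appended to the next export, and how resetting that state on every call (including in `ensure`) closes the leak.

```ruby
# Hypothetical column helper, like the custom helper in the report:
# raises for one record, renders the rest.
def custom_helper_that_raises_exception(name)
  raise ArgumentError, "unrenderable record: #{name}" if name == "broken"
  name.upcase
end

# Models the reported behaviour (not the gem's code): rows accumulate in
# @rows and are discarded only at the end of a successful serialize, so a
# raise mid-render leaves them behind for the next call.
class LeakyBuilder
  def initialize(&column)
    @column = column
    @rows = []
  end

  def serialize(collection)
    collection.each { |rec| @rows << [@column.call(rec[:name])] }
    out = @rows.dup
    @rows = [] # only reached when no column block raised
    out
  end
end

# Hardened variant: state is reset at the start of every export and again
# in an ensure block, so an exception cannot carry rows over to the next
# export made with the same builder.
class SafeBuilder
  def initialize(&column)
    @column = column
  end

  def serialize(collection)
    @rows = []
    collection.each { |rec| @rows << [@column.call(rec[:name])] }
    @rows.dup
  ensure
    @rows = [] # runs whether or not a column block raised
  end
end

# Constructed sample data: view B holds a record that makes the helper raise.
VIEW_A = [{ name: "alice" }, { name: "bob" }].freeze
VIEW_B = [{ name: "carol" }, { name: "broken" }].freeze

# Replays the reproduction steps: export view B (fails), then view A, and
# returns view A's rows so they can be checked for leaked view B data.
def export_a_after_failed_b(builder)
  builder.serialize(VIEW_B)
rescue ArgumentError
  builder.serialize(VIEW_A) # the next request reuses the same builder
end
```

With the leaky builder the second export starts with `["CAROL"]` from view B; with the safe builder it contains only view A's rows.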

@thambley thambley self-assigned this Mar 1, 2019
@thambley thambley added the bug label Mar 1, 2019
@thambley
Owner

thambley commented Mar 1, 2019

I understand the issue. I believe the problem is in the Builder class.

Thanks!
