[Bug ?] Added unexpected single quotation mark (') to the front of user information

We detected an unexpected single quotation mark(') in front of userId in the log when using export users API and checking this log on Auth0.
Due to this phenomenon, we failed to delete accounts using DELETE user api.
Before Last friday, there was not this single quotation mark in front of userId(and other user meta data)
Is this intentional spec change ? or bugs ?

Hi @kobayashi_t,

Thanks for reaching out to the Auth0 Community!

I understand that you observed an issue exporting your users with the Management API Create export user job endpoint, specifically with an extra quotation mark prepended to the user_id.

I have just tested this myself and found the same observations.

I will reach out to our Engineering Teams to address this issue.

Once I have more information, I will follow up with you.

Thank you.

1 Like

ESD Ticket (ESD-19341): Jira Service Management

1 Like

Hi @kobayashi_t,

I have just received an update from our Engineering Teams that this is not a bug, and the prepended single quote is expected.

Moreover, the CSV encoding is compliant with OWASP recommendations to avoid CSV injection exploits. Before the change, Users could signup with characters in attributes that can trigger formulas in excel or other spreadsheets. As a result, this security measure was released this week.

Our Bulk User Exports documentation has been updated with the following:

Hoped this helps!

Please let me know if there’s anything else I can do to help.

Thank you.

1 Like

Hello @rueben.tiow ,
Thank you for your quick report.
I understood this change is intentionally spec change for the counter measure to vulnerability.

BTW, in case of these kind of changes, is it accnouced to the customer in advance ?
Our team detected this change without any annoucement.
If you know the best way to know such kind of change, would you please let me know.

1 Like

Hi @kobayashi_t,

Thank you for your response!

Generally, we do announce our updates. However, in this instance, thank you for bringing to our attention that our documentation did not reflect the newly deployed changes.

Should you encounter another breaking change like this, please reach out, and we would be more than happy to look into it for you.

Please let me know if you have any additional questions.

Thank you.

1 Like

Hi @rueben.tiow ,
Thank you for your quick reply.

Regarding the announcement of software update, could we see these kind of information like release note in Auth0 ?
If yes, would you please let me know.

Hi @kobayashi_t,

Thank you for your response.

At the moment, our software updates announcements usually include news on the latest features and updates in Auth0 such as product releases, deprecations, migrations, or bug fixes.

I cannot speak to whether updates like the one we observed with exporting users in CSV will be announced in these software update announcements. However, if you find any unexpected behaviors, I recommend checking our Auth0 documentation for the feature in question or directly reaching out to us for help.

Hoped this helps!

Thank you.