feat/CUS-9874-Added support to upload section #291
Walkthrough
The PR introduces a new Testsigma addon Maven project for CSV data fetching. It includes the pom.xml with project configuration and dependencies, a new FetchCSVData action class that reads CSV files from local or HTTP sources, searches for target values, and extracts corresponding column values into runtime variables, plus SDK configuration properties.
Sequence Diagram
sequenceDiagram
actor User as Test Case
participant Action as FetchCSVData Action
participant FileSystem as File System / HTTP
participant Parser as CSV Parser
participant Storage as Runtime Variable
User->>Action: execute(filepath, targetvalue, columnindex)
activate Action
alt Is HTTP URL
Action->>FileSystem: downloadFile(url)
activate FileSystem
FileSystem-->>Action: temp file
deactivate FileSystem
else Local Path
Action->>FileSystem: open file
end
Action->>Parser: read CSV file
activate Parser
Parser->>Parser: iterate rows & cells
loop Until target found
Parser->>Parser: search for targetvalue
end
Parser-->>Action: row with target found
deactivate Parser
Action->>Action: extract value from column[index]
Action->>Storage: store value in runtime variable
activate Storage
Storage-->>Action: confirmation
deactivate Storage
Action-->>User: Result SUCCESS + message
deactivate Action
Actionable comments posted: 6
🧹 Nitpick comments (2)
fetchcsvdata_byparticulardata/src/main/java/com/testsigma/addons/web/FetchCSVData.java (2)
81-86: Avoid catching generic Exception.
Catching Exception is too broad and can hide unexpected errors. Catch specific exceptions like IOException, FileNotFoundException, or CsvException for better error handling and debugging.
🔎 Proposed refactor
- }catch (Exception e) { + } catch (IOException | CsvException e) { String errorMessage = ExceptionUtils.getStackTrace(e); result = com.testsigma.sdk.Result.FAILED; setErrorMessage(errorMessage); logger.warn(errorMessage); }
38-38: Remove unused exception declaration.
The method signature declares throws NoSuchElementException but this exception is never thrown. Additionally, NoSuchElementException is imported from Selenium (line 12) but appears unused.
🔎 Proposed cleanup
@Override - public com.testsigma.sdk.Result execute() throws NoSuchElementException { + public com.testsigma.sdk.Result execute() {
And remove the unused import:
import lombok.Data; import org.apache.commons.lang3.exception.ExceptionUtils; -import org.openqa.selenium.NoSuchElementException; import java.io.*;
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
fetchcsvdata_byparticulardata/pom.xml
fetchcsvdata_byparticulardata/src/main/java/com/testsigma/addons/web/FetchCSVData.java
fetchcsvdata_byparticulardata/src/main/resources/testsigma-sdk.properties
🔇 Additional comments (2)
fetchcsvdata_byparticulardata/src/main/java/com/testsigma/addons/web/FetchCSVData.java (1)
26-35: Well-structured field declarations.
The use of Testsigma SDK annotations with Lombok @Data for test data and runtime data fields is appropriate and follows the framework conventions correctly.
fetchcsvdata_byparticulardata/pom.xml (1)
42-46: Upgrade TestNG to address CVE-2022-4065 (path traversal vulnerability).
TestNG 6.14.3 (released April 2018) contains a confirmed security vulnerability (CVE-2022-4065) in the XML parser affecting the testngXmlExistsInJar function. Upgrade to TestNG 7.5.1 or later to apply the fix.
| <dependency> | ||
| <groupId>org.junit.jupiter</groupId> | ||
| <artifactId>junit-jupiter-api</artifactId> | ||
| <version>${junit.jupiter.version}</version> | ||
| <scope>test</scope> | ||
| </dependency> |
🛠️ Refactor suggestion | 🟠 Major
Use stable JUnit Jupiter release instead of milestone version.
The dependency specifies version 5.8.0-M1 which is a pre-release milestone. Milestone versions are not recommended for production use as they may contain bugs and lack stability guarantees.
#!/bin/bash
# Check latest stable JUnit Jupiter version
curl -s https://repo1.maven.org/maven2/org/junit/jupiter/junit-jupiter-api/maven-metadata.xml | grep -oP '(?<=<latest>)[^<]+' || echo "Could not fetch latest version"
🤖 Prompt for AI Agents
In fetchcsvdata_byparticulardata/pom.xml around lines 36 to 41, the project
pulls JUnit via the junit-jupiter-api dependency which currently resolves to a
milestone pre-release (5.8.0-M1); update the junit.jupiter.version property
(where it’s defined in the POM or parent POM) to a stable non-milestone release
(for example 5.8.2 or the latest stable JUnit Jupiter release from Maven
Central) so the dependency no longer uses a milestone version; keep the scope as
test and ensure the property change is propagated to any other JUnit-related
dependencies.
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-annotations</artifactId> | ||
| <version>2.13.0</version> | ||
| </dependency> |
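Review bot: this hunk declares only jackson-annotations, while the DoS CVEs cited in the thread (CVE-2021-46877 and the nested-deserialization issues) live in jackson-databind and jackson-core; the check that matters is whether those modules are pulled in transitively and at which version (mvn dependency:tree). Importing the jackson-bom in dependencyManagement and dropping the literal 2.13.0 keeps every Jackson module on one current release.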
🧩 Analysis chain
🌐 Web query:
Jackson 2.13.0 release date vulnerabilities
💡 Result:
- Release date: Jackson 2.13.0 was released on September 30, 2021. [1]
- Notable security items related to 2.13.0:
- CVE-2020-36518 — nested-object StackOverflow DoS: jackson-databind versions before 2.13.0 are vulnerable; 2.13.0 is the first fixed release. [2]
- CVE-2021-46877 — JsonNode JDK-serialization high-memory DoS: affects 2.13.0 (fixed in 2.13.1); i.e., 2.13.0 is vulnerable, upgrade to ≥2.13.1. [3]
- CVE-2025-49128 — information exposure from JsonLocation (reads unintended bytes into exception messages): this issue was silently fixed in jackson-core 2.13.0; upgrade to ≥2.13.0 (or later micro-releases) or disable source-inclusion in exceptions as a mitigation. [4][5]
References
- Jackson Release 2.13 (FasterXML wiki). [1]
- CVE-2020-36518 (CVE Details / MITRE summary). [2]
- CVE-2021-46877 advisory (Seal Security / vulnerability pages). [3]
- CVE-2025-49128 (GitLab advisory / Snyk security pages). [4][5]
🌐 Web query:
Jackson core latest version 2024 2025
💡 Result:
Latest Jackson Core (summary):
- 2024: latest in 2024 was jackson-core 2.18.x (e.g., 2.18.2 released Nov 28, 2024). [1][2]
- 2025: stable releases in 2025 include 2.19.x and 2.20.0 (2.20.0 released Aug 28, 2025); Jackson 3.0.0 GA was released Oct 3, 2025. For the most up-to-date artifact on Maven Central check the Central/GitHub pages. [2][3]
Sources:
[1] GitHub releases listing (jackson-core release history).
[2] FasterXML / jackson GitHub main page (release summary with 2.20.0 and 3.0.0 dates).
[3] Maven / mvnrepository entries for jackson-core.
🌐 Web query:
Jackson CVE security vulnerabilities 2.13
💡 Result:
Short summary — Jackson 2.13 series: known/security-impacting CVEs and what to do
- CVE-2021-46877 — jackson-databind: JsonNode JDK-serialization can trigger huge transient heap usage (DoS). Affects 2.13.0 (fixed in 2.13.1). [1][2]
- CVE-2025-49128 — jackson-core: JsonLocation._appendSourceDesc could include up to ~500 bytes of unintended memory in exception messages (information disclosure). Affects versions < 2.13.0; fixed in 2.13.0. Mitigations: upgrade to ≥2.13.0 or disable source-in-exceptions / avoid returning parser exception messages to clients. [3][4]
- Additional DoS / resource-exhaustion issues were reported across the 2.13.x line (examples: vulnerabilities in deserialization of deeply-nested arrays / wrapped values). Several of these required upgrades to 2.13.4.1 / 2.13.4.2 or later. If you are on a 2.13 release older than those fixes, you are likely still vulnerable. [5][6]
Recommended actions (concise)
- If possible, upgrade to a patched release (either the latest 2.13.x patched release or — preferably — the current upstream Jackson stable release). Snyk shows the project’s current latest as 2.20.1; choose a recent, supported version that includes all security fixes. [5]
- If you cannot upgrade immediately: apply mitigations per advisories — disable source-in-exceptions, avoid exposing parser exception messages to clients, and disable risky deserialization features (or restrict allowed types). See the advisories linked below for exact flags and guidance. [3][4]
Sources
[1] Seal Security / GHSA / advisory for CVE-2021-46877.
[2] CVE Details / CVE-2021-46877 entry.
[3] Wiz / GitHub advisory summary for CVE-2025-49128 (fix in 2.13.0).
[4] OpenCVE / CVE-2025-49128 entry.
[5] Snyk jackson-databind vulnerability pages (2.13.3 / 2.13.4 notes and upgrade guidance).
[6] Snyk package summary showing latest version info.
Would you like me to: (A) check your project's current jackson version and list which CVEs affect it, or (B) fetch exact upgrade targets and the minimal 2.13.x patch numbers that close each CVE?
Upgrade Jackson annotations to current stable version.
Jackson 2.13.0 (released Sept 30, 2021) contains the known DoS vulnerability CVE-2021-46877, which affects JsonNode JDK-serialization. Additional resource-exhaustion vulnerabilities were reported in the 2.13.x series. Current stable version is 2.20.1 or Jackson 3.0.0 GA (Oct 2025); upgrade to a recent release to ensure the addon is secure for public distribution.
🤖 Prompt for AI Agents
In fetchcsvdata_byparticulardata/pom.xml around lines 59 to 63 the
jackson-annotations dependency is pinned to 2.13.0 which is vulnerable; update
the <version> to a current stable release (for example 2.20.1) or migrate to
Jackson 3.x if compatible, or better yet import the Jackson BOM and align all
jackson modules to the same safe version; after changing the version, run mvn -U
clean verify (and mvn dependency:tree) to ensure there are no conflicting
transitive versions and run tests to confirm compatibility.
| String filePath = testData1.getValue().toString(); | ||
| String targetCellValue = testData2.getValue().toString(); | ||
|
|
||
| File excelFile = null; | ||
|
|
||
| if (filePath.startsWith("http://") || filePath.startsWith("https://")) { | ||
| try { | ||
| logger.info("Inside if"); | ||
| excelFile = downloadFile(filePath); | ||
| logger.info("Downloaded excel file at: " + excelFile.getAbsolutePath()); | ||
| } catch (IOException e) { | ||
| logger.warn("IO Exception: " + ExceptionUtils.getStackTrace(e)); | ||
| setErrorMessage("IO Exception: " + ExceptionUtils.getMessage(e)); | ||
| result = com.testsigma.sdk.Result.FAILED; | ||
| return result; | ||
| } | ||
| } else { | ||
| excelFile = new File(filePath); | ||
| logger.info("Inside else"); | ||
| logger.info("Downloaded excel file at: " + excelFile.getAbsolutePath()); | ||
| } | ||
|
|
||
| try (CSVReader csvReader = new CSVReaderBuilder(new FileReader(filePath)).build()) { |
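Review bot: besides the CSV reader being handed filePath instead of excelFile, new FileReader(...) uses the platform default charset, so a UTF-8 CSV fetched over HTTP can be mis-decoded on a runner with a different default; construct the reader with an explicit charset (for example Files.newBufferedReader(path, StandardCharsets.UTF_8)). The else branch also logs "Downloaded excel file at:" for a local path that was never downloaded, and the "Inside if" / "Inside else" lines look like leftover debug output; drop them or make them describe the branch actually taken.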
Critical: CSV reader uses original URL instead of downloaded file path.
After downloading the file to excelFile (line 51), the code correctly creates a local temp file. However, line 65 still uses the original filePath variable which contains the HTTP URL. This will fail when attempting to read from a URL as a file path.
🔎 Proposed fix
} else {
excelFile = new File(filePath);
logger.info("Inside else");
logger.info("Downloaded excel file at: " + excelFile.getAbsolutePath());
}
- try (CSVReader csvReader = new CSVReaderBuilder(new FileReader(filePath)).build()) {
+ try (CSVReader csvReader = new CSVReaderBuilder(new FileReader(excelFile)).build()) {
List<String[]> records = csvReader.readAll();
🤖 Prompt for AI Agents
In
fetchcsvdata_byparticulardata/src/main/java/com/testsigma/addons/web/FetchCSVData.java
around lines 43 to 65, the CSVReader is constructed with the original filePath
(which may be an HTTP URL) instead of the local downloaded file (excelFile).
Update the CSVReader construction to use the downloaded file when present (e.g.,
use excelFile.getAbsolutePath() or a FileReader constructed from excelFile) so
the reader opens the local temp file; ensure excelFile is non-null before use
and fall back to the original path only if no download occurred.
| for (String[] record : records) { | ||
| for (int i = 0; i < record.length; i++) { | ||
| // Check if the current cell value contains the target value | ||
| if (record[i].contains(targetCellValue)) { | ||
| String correspondingCellValue = record[Integer.valueOf(testData3.getValue().toString())]; | ||
|
|
||
| runTimeData.setValue(correspondingCellValue); | ||
| runTimeData.setKey(testData4.getValue().toString()); | ||
| result = com.testsigma.sdk.Result.SUCCESS; | ||
| setSuccessMessage("Value fetch from the csv file :" +correspondingCellValue+"store into a variable:"+testData4.getValue().toString()); | ||
| } | ||
| } | ||
| } |
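Review bot: record[i].contains(targetCellValue) is a substring test, so an empty target matches the first cell of the first row and "10" matches "100"; if the intent is to locate the row keyed by that value, compare with equals (or document the partial-match behaviour). When no cell matches, the loops finish without setting result or an error message, so the caller gets whatever result held before; set FAILED with a "value not found" message after the loop. The column index is also re-parsed with Integer.valueOf on every matching cell; parse it once before the loop and let a NumberFormatException fail the step with a clear message.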
Add bounds checking and early return after finding target value.
The current implementation has several issues:
- No bounds checking: Line 72 accesses record[index] without verifying the index is within bounds, risking ArrayIndexOutOfBoundsException.
- No early termination: After finding a match, the loop continues and may overwrite the runtime variable multiple times if the target appears in multiple cells.
- Typo in message: Line 77 is missing a space before "store".
🔎 Proposed fix
for (String[] record : records) {
for (int i = 0; i < record.length; i++) {
// Check if the current cell value contains the target value
if (record[i].contains(targetCellValue)) {
+ int targetIndex = Integer.parseInt(testData3.getValue().toString());
+ if (targetIndex < 0 || targetIndex >= record.length) {
+ result = com.testsigma.sdk.Result.FAILED;
+ setErrorMessage("Index " + targetIndex + " is out of bounds for row with " + record.length + " columns");
+ return result;
+ }
- String correspondingCellValue = record[Integer.valueOf(testData3.getValue().toString())];
+ String correspondingCellValue = record[targetIndex];
runTimeData.setValue(correspondingCellValue);
runTimeData.setKey(testData4.getValue().toString());
result = com.testsigma.sdk.Result.SUCCESS;
- setSuccessMessage("Value fetch from the csv file :" +correspondingCellValue+"store into a variable:"+testData4.getValue().toString());
+ setSuccessMessage("Value fetched from the csv file: " + correspondingCellValue + " stored into variable: " + testData4.getValue().toString());
+ return result;
}
}
}
🤖 Prompt for AI Agents
In
fetchcsvdata_byparticulardata/src/main/java/com/testsigma/addons/web/FetchCSVData.java
around lines 68 to 80, add bounds checking and an early exit when a match is
found: parse testData3.getValue() to an int safely (handle
null/NumberFormatException), verify the index is >= 0 and < record.length before
accessing record[index] to avoid ArrayIndexOutOfBoundsException, and after
setting runTimeData, result and success message (fix spacing in the message:
"... :{value} store into a variable:..."), break out of the loops or return
immediately so the value is not overwritten if multiple matches occur.
| private File downloadFile(String fileUrl) throws IOException { | ||
| URL url = new URL(fileUrl); | ||
| String fileName = Paths.get(url.getPath()).getFileName().toString(); | ||
| File tempFile = File.createTempFile("downloaded-", fileName); | ||
| try (InputStream in = url.openStream(); | ||
| OutputStream out = new FileOutputStream(tempFile)) { | ||
| byte[] buffer = new byte[1024]; | ||
| int bytesRead; | ||
| while ((bytesRead = in.read(buffer)) != -1) { | ||
| out.write(buffer, 0, bytesRead); | ||
| } | ||
| } | ||
| return tempFile; | ||
| } |
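Review bot: Paths.get(url.getPath()).getFileName() returns null for a URL with no path component (for example https://host/), so the toString() call throws a NullPointerException before the download starts; use a fixed suffix for the temp file instead of deriving it from the URL. url.openStream() also runs with no connect or read timeout and no size limit, so an unresponsive or oversized remote file can stall the whole test run; open the connection as an HttpURLConnection, set setConnectTimeout/setReadTimeout, and cap the number of bytes copied.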
Potential resource leak: Temporary file not cleaned up.
The downloadFile method creates a temporary file using File.createTempFile() but never deletes it. This can lead to disk space exhaustion over time, especially if the action is executed frequently.
🔎 Recommended solution
Either mark the temp file for deletion on JVM exit, or better yet, refactor the execute method to clean up the temp file in a finally block:
private File downloadFile(String fileUrl) throws IOException {
URL url = new URL(fileUrl);
String fileName = Paths.get(url.getPath()).getFileName().toString();
File tempFile = File.createTempFile("downloaded-", fileName);
+ tempFile.deleteOnExit();
try (InputStream in = url.openStream();
OutputStream out = new FileOutputStream(tempFile)) {
byte[] buffer = new byte[1024];
int bytesRead;
while ((bytesRead = in.read(buffer)) != -1) {
out.write(buffer, 0, bytesRead);
}
}
return tempFile;
}
Alternatively, modify the execute method to explicitly delete the temp file in a finally block for immediate cleanup.
🤖 Prompt for AI Agents
In
fetchcsvdata_byparticulardata/src/main/java/com/testsigma/addons/web/FetchCSVData.java
around lines 90 to 103, the downloadFile method creates a temporary file with
File.createTempFile(...) but never deletes it, risking disk exhaustion; update
the call-site (execute method) to ensure the returned temp file is deleted in a
finally block (or try-with-resources equivalent) after use, or at minimum call
tempFile.delete() in a finally block, and optionally call
tempFile.deleteOnExit() as a fallback; ensure any exceptions still allow the
cleanup code to run so the temporary file is always removed.
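An added example, not the addon's or the reviewer's code, that folds the three review points above (reading the downloaded file rather than the URL, a bounds-checked lookup that stops at the first hit, and temp-file cleanup in a finally block) into one helper; it also goes beyond the review by adding connect/read timeouts and a download size cap. It assumes opencsv on the classpath, as the addon already has; the class and method names and the 10 MB cap are hypothetical.

```java
import com.opencsv.CSVReader;
import com.opencsv.CSVReaderBuilder;
import com.opencsv.exceptions.CsvException;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.Optional;

public final class SafeCsvLookup {
    // Hypothetical size cap; size it to the data sets the addon is expected to read.
    private static final long MAX_BYTES = 10L * 1024 * 1024;

    /** Downloads an http(s) URL to a temp file with timeouts and a size cap. */
    static Path download(String fileUrl) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(fileUrl).openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(30_000);
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("HTTP " + conn.getResponseCode() + " for " + fileUrl);
        }
        Path tmp = Files.createTempFile("fetchcsv-", ".csv"); // name never taken from the URL
        try (InputStream in = conn.getInputStream(); OutputStream out = Files.newOutputStream(tmp)) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > MAX_BYTES) throw new IOException("download exceeds " + MAX_BYTES + " bytes");
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            Files.deleteIfExists(tmp); // do not leave a partial file behind
            throw e;
        }
        return tmp;
    }

    /** Cell at columnIndex of the first row holding a cell equal to target. */
    static Optional<String> lookup(Path csv, String target, int columnIndex) throws IOException, CsvException {
        try (Reader r = Files.newBufferedReader(csv, StandardCharsets.UTF_8); // explicit charset
             CSVReader reader = new CSVReaderBuilder(r).build()) {
            for (String[] row : reader.readAll()) {
                for (String cell : row) {
                    if (!cell.equals(target)) continue; // exact match, not contains()
                    if (columnIndex < 0 || columnIndex >= row.length) {
                        throw new IllegalArgumentException("column " + columnIndex
                                + " out of range for a row with " + row.length + " cells");
                    }
                    return Optional.of(row[columnIndex]); // stop at the first hit
                }
            }
            return Optional.empty(); // caller maps this to a FAILED result with a clear message
        }
    }

    /** Runs the lookup and always removes a downloaded temp file, even on failure. */
    static Optional<String> fetch(String pathOrUrl, String target, int columnIndex) throws IOException, CsvException {
        boolean remote = pathOrUrl.startsWith("http://") || pathOrUrl.startsWith("https://");
        Path file = remote ? download(pathOrUrl) : Paths.get(pathOrUrl);
        try {
            return lookup(file, target, columnIndex); // always the local file, never the URL string
        } finally {
            if (remote) Files.deleteIfExists(file);
        }
    }
}
```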
| @@ -0,0 +1 @@ | |||
| testsigma-sdk.api.key=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJiODUzOWIxMi0wOWM1LTc0YTktNTZjMy0xMTQxZjFmYjY0M2UiLCJ1bmlxdWVJZCI6IjI4NTMiLCJleHRlcm5hbFRlbmFudElkIjoiMjgxNyJ9.mxBcbkdlDQu7MTfoS7GxBK2SDujcBw07FpZvnEwFLFrT5aJtOQExB3NkMK3vtjsk-UOMB36qgly3lgdLasTRaw No newline at end of file | |||
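Review bot: deleting this line is necessary but not sufficient; the token has already been disclosed in this PR's diff, so it should be treated as compromised and revoked or regenerated in Testsigma regardless of whether the commit history is rewritten, and the committed placeholder should be a comment rather than a real value.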
Critical: Remove hardcoded JWT token before publishing as public addon.
The JWT token is hardcoded directly in the properties file. Since the PR description states this addon will be published publicly, this exposes authentication credentials that could grant unauthorized access to tenant 2817. Use environment variables or a secure configuration management system instead.
🔎 Recommended approach
Remove the hardcoded token and document that users should set this via environment variable or secure configuration:
-testsigma-sdk.api.key=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJiODUzOWIxMi0wOWM1LTc0YTktNTZjMy0xMTQxZjFmYjY0M2UiLCJ1bmlxdWVJZCI6IjI4NTMiLCJleHRlcm5hbFRlbmFudElkIjoiMjgxNyJ9.mxBcbkdlDQu7MTfoS7GxBK2SDujcBw07FpZvnEwFLFrT5aJtOQExB3NkMK3vtjsk-UOMB36qgly3lgdLasTRaw
+# testsigma-sdk.api.key should be set via environment variable TESTSIGMA_API_KEY
🤖 Prompt for AI Agents
fetchcsvdata_byparticulardata/src/main/resources/testsigma-sdk.properties lines
1-1: this file contains a hardcoded JWT API key which must be removed; replace
the literal value with a reference to a configuration source (read from an
environment variable or an external secrets/config service), update code that
loads properties to fall back to process.env (or equivalent) and fail with a
clear error if the variable is missing, remove the secret from the repo history
and add a placeholder and documentation in README explaining how to set the
environment variable or secure config before publishing.
Publish this addon as public
Addon Name: FetchCSVdata_ByparticularData
Jarvis Link: https://jarvis.testsigma.com/ui/tenants/2817/addons
Jira : https://testsigma.atlassian.net/browse/CUS-9874
Added support to upload section