CSV injection by tinker #516

@AlastorApps

Description

Vulnerability summary

The SpendingRepository allows storing unescaped spreadsheet formulas in the description field.
A user with write access to the database (via Tinker, seeder, or direct DB insert) can inject formulas (e.g., =1+1).
Opening these values in a spreadsheet application like Excel can execute the formula.

Steps to reproduce

  1. Open Tinker: php artisan tinker
  2. Run the following script:

     $repo = app(App\Repositories\SpendingRepository::class);

     $spending = $repo->create(
         1,             // spaceId
         null,          // recurringId
         null,          // tagId
         date('Y-m-d'), // date
         '=1+1',        // description with payload
         200,           // amount
         null           // importId
     );
     $spending;
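As an added example (not the project's own code), the defensive counterpart to the report above: a CSV export that neutralises stored formula triggers on the way out, following the OWASP CSV-injection guidance. The export step itself and the names looksLikeFormula, csvSafeCell and spendingsToCsv are assumptions, since the issue does not describe how descriptions reach a spreadsheet.

```php
<?php
// Added example, not code from the reported project: neutralise spreadsheet
// formula triggers when spending rows are written out as CSV.
// Based on the OWASP CSV-injection guidance: quote every cell, double any
// embedded quotes, and prefix an apostrophe to cells that a spreadsheet
// would otherwise evaluate as a formula.

const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** True when a spreadsheet would evaluate $value as a formula (e.g. "=1+1"). */
function looksLikeFormula(string $value): bool
{
    // Leading spaces do not stop Excel from evaluating "  =1+1", so skip them.
    $first = substr(ltrim($value, ' '), 0, 1);
    return $first !== '' && in_array($first, FORMULA_TRIGGERS, true);
}

/** Wrap a cell in double quotes so delimiters, quotes and newlines stay inside it. */
function csvQuote(string $cell): string
{
    return '"' . str_replace('"', '""', $cell) . '"';
}

/** Sanitise a free-text cell: an apostrophe prefix makes Excel treat it as literal text. */
function csvSafeCell(string $value): string
{
    return csvQuote(looksLikeFormula($value) ? "'" . $value : $value);
}

/** Build the export; amounts are quoted but not apostrophe-prefixed so "-20" stays numeric. */
function spendingsToCsv(array $rows): string
{
    $lines = [implode(',', array_map('csvQuote', ['date', 'description', 'amount']))];
    foreach ($rows as $row) {
        $lines[] = implode(',', [
            csvSafeCell($row['date']),
            csvSafeCell($row['description']),
            csvQuote((string) $row['amount']),
        ]);
    }
    return implode("\r\n", $lines) . "\r\n";
}

// Constructed sample rows; the first description is the payload from the report.
$rows = [
    ['date' => '2024-01-01', 'description' => '=1+1', 'amount' => 200],
    ['date' => '2024-01-02', 'description' => 'Groceries, "weekly"', 'amount' => -20],
];
echo spendingsToCsv($rows);
```

The same looksLikeFormula check can be run in the repository's create path to log or reject descriptions that start with a formula trigger, so the stored value is flagged before any export happens.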
