导出Excel时屏蔽公式,防止CSV注入风险

This commit is contained in:
RuoYi 2022-01-27 12:04:40 +08:00
parent 35664d818d
commit 8007b22b85
1 changed files with 10 additions and 1 deletions

View File

@ -86,6 +86,9 @@ public class ExcelUtil<T>
{ {
private static final Logger log = LoggerFactory.getLogger(ExcelUtil.class); private static final Logger log = LoggerFactory.getLogger(ExcelUtil.class);
public static final String[] FORMULA_STR = { "=", "-", "+", "@" };
/** /**
* Excel sheet最大行数默认65536 * Excel sheet最大行数默认65536
*/ */
@ -710,7 +713,13 @@ public class ExcelUtil<T>
{ {
if (ColumnType.STRING == attr.cellType()) if (ColumnType.STRING == attr.cellType())
{ {
cell.setCellValue(StringUtils.isNull(value) ? attr.defaultValue() : value + attr.suffix()); String cellValue = Convert.toStr(value);
// 对于任何以表达式触发字符 =-+@开头的单元格直接使用tab字符作为前缀防止CSV注入
if (StringUtils.containsAny(cellValue, FORMULA_STR))
{
cellValue = StringUtils.replaceEach(cellValue, FORMULA_STR, new String[] { "\t=", "\t-", "\t+", "\t@" });
}
cell.setCellValue(StringUtils.isNull(cellValue) ? attr.defaultValue() : cellValue + attr.suffix());
} }
else if (ColumnType.NUMERIC == attr.cellType()) else if (ColumnType.NUMERIC == attr.cellType())
{ {