导出Excel时屏蔽公式，防止CSV注入风险

2022-01-27 12:04:40 +08:00 · 2022-01-27 12:04:40 +08:00 · 8007b22b85
commit 8007b22b85
parent 35664d818d
1 changed files with 10 additions and 1 deletions
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java
@ -86,6 +86,9 @@ public class ExcelUtil<T>
 {
    private static final Logger log = LoggerFactory.getLogger(ExcelUtil.class);

+    public static final String[] FORMULA_STR = { "=", "-", "+", "@" };
+
+
    /**
     * Excel sheet最大行数，默认65536
     */
@ -710,7 +713,13 @@ public class ExcelUtil<T>
    {
        if (ColumnType.STRING == attr.cellType())
        {
-            cell.setCellValue(StringUtils.isNull(value) ? attr.defaultValue() : value + attr.suffix());
+            String cellValue = Convert.toStr(value);
+            // 对于任何以表达式触发字符 =-+@开头的单元格，直接使用tab字符作为前缀，防止CSV注入。
+            if (StringUtils.containsAny(cellValue, FORMULA_STR))
+            {
+                cellValue = StringUtils.replaceEach(cellValue, FORMULA_STR, new String[] { "\t=", "\t-", "\t+", "\t@" });
+            }
+            cell.setCellValue(StringUtils.isNull(cellValue) ? attr.defaultValue() : cellValue + attr.suffix());
        }
        else if (ColumnType.NUMERIC == attr.cellType())
        {