Java bean验证正则表达式摆脱CSV注入
[英]Java bean validation Regex to get rid of CSV Injection
问题描述
In our java application, users can export data to excel files which are prone to CSV Injection . 
在我们的Java应用程序中,用户可以将数据导出到易于CSV Injection的 excel文件。 To avoid this vulnerability, I want to restrict the user input such as =HYPERLINK(E3, F3) if any parameter start with following chars: 为避免此漏洞,如果任何参数以以下字符开头,我想限制用户输入,例如= HYPERLINK(E3,F3) :
Equals to ("=")
Plus ("+")
Minus ("-")
At ("@")
I tried some regexes: 我尝试了一些正则表达式:
^[^+=@-]
^((?![+=@-]).)*
But these are not working as expected in bean validation. 但是这些在bean验证中无法按预期工作。
2 个解决方案
解决方案1
0 2018-03-21 18:07:18
You just need to escape the special characters in your regex like this: 您只需要在正则表达式中转义特殊字符,如下所示:
String csvInjectionRegex = "^[^\\+\\=@\\-]";
The following characters are the ones that need to be escaped in a regex: 以下字符是需要在正则表达式中转义的字符:
<([{\\^-=$!|]})?*+.> <([{\\ ^-= $!|]})?* +。>
To escape them you either : 要逃避它们,您可以:
- use the backslash
"\\\\"使用反斜杠"\\\\" or use enclosed each special character in the both
\\Qand\\E.Example:("\\\\Q|\\\\E")或在\\Q和\\E都使用每个特殊字符。例如:(("\\\\Q|\\\\E")If you have any doubts use the Pattern.quote(specialString):
如果您有任何疑问,请使用Pattern.quote(specialString):
String csvInjectionRegex = "^[^"+Pattern.quote("+-=@")+"]";
解决方案2
0 2019-04-08 15:20:13
Try this: 尝试这个:
if (value.matches("^[+=@-].*")) {
//DO M
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.