[英]Java bean validation Regex to get rid of CSV Injection
In our java application, users can export data to excel files which are prone to CSV Injection . 在我们的Java应用程序中,用户可以将数据导出到易于CSV Injection的 excel文件。 To avoid this vulnerability, I want to restrict the user input such as =HYPERLINK(E3, F3) if any parameter start with following chars:
为避免此漏洞,如果任何参数以以下字符开头,我想限制用户输入,例如= HYPERLINK(E3,F3) :
Equals to ("=")
Plus ("+")
Minus ("-")
At ("@")
I tried some regexes: 我尝试了一些正则表达式:
^[^+=@-]
^((?![+=@-]).)*
But these are not working as expected in bean validation. 但是这些在bean验证中无法按预期工作。
You just need to escape the special characters in your regex like this: 您只需要在正则表达式中转义特殊字符,如下所示:
String csvInjectionRegex = "^[^\\+\\=@\\-]";
The following characters are the ones that need to be escaped in a regex: 以下字符是需要在正则表达式中转义的字符:
<([{\\^-=$!|]})?*+.> <([{\\ ^-= $!|]})?* +。>
To escape them you either : 要逃避它们,您可以:
"\\\\"
"\\\\"
or use enclosed each special character in the both \\Q
and \\E
.Example: ("\\\\Q|\\\\E")
或在
\\Q
和\\E
都使用每个特殊字符。例如:( ("\\\\Q|\\\\E")
If you have any doubts use the Pattern.quote(specialString): 如果您有任何疑问,请使用Pattern.quote(specialString):
String csvInjectionRegex = "^[^"+Pattern.quote("+-=@")+"]";
Try this: 尝试这个:
if (value.matches("^[+=@-].*")) {
//DO M
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.