Class CsvSecurity

java.lang.Object
cloud.opencode.base.csv.security.CsvSecurity

public final class CsvSecurity extends Object
CSV Security - Security utilities for CSV processing

Provides protection against common CSV security threats: formula injection (CSV injection / DDE attacks), and resource exhaustion, the latter via limit validation.

Formula Injection:

When CSV files are opened in spreadsheet applications (Excel, LibreOffice Calc), fields starting with certain characters (=, +, -, @, \t, \r) may be interpreted as formulas, which can lead to code execution.

Usage Examples:

boolean dangerous = CsvSecurity.isFormulaInjection("=SUM(A1:A10)"); // true
String safe = CsvSecurity.sanitize("=cmd|' /C calc'"); // "'=cmd|' /C calc'"
CsvSecurity.validateLimits(config, 100, 10, 256); // no exception
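The following Java program is an added example, not code from the opencode-base-csv library: it reimplements the documented prefix rule and single-quote sanitization, applies them to a constructed record, and CSV-quotes each field so the prepended quote survives the CSV layer as well. The limit maxima and the IllegalStateException are assumptions, since the fields of CsvConfig are not shown on this page.

```java
import java.util.List;
import java.util.stream.Collectors;

public class CsvSecurityDemo {
    // Leading characters this page lists as formula triggers: =, +, -, @, tab, CR.
    private static final String TRIGGERS = "=+-@\t\r";

    static boolean isFormulaInjection(String value) {
        return value != null && !value.isEmpty() && TRIGGERS.indexOf(value.charAt(0)) >= 0;
    }

    // Same strategy the page documents for CsvSecurity.sanitize: prefix a single
    // quote so the spreadsheet treats the cell as a text literal, not a formula.
    static String sanitize(String value) {
        return isFormulaInjection(value) ? "'" + value : value;
    }

    // RFC 4180 quoting for the CSV layer: wrap in double quotes when the field
    // contains a delimiter, a quote or a line break, doubling embedded quotes.
    static String quote(String field) {
        boolean needsQuotes = field.indexOf(',') >= 0 || field.indexOf('"') >= 0
                || field.indexOf('\n') >= 0 || field.indexOf('\r') >= 0;
        return needsQuotes ? "\"" + field.replace("\"", "\"\"") + "\"" : field;
    }

    // Assumed stand-in for validateLimits(config, rowCount, columnCount, fieldSize):
    // the maxima are constructed here, not read from a real CsvConfig.
    static void validateLimits(int maxRows, int maxCols, int maxField,
                               int rows, int cols, int fieldSize) {
        if (rows > maxRows || cols > maxCols || fieldSize > maxField) {
            throw new IllegalStateException("CSV limit exceeded: rows=" + rows
                    + " cols=" + cols + " fieldSize=" + fieldSize);
        }
    }

    public static void main(String[] args) {
        // Constructed record: a plain name, a name needing CSV quoting, a formula,
        // a value that merely starts with '-', and an '@'-prefixed handle.
        List<String> record = List.of("Alice", "Doe, Jane", "=SUM(A1:A10)", "-1+1", "@all");
        int widest = record.stream().mapToInt(String::length).max().orElse(0);
        validateLimits(1000, 16, 256, 1, record.size(), widest); // passes under assumed limits
        // Note that "-1+1" is prefixed too: the documented check is purely on the
        // leading character and does not try to tell numbers from formulas.
        String line = record.stream().map(CsvSecurityDemo::sanitize)
                .map(CsvSecurityDemo::quote).collect(Collectors.joining(","));
        System.out.println(line);
    }
}
```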

Security:

  • Thread-safe: Yes (stateless utility)
Since:
JDK 25, opencode-base-csv V1.0.3
Author:
Leon Soo www.LeonSoo.com
  • Method Summary

    Modifier and Type | Method | Description
    static boolean | isFormulaInjection(String value) | Checks if a value starts with a character that could trigger formula injection
    static String | sanitize(String value) | Sanitizes a value by prepending a single quote if formula injection is detected
    static void | validateLimits(CsvConfig config, int rowCount, int columnCount, int fieldSize) | Validates that the given counts do not exceed the configured limits

    Methods inherited from class Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • isFormulaInjection

      public static boolean isFormulaInjection(String value)
      Checks if a value starts with a character that could trigger formula injection.

      Characters checked: =, +, -, @, \t (tab), \r (carriage return).

      Parameters:
      value - the value to check
      Returns:
      true if the value could trigger formula injection
    • sanitize

      public static String sanitize(String value)
      Sanitizes a value by prepending a single quote if formula injection is detected.

      The prepended single quote causes spreadsheet applications to treat the field as a text literal rather than a formula.

      Parameters:
      value - the value to sanitize
      Returns:
      the sanitized value, or the original value if no injection is detected
    • validateLimits

      public static void validateLimits(CsvConfig config, int rowCount, int columnCount, int fieldSize)
      Validates that the given counts do not exceed the configured limits.
      Parameters:
      config - the CSV configuration
      rowCount - the number of rows
      columnCount - the number of columns
      fieldSize - the field size in characters
      Throws:
      OpenCsvException - if any limit is exceeded