From d6a16e9afc0a3b96a56f1a24ed167e1beec6ce2f Mon Sep 17 00:00:00 2001
From: Jie Zheng <201507802@qq.com>
Date: Wed, 15 Jan 2025 09:21:51 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E9=98=B2=E6=AD=A2CSV=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=EF=BC=8C=E5=A4=84=E7=90=86=E5=AF=BC=E5=87=BA=E6=95=B0=E6=8D=AE?=
 =?UTF-8?q?=E7=89=B9=E6=AE=8A=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

close https://github.com/elunez/eladmin/issues/863
---
 .../main/java/me/zhengjie/utils/FileUtil.java | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java b/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java
index ca2b674d..1761fc80 100644
--- a/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java
+++ b/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java
@@ -33,8 +33,10 @@ import java.security.MessageDigest;
 import java.text.DecimalFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * File工具类，扩展 hutool 工具包
@@ -213,8 +215,25 @@ public class FileUtil extends cn.hutool.core.io.FileUtil {
         String tempPath = SYS_TEM_DIR + IdUtil.fastSimpleUUID() + ".xlsx";
         File file = new File(tempPath);
         BigExcelWriter writer = ExcelUtil.getBigWriter(file);
+        // 处理数据以防止CSV注入
+        List<Map<String, Object>> sanitizedList = list.parallelStream().map(map -> {
+            Map<String, Object> sanitizedMap = new HashMap<>();
+            map.forEach((key, value) -> {
+                if (value instanceof String) {
+                    String strValue = (String) value;
+                    // 检查并处理以特殊字符开头的值
+                    if (strValue.startsWith("=") || strValue.startsWith("+") || strValue.startsWith("-") || strValue.startsWith("@")) {
+                        strValue = "'" + strValue; // 添加单引号前缀
+                    }
+                    sanitizedMap.put(key, strValue);
+                } else {
+                    sanitizedMap.put(key, value);
+                }
+            });
+            return sanitizedMap;
+        }).collect(Collectors.toList());
         // 一次性写出内容，使用默认样式，强制输出标题
-        writer.write(list, true);
+        writer.write(sanitizedList, true);
         SXSSFSheet sheet = (SXSSFSheet)writer.getSheet();
         //上面需要强转SXSSFSheet  不然没有trackAllColumnsForAutoSizing方法
         sheet.trackAllColumnsForAutoSizing();