asookaziangmail.com
Posted August 13, 2021

With Jasper Reports library 6.17.0 (latest) it seems there is no way to prevent and/or mitigate potential CSV injection attacks. What is the best practice guidance here regarding CSV injection? Is it supported in 6.x or not? If yes, how to implement/configure? In consideration are formula values (e.g. =HYPERLINK(xxx) or =cmd(xxx)) from the database query; we want only these types of values, as per a regex pattern, to be "deactivated" as formulas when the CSV is opened in Excel. The CSV exporter config in SimpleCsvExporterConfiguration for setForceFieldEnclosure does not seem to solve this problem; it simply surrounds all CSV values with a specific character (default is double quote).
asookaziangmail.com (Author)
Posted August 13, 2021

Compare to this convenient/easy solution by SAP reports (by default it prepends a space to deactivate all formulas in CSV): https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.2.6/en-US/dbf05bdcd39f4e96a29e2e12a2bca3f5.html
asookaziangmail.com (Author)
Posted August 13, 2021

I don't see any reference to "formula injection" or "CSV injection" in this official JR server guide: https://community.jaspersoft.com/system/files/restricted-docs/jasperreports-server-security-guide_7.pdf
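The mitigation the thread asks for, as an added example that is not from the original posts and not JasperReports code: a standalone Python filter that neutralizes formula-like cells before they are written to CSV, with both the broad OWASP leading-character rule and a narrower regex policy like the one the poster describes. The trigger list, the regex, the single-quote prefix (SAP's variant prepends a space) and the sample rows are assumptions constructed for the example; applying it between the query result and the exporter is left to the application.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications treat as the start of a
# formula (the OWASP CSV-injection list; an assumption about the consumer,
# not a JasperReports setting).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Narrower policy matching the thread's request: only values shaped like a
# function call such as =HYPERLINK(...) or =cmd(...). Constructed pattern.
FORMULA_CALL = re.compile(r"^\s*[=+\-@]\s*[A-Za-z_]\w*\s*\(")

def is_formula_like(value: str, strict: bool = False) -> bool:
    """True if the cell would be evaluated as a formula when opened in Excel.
    strict=False: any leading trigger character (broader, safer rule).
    strict=True:  only the function-call shape the thread describes."""
    if strict:
        return bool(FORMULA_CALL.match(value))
    return value.startswith(FORMULA_TRIGGERS)

def neutralize(value: str, strict: bool = False) -> str:
    """Deactivate a formula-like cell by prefixing a single quote, which makes
    the spreadsheet render the cell as literal text (SAP's variant prepends a
    space instead). Other cells are returned unchanged."""
    if is_formula_like(value, strict):
        return "'" + value
    return value

def export_rows(rows, strict: bool = False) -> str:
    """Write rows as CSV with every field enclosed in double quotes (what
    forceFieldEnclosure does) after neutralizing cells: enclosure alone does
    not stop Excel from evaluating a cell whose content starts with '='."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(str(cell), strict) for cell in row])
    return buf.getvalue()

# Constructed sample rows standing in for database query results.
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", '=HYPERLINK("http://example.invalid","click")'],
    ["bob", "=cmd(xxx)"],
    ["carol", "-5 degrees"],
    ["dave", "plain text"],
]
```

Note that the broad rule also neutralizes legitimate negative numbers such as "-5 degrees", which is the trade-off the regex policy avoids at the cost of a narrower match.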