Security issues should not be discussed in public. Please read 
https://www.apache.org/security/

If you do want to report a security issue, follow the guidelines at the 
security page. We will need a proper POC. The idea that cell values starting 
with '=' can be a security risk is unproven. If Excel could be fooled into 
doing something that it shouldn't then that should be reported to Microsoft.

On Tuesday 9 May 2023 at 18:21:34 IST, Tobias Fink <[email protected]> wrote: 

Hi,

I see your points, and I solved the problem in my project by creating a static 
helper method "POIUtils.setCellValue(cell, value)". Stack Overflow also didn't 
come up with any more suitable solution.

Still, the problem poses a security risk to every implementation of 
MS-Excel-related POI and, in my opinion, the standard behaviour for a cell with 
a value that starts with a '=' should be that it's automatically quote-prefixed 
(especially as the possibility explicitly exists to create formula cells). As 
this change breaks existing behaviour, maybe it'd be good to make the feature 
opt-in/opt-out.

I would implement such a change, but I think that my knowledge of POI is not 
good enough to be able to do so in a satisfying way (regarding the mentioned 
way to access the "CT" objects of which I'm fully unaware).

Please consider my request. If there's a better place to request such a feature 
(JIRA?) then please tell me and I'll put it there.

Thank you and best regards,

Tobias Fink
Software Development

Tel.: +49(0)621 - 520078 - 0 -- Fax: +49(0)621 - 520078 - 20
E-Mail: [email protected]

Fasihi GmbH - Ludwig-Reichling-Straße 6 - 67059 Ludwigshafen
Managing directors Saeid Fasihi, Rolf Lutzer - Registered office Ludwigshafen a. Rh.
Ludwigshafen District Court - HRB 60601

-----------------------------------------------------
Winner of the Großer Preis des Mittelstandes 2014
Innovation award winner Rheinland-Pfalz 2011
-----------------------------------------------------
Also visit us at
Das Digitale Assistenzsystem: https://das-assistenzsystem.de/ 
Fasihi eXperience Platform:  https://fxp.fasihi.net/
Homepage: http://www.fasihi.net
Our privacy notice can be found here: Fasihi GmbH privacy policy

-----Original Message-----
From: Dominik Stadler <[email protected]> 
Sent: Thursday, 4 May 2023 20:10
To: POI Developers List <[email protected]>
Subject: Re: Apply "setQuotePrefixed(true)" automatically

Hi,

I would fully wrap Apache POI in a clean set of interfaces/factories and this 
way only provide the minimum necessary methods.

If you have lots of existing code, maybe you can style it in a similar way to 
keep required code-changes small.

Otherwise there is always a way to access underlying "CT" objects and thus 
alter content in unpredictable ways.

Static code checkers like "forbidden-apis" and custom rules for it can then 
help to prevent anyone from using the underlying code directly.

Regards... Dominik.
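The static helper Tobias mentions (a setCellValue that quote-prefixes text that would otherwise be read as a formula) and the "call it every time you add a cell" approach PJ suggests for SXSSF, written out as one added example; it is not code from this thread or from Apache POI itself. The class name SafeCells, the FORMULA_STARTERS set and the sample rows are my own assumptions. It goes beyond the thread's '=' case by also treating '+', '-' and '@' as formula starters, since Excel interprets a cell beginning with any of them as a formula; adjust the set if your export only needs '='. Because the fix is applied at the moment each cell is created, it works for SXSSFWorkbook, where rows are flushed to disk long before commit() runs.

```java
// Added example: a defensive cell setter for Apache POI that applies
// setQuotePrefixed(true) to text Excel would otherwise parse as a formula.
// Works with both XSSFWorkbook and the streaming SXSSFWorkbook.
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.CellStyle;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.xssf.streaming.SXSSFWorkbook;

public final class SafeCells {

    // Leading characters Excel treats as the start of a formula. '=' is the case
    // discussed in the thread; '+', '-' and '@' are the other common starters.
    // (Assumed set for this example; narrow it to "=" if that is all you need.)
    private static final String FORMULA_STARTERS = "=+-@";

    // One quote-prefixed clone per original style, so the workbook's style table
    // does not grow by one entry for every affected cell (same idea as the
    // styleToSafeStyleMap in Tobias's XSSF code).
    private final Map<CellStyle, CellStyle> safeStyles = new HashMap<>();
    private final Workbook wb;

    public SafeCells(Workbook wb) {
        this.wb = wb;
    }

    /** True if Excel would read this text as a formula rather than as a literal. */
    public static boolean looksLikeFormula(String value) {
        return value != null && !value.isEmpty()
                && FORMULA_STARTERS.indexOf(value.charAt(0)) >= 0;
    }

    /** Writes value as a text cell; if it looks like a formula, marks the cell quote-prefixed. */
    public void setCellValue(Cell cell, String value) {
        cell.setCellValue(value);
        if (looksLikeFormula(value)) {
            cell.setCellStyle(safeStyleFor(cell.getCellStyle()));
        }
    }

    // Clone the cell's current style once and flip quotePrefix on the clone, so
    // fonts, borders and number formats of the original style are preserved.
    private CellStyle safeStyleFor(CellStyle original) {
        return safeStyles.computeIfAbsent(original, o -> {
            CellStyle safe = wb.createCellStyle();
            safe.cloneStyleFrom(o);
            safe.setQuotePrefixed(true);
            return safe;
        });
    }

    // Usage with the streaming workbook: the helper runs as each cell is added,
    // which is the only point at which an SXSSF row is still in memory.
    public static void main(String[] args) throws IOException {
        String[][] rows = {                 // constructed sample data
            {"name", "note"},
            {"alice", "=SUM(A1:A2)"},        // user-supplied text that looks like a formula
            {"bob", "plain text"},
        };
        try (SXSSFWorkbook wb = new SXSSFWorkbook(100)) {   // keep 100 rows in memory
            SafeCells safe = new SafeCells(wb);
            Sheet sheet = wb.createSheet("export");
            for (int r = 0; r < rows.length; r++) {
                Row row = sheet.createRow(r);
                for (int c = 0; c < rows[r].length; c++) {
                    safe.setCellValue(row.createCell(c), rows[r][c]);
                }
            }
            try (FileOutputStream out = new FileOutputStream("safe-export.xlsx")) {
                wb.write(out);
            }
            wb.dispose();   // delete the SXSSF temp files
        }
    }
}
```

With the wrapping approach Dominik describes, SafeCells.setCellValue becomes the only text-writing method your own interface exposes; a forbidden-apis rule that bans direct calls to Cell.setCellValue(String) outside that wrapper then keeps new code from bypassing it.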

On Thu, May 4, 2023 at 2:49 PM PJ Fanning <[email protected]>
wrote:

> Why don't you refactor your code so that there is a method to make one 
> cell safe? Your XSSF commit code can still call the make one cell safe 
> method. With SXSSF, you can call that method every time you add a new 
> cell to an SXSSF row.
>
> This sort of stuff is better going to stackoverflow btw. There are 
> many more people on that than there is on this mailing list.
>
>
>
>
>
>
> On Thursday 4 May 2023 at 13:14:22 IST, Tobias Fink <[email protected]>
> wrote:
>
>
>
>
>
> Hi,
>
> We have a project with quite a big codebase and I'm looking for a way 
> to implement a security feature, where the "setQuotePrefixed(true);"
> style flag is automatically applied to cells with content that starts 
> with a "=" (as these contents would be interpreted as formulas once 
> Excel is opened and the cell value is changed, or Enter is pressed on it unchanged).
> We already have a class that produces "clean" instances of 
> XSSFWorkbook (with some core properties nilled out). There I've 
> implemented a method to create autofixing workbooks - but this is not 
> working for streaming workbooks (SXSSFWorkbook), because these are 
> already streamed out before the "commit" method is called.
>
> Do you know how I could implement such a behaviour for SXSSFWorkbooks?
>
> Thank you and best regards,
>
> Tobias
>
> Here's my code for XSSFWorkbooks:
>
> import java.io.IOException;
> import java.io.InputStream;
> import java.util.HashMap;
> import java.util.Map;
>
> import org.apache.poi.ss.usermodel.*;
> import org.apache.poi.xssf.usermodel.XSSFWorkbook;
>
> public static XSSFWorkbook createCleanXSSFWorkbook(InputStream is) throws IOException {
>     // Subclass so that the safe styles are applied right before the workbook is written out.
>     XSSFWorkbook wb = new XSSFWorkbook(is) {
>         @Override
>         protected void commit() throws IOException {
>             applySafeCellStyles(this);
>             super.commit();
>         }
>     };
>     cleanXSSFMetaInformation(wb);
>     return wb;
> }
>
> private static void applySafeCellStyles(Workbook wb) {
>     int sheets = wb.getNumberOfSheets();
>     // Reuse one quote-prefixed clone per original style.
>     Map<CellStyle, CellStyle> styleToSafeStyleMap = new HashMap<>();
>     for (int sheetNumber = 0; sheetNumber < sheets; sheetNumber++) {
>         Sheet sheet = wb.getSheetAt(sheetNumber);
>         for (Row row : sheet) {
>             for (Cell cell : row) {
>                 if (cell.getCellType() == CellType.STRING) {
>                     String cellValue = cell.getStringCellValue();
>                     if (cellValue.startsWith("=")) {
>                         CellStyle thisCellStyle = cell.getCellStyle();
>                         CellStyle safeCellStyle = styleToSafeStyleMap.get(thisCellStyle);
>                         if (safeCellStyle == null) {
>                             safeCellStyle = wb.createCellStyle();
>                             safeCellStyle.cloneStyleFrom(thisCellStyle);
>                             safeCellStyle.setQuotePrefixed(true);
>                             styleToSafeStyleMap.put(thisCellStyle, safeCellStyle);
>                         }
>                         cell.setCellStyle(safeCellStyle);
>                     }
>                 }
>             }
>         }
>     }
> }
>
> Kind regards
>
> Tobias Fink
> Software Development
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected] For additional 
> commands, e-mail: [email protected]