tolag3/mjon_git
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

이지우 - XSS 필터링 처리 : 기존 인터셉터 정규식 수정, 사용자 게시글 상세에 unscript 적용

Browse Source 
인터셉터 정규식. '<' , '>'안에 한글만 입력하도록 처리. smstxt 등 몇몇 파라미터는 필터링 예외
게시글 상세 unscript 적용. 공지사항, 1:1문의, 이벤트 상세 이동시 파라미터의 '<', '>'와 같은 XSS 취약한
단어들은 replaceAll 처리
This commit is contained in:
jiwoo 2023-07-18 14:29:58 +09:00
parent 105898cede
commit 170507f071
2 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/main/java/itn/com/cmm/interceptor/InterceptorHandler.java
View File

@ -49,12 +49,15 @@ public class InterceptorHandler extends HandlerInterceptorAdapter{
&& !name.toLowerCase().contains("info2list")
&& !name.toLowerCase().contains("info3list")
&& !name.toLowerCase().contains("info4list")
&& !name.toLowerCase().contains("nttcn")
) {
//파라미터 중에 URL 주소를 넘겨주는 부분이 있어서 해당 부분에것 select~, update~, delete~ 시작하는 주소경로가 있어서 제외처리를 하였음
String[] values = request.getParameterValues(name);
//HTML 태그 관련 부분이 들어있으면 필터링 해주는 정규식 <> ~ </> 구문 찾아줌
Pattern regex = Pattern.compile("<(/)?([a-zA-Z]*)(\\\\s[a-zA-Z]*=[^>]*)?(\\\\s)*(/)?>");
//Pattern regex = Pattern.compile("<(/)?([a-zA-Z]*)(\\\\s[a-zA-Z]*=[^>]*)?(\\\\s)*(/)?>");
//23.7.18 이지우 - XSS 필터링을 위한 정규식 수정
Pattern regex = Pattern.compile("<[^ㄱ-ㅎㅏ-ㅣ가-힣<>]+>");
for (String value : values) {
//정규식과 동일한 패턴인지 비교해준다.

38
src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java
View File

@ -233,7 +233,8 @@ public class EgovBBSManageController {
ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "&lt;form");
ret = ret.replaceAll("</(F|f)(O|o)(R|r)(M|m)", "&lt;form");
//ret = ret.replaceAll("<", "&lt;");
ret = ret.replaceAll("<", "&lt;");
ret = ret.replaceAll(">", "&gt;");
ret = ret.replaceAll("alert", "");
//ret = ret.replaceAll("iframe", "");
@ -1815,6 +1816,18 @@ public class EgovBBSManageController {
@RequestParam Map<String, Object> commandMap,
RedirectAttributes redirectAttributes) throws Exception {
//XSS 태그 필터링 처리
boardVO.setBbsId(unscript(boardVO.getBbsId()));
boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId()));
boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId()));
boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe()));
boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe()));
boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd()));
boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd()));
boardVO.setSearchCnd(unscript(boardVO.getSearchCnd()));
boardVO.setSearchWrd(unscript(boardVO.getSearchWrd()));
BoardMasterVO bmVO = new BoardMasterVO();
if("".equals(boardVO.getBbsId())) { //검색에서 조회시 nttid로 마스터 조회
bmVO = bbsAttrbService.selectBbsIdByNttId(boardVO);
@ -1959,6 +1972,17 @@ public class EgovBBSManageController {
@RequestParam Map<String, Object> commandMap,
RedirectAttributes redirectAttributes) throws Exception {
//XSS 태그 필터링 처리
boardVO.setBbsId(unscript(boardVO.getBbsId()));
boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId()));
boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId()));
boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe()));
boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe()));
boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd()));
boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd()));
boardVO.setSearchCnd(unscript(boardVO.getSearchCnd()));
boardVO.setSearchWrd(unscript(boardVO.getSearchWrd()));
BoardMasterVO bmVO = new BoardMasterVO();
//선택된 카테고리가 없는 경우
@ -4432,6 +4456,18 @@ public class EgovBBSManageController {
RedirectAttributes redirectAttributes) throws Exception {
//XSS 태그 필터링 처리
boardVO.setBbsId(unscript(boardVO.getBbsId()));
boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId()));
boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId()));
boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe()));
boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe()));
boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd()));
boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd()));
boardVO.setSearchCnd(unscript(boardVO.getSearchCnd()));
boardVO.setSearchWrd(unscript(boardVO.getSearchWrd()));
BoardMasterVO bmVO = new BoardMasterVO();
if("".equals(boardVO.getBbsId())) { //검색에서 조회시 nttid로 마스터 조회
bmVO = bbsAttrbService.selectBbsIdByNttId(boardVO);