From 3b0413faebc6fb4bb64eeb8dc40e19f749bf8ec8 Mon Sep 17 00:00:00 2001 From: jiwoo Date: Tue, 1 Aug 2023 15:45:04 +0900 Subject: [PATCH] =?UTF-8?q?=EC=9D=B4=EC=A7=80=EC=9A=B0=20-=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=A0=90=EA=B2=80=20-=20=EC=82=AC?= =?UTF-8?q?=EC=9A=A9=EC=9E=90=20=EA=B2=8C=EC=8B=9C=EA=B8=80=20=EC=83=9D?= =?UTF-8?q?=EC=84=B1=20=EC=9E=90=EB=8F=99=ED=99=94=20=EB=B0=A9=EC=A7=80,?= =?UTF-8?q?=20java=20=EB=B9=84=EB=B0=80=EB=B2=88=ED=98=B8=20=EA=B7=9C?= =?UTF-8?q?=EC=B9=99=20=EA=B2=80=EC=A6=9D=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../cop/bbs/web/EgovBBSManageController.java | 7 +++ .../let/uat/uia/web/EgovLoginController.java | 52 +++++++++++++++++++ .../let/uat/uia/web/EgovMypageController.java | 22 ++++++++ .../jsp/web/cop/bbs/EgovNoticeRegist.jsp | 2 + .../jsp/web/login/findUserPwResult.jsp | 4 ++ .../WEB-INF/jsp/web/login/usrInsertView.jsp | 4 ++ .../WEB-INF/jsp/web/user/passwordChange.jsp | 7 +++ 7 files changed, 98 insertions(+) diff --git a/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java b/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java index a09f49fc..7b68e99f 100644 --- a/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java +++ b/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java @@ -73,6 +73,7 @@ import itn.com.cmm.service.EgovFileMngService; import itn.com.cmm.service.EgovFileMngUtil; import itn.com.cmm.service.FileVO; import itn.com.cmm.service.ReadService; +import itn.com.cmm.util.EgovDoubleSubmitHelper; import itn.com.cmm.util.StringUtil; import itn.com.cmm.util.WebUtil; import itn.com.uss.ion.cnf.service.ProhibitMngService; 
@@ -2712,6 +2713,12 @@ public class EgovBBSManageController { ModelAndView modelAndView = new ModelAndView(); modelAndView.setViewName("jsonView"); + + if (!EgovDoubleSubmitHelper.checkAndSaveToken("someKey", multiRequest)) { + modelAndView.addObject("message", "너무많은 글쓰기가 시도되었습니다."); + modelAndView.addObject("result", "fail"); + return modelAndView; + } // Start => bbsId를 변조해서 공지사항에 글 등록 방지 처리 //boardVO.setBbsId("BBSMSTR_000000000651"); // 공지사항 List userBbsWriteList = bbsMngService.selectUserBbsWriteList(boardVO); diff --git a/src/main/java/itn/let/uat/uia/web/EgovLoginController.java b/src/main/java/itn/let/uat/uia/web/EgovLoginController.java index 0d4b6af4..62f0cf26 100644 --- a/src/main/java/itn/let/uat/uia/web/EgovLoginController.java +++ b/src/main/java/itn/let/uat/uia/web/EgovLoginController.java @@ -585,6 +585,34 @@ public class EgovLoginController { ModelAndView modelAndView = new ModelAndView(); modelAndView.setViewName("jsonView"); + //비밀번호 규칙성 검증 추가 - 취약점 조치 + mberManageVO.setPassword(mberManageVO.getPassword().trim()); + String passWord = mberManageVO.getPassword(); + + if(passWord.length() < 8 || passWord.length() > 20) { + modelAndView.addObject("resultSts", "passWordFail"); + return modelAndView; + } + + Pattern digitPattern = Pattern.compile("[0-9]"); + Matcher digitMatcher = digitPattern.matcher(passWord); + boolean hasDigit = digitMatcher.find(); + + Pattern letterPattern = Pattern.compile("[a-zA-Z]"); + Matcher letterMatcher = letterPattern.matcher(passWord); + boolean hasLetter = letterMatcher.find(); + + Pattern specialPattern = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]"); + Matcher specialMatcher = specialPattern.matcher(passWord); + boolean hasSpecialCharacter = specialMatcher.find(); + + + if(hasDigit == false || hasLetter == false || hasSpecialCharacter == false) { + modelAndView.addObject("resultSts", "passWordFail"); + return modelAndView; + } + + // 사업자등록증 업로드 List result = null; String wAtchFileId = ""; //사업자등록증 첨부파일 ID 
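Review bot: The token key in `EgovDoubleSubmitHelper.checkAndSaveToken("someKey", multiRequest)` reads like a placeholder that was never replaced; if the helper keeps the saved token in the session under that key (the pattern of the eGovFrame double-submit helper — confirm for this `itn.com.cmm.util` copy), every form that also passes `"someKey"` shares one token, so a user with two such forms open gets a spurious rejection, and a per-form key such as `checkAndSaveToken("bbsUserWrite", multiRequest)` is needed. The failure path only sets `message` and `result=fail` and returns normally, which suits the jsonView client, but repeated token mismatches are exactly the automated-posting signal this commit targets and should also be logged server-side so they are visible in monitoring. The enclosing method begins and ends outside the hunk, and the line added to EgovNoticeRegist.jsp at `@@ -74` is blank in this rendering, so whether the form actually emits the token could not be checked here.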
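Review bot: `mberManageVO.getPassword().trim()` dereferences the password before any check, so a request that omits the field (if the VO getter returns null, the usual bean default — confirm) ends in a NullPointerException instead of the `passWordFail` result the rest of the block returns; guard it first, e.g. `String passWord = mberManageVO.getPassword() == null ? "" : mberManageVO.getPassword().trim();`. The same rule block is repeated verbatim in the `@@ -3205` hunk of this file and in the EgovMypageController hunk, each recompiling three `Pattern`s per request and each ordering the length test differently, so it belongs in one static helper with `static final` patterns, sketched below. The symbol class `[`~!@@#$%^&*|\\\\'\";:/?]` lists `@` twice and omits common symbols such as `-`, `_`, `.`, `(`, `)`, `+`, `=`, so passwords using only those are rejected with no hint why; the accepted set should be documented once and matched to the hint text the JSPs show. An upper bound of 20 also blocks longer passphrases; if the stored hash does not constrain length, the cap can be raised without weakening anything. The trimmed value is written back into the VO before it is stored or compared, which silently alters what the user typed — confirm the login path trims identically; the enclosing method starts and ends outside the hunk.
```java
/** Password policy shared by sign-up, password reset and my-page change: 8–20 chars, at least one digit, one letter and one listed symbol. */
private static final Pattern DIGIT = Pattern.compile("[0-9]");
private static final Pattern LETTER = Pattern.compile("[a-zA-Z]");
private static final Pattern SPECIAL = Pattern.compile("[`~!@#$%^&*|\\\\'\";:/?]");

/** Returns true when {@code password} (may be null) satisfies the policy above. */
static boolean meetsPasswordPolicy(String password) {
    if (password == null || password.length() < 8 || password.length() > 20) {
        return false;
    }
    return DIGIT.matcher(password).find()
        && LETTER.matcher(password).find()
        && SPECIAL.matcher(password).find();
}

// … unchanged: modelAndView setup …
String passWord = mberManageVO.getPassword() == null ? "" : mberManageVO.getPassword().trim();
mberManageVO.setPassword(passWord);
if (!meetsPasswordPolicy(passWord)) {
    modelAndView.addObject("resultSts", "passWordFail");
    return modelAndView;
}
// … unchanged: 사업자등록증 업로드 …
```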
@@ -3205,6 +3233,30 @@ public class EgovLoginController { try { + //비밀번호 규칙성 검증 추가 - 취약점 조치 + userManageVO.setPassword(userManageVO.getPassword().trim()); + String passWord = userManageVO.getPassword(); + + Pattern digitPattern = Pattern.compile("[0-9]"); + Matcher digitMatcher = digitPattern.matcher(passWord); + boolean hasDigit = digitMatcher.find(); + + Pattern letterPattern = Pattern.compile("[a-zA-Z]"); + Matcher letterMatcher = letterPattern.matcher(passWord); + boolean hasLetter = letterMatcher.find(); + + Pattern specialPattern = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]"); + Matcher specialMatcher = specialPattern.matcher(passWord); + boolean hasSpecialCharacter = specialMatcher.find(); + + + if(hasDigit == false || hasLetter == false || hasSpecialCharacter == false || passWord.length() < 8 || passWord.length() > 20) { + modelAndView.addObject("pwRuleCheck", false); + return modelAndView; + }else { + modelAndView.addObject("pwRuleCheck", true); + } + // 해당 정보의 등록 페스워드 조회 int pwCheck = mberManageService.selectMberPWOverlapCheck(userManageVO); diff --git a/src/main/java/itn/let/uat/uia/web/EgovMypageController.java b/src/main/java/itn/let/uat/uia/web/EgovMypageController.java index cdbf7c72..1407da45 100644 --- a/src/main/java/itn/let/uat/uia/web/EgovMypageController.java +++ b/src/main/java/itn/let/uat/uia/web/EgovMypageController.java 
@@ -1231,6 +1231,28 @@ public class EgovMypageController { return modelAndView; } + //비밀번호 규칙섬 검증 추가 - 취약점 조치 + userManageVO.setPassword(userManageVO.getPassword().trim()); + String passWord = userManageVO.getPassword(); + Pattern digitPattern = Pattern.compile("[0-9]"); + Matcher digitMatcher = digitPattern.matcher(passWord); + boolean hasDigit = digitMatcher.find(); + + Pattern letterPattern = Pattern.compile("[a-zA-Z]"); + Matcher letterMatcher = letterPattern.matcher(passWord); + boolean hasLetter = letterMatcher.find(); + + Pattern specialPattern = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]"); + Matcher specialMatcher = specialPattern.matcher(passWord); + boolean hasSpecialCharacter = specialMatcher.find(); + + if(hasDigit == false || hasLetter == false || hasSpecialCharacter == false || passWord.length() < 8 || passWord.length() > 20) { + modelAndView.addObject("errType", "04"); + modelAndView.addObject("message", "비밀번호 규칙을 확인해주세요."); + modelAndView.addObject("result", "fail"); + return modelAndView; + } + userManageVO.setEmplyrId(loginVO.getId()); userManageService.updateUserPWAjax(userManageVO); modelAndView.addObject("result", "success"); diff --git a/src/main/webapp/WEB-INF/jsp/web/cop/bbs/EgovNoticeRegist.jsp b/src/main/webapp/WEB-INF/jsp/web/cop/bbs/EgovNoticeRegist.jsp index 60ab3028..0aa597c3 100644 --- a/src/main/webapp/WEB-INF/jsp/web/cop/bbs/EgovNoticeRegist.jsp +++ b/src/main/webapp/WEB-INF/jsp/web/cop/bbs/EgovNoticeRegist.jsp @@ -18,6 +18,7 @@ <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%> <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%> <%@ taglib prefix="validator" uri="http://www.springmodules.org/tags/commons-validator"%> +<%@ taglib prefix="double-submit" uri="http://www.egovframe.go.kr/tags/double-submit/jsp" %> <% pageContext.setAttribute("crlf", "\r\n"); %> @@ -74,6 +75,7 @@ + 
diff --git a/src/main/webapp/WEB-INF/jsp/web/login/findUserPwResult.jsp b/src/main/webapp/WEB-INF/jsp/web/login/findUserPwResult.jsp index d6b43f0f..e401e2e9 100644 --- a/src/main/webapp/WEB-INF/jsp/web/login/findUserPwResult.jsp +++ b/src/main/webapp/WEB-INF/jsp/web/login/findUserPwResult.jsp @@ -97,6 +97,10 @@ function selectUserPW(){ , dataType:'json' , timeout:(1000*30) , success:function(data){ + if(data.pwRuleCheck == false){ + alert("비밀번호 규칙을 확인해주세요."); + return; + } if(data.pwCheck == false ){ alert("사용한 적 있는 비밀번호 입니다. 다른 비밀번호를 입력해주세요."); return; diff --git a/src/main/webapp/WEB-INF/jsp/web/login/usrInsertView.jsp b/src/main/webapp/WEB-INF/jsp/web/login/usrInsertView.jsp index 8be6416e..1be8a689 100644 --- a/src/main/webapp/WEB-INF/jsp/web/login/usrInsertView.jsp +++ b/src/main/webapp/WEB-INF/jsp/web/login/usrInsertView.jsp @@ -564,6 +564,10 @@ var blineCode = '${blineCode}'; //저장완료 화면으로 이동하기 fnInsertJoin(); + }else if("passWordFail" == returnData.resultSts){ + alert("비밀번호 규칙을 확인해주세요."); + return; + }else{ alert("회원가입에 실패 하였습니다."); diff --git a/src/main/webapp/WEB-INF/jsp/web/user/passwordChange.jsp b/src/main/webapp/WEB-INF/jsp/web/user/passwordChange.jsp index 128e9255..f06a14cc 100644 --- a/src/main/webapp/WEB-INF/jsp/web/user/passwordChange.jsp +++ b/src/main/webapp/WEB-INF/jsp/web/user/passwordChange.jsp @@ -186,6 +186,13 @@ function insertPw(){ $('#newPassword2').val(""); $('#newPassword1').focus(); return; + } + + if(returnData.errType == "04") { + $('#newPassword1').val(""); + $('#newPassword2').val(""); + $('#newPassword1').focus(); + return; } } }
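Review bot: The new `returnData.errType == "04"` branch in passwordChange.jsp clears both password fields and returns without surfacing `returnData.message`, so unless an `alert(returnData.message)` already runs before this chain (the start of the handler is outside the hunk), the user sees the form reset with no explanation of which rule failed; add `alert(returnData.message);` as the first line of the branch, which is the text the controller already sends. The findUserPwResult.jsp and usrInsertView.jsp hunks instead hard-code the same Korean message client-side while their controllers return only a flag, so the policy wording now lives in three screens plus EgovMypageController and will drift when the rule changes; one server-supplied message, or one shared client constant, would keep them aligned.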