이지우 - 취약점 점검 - 사용자 게시글 생성 자동화 방지, java 비밀번호 규칙 검증 추가
@3b0413faebc6fb4bb64eeb8dc40e19f749bf8ec8
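--- a/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java
+++ b/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java
@@ -73,6 +73,7 @@
 import itn.com.cmm.service.EgovFileMngUtil;
 import itn.com.cmm.service.FileVO;
 import itn.com.cmm.service.ReadService;
+import itn.com.cmm.util.EgovDoubleSubmitHelper;
 import itn.com.cmm.util.StringUtil;
 import itn.com.cmm.util.WebUtil;
 import itn.com.uss.ion.cnf.service.ProhibitMngService;
@@ -2712,6 +2713,12 @@
 ModelAndView modelAndView = new ModelAndView();
 modelAndView.setViewName("jsonView");
 
+
+if (!EgovDoubleSubmitHelper.checkAndSaveToken("someKey", multiRequest)) {
+modelAndView.addObject("message", "너무많은 글쓰기가 시도되었습니다.");
+modelAndView.addObject("result", "fail");
+return modelAndView;
+}
 // Start => bbsId를 변조해서 공지사항에 글 등록 방지 처리
 //boardVO.setBbsId("BBSMSTR_000000000651"); // 공지사항
 List<BoardVO> userBbsWriteList = bbsMngService.selectUserBbsWriteList(boardVO);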
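Review bot: The guard on line 2717 returns before any other processing when the token is missing or reused, which is the right position, but `checkAndSaveToken("someKey", multiRequest)` passes a placeholder key literal that the JSP has to repeat verbatim; define it once under a descriptive name (for example `private static final String BBS_REGIST_TOKEN_KEY = "bbsRegist";`) so the two sides cannot drift, since a mismatch would make every submission fail. Judging from the helper's name and the `double-submit:preventer` tag added in EgovNoticeRegist.jsp, this appears to be eGovFrame's duplicate-submission token, which stops the same rendered form being posted twice but does not bound how often a user posts; the message `너무많은 글쓰기가 시도되었습니다.` and the commit title describe a stronger control than that, so if repeated posting is the concern, a per-user rate limit on this handler is the matching control, and the message should describe the condition actually detected (duplicate submission). The failure response carries only `message` and `result`, which mirrors the other fail paths as far as visible here. The handler method begins and ends outside the hunk.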
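--- a/src/main/java/itn/let/uat/uia/web/EgovLoginController.java
+++ b/src/main/java/itn/let/uat/uia/web/EgovLoginController.java
@@ -585,6 +585,34 @@
 ModelAndView modelAndView = new ModelAndView();
 modelAndView.setViewName("jsonView");
 
+//비밀번호 규칙성 검증 추가 - 취약점 조치
+mberManageVO.setPassword(mberManageVO.getPassword().trim());
+String passWord = mberManageVO.getPassword();
+
+if(passWord.length() < 8 || passWord.length() > 20) {
+modelAndView.addObject("resultSts", "passWordFail");
+return modelAndView;
+}
+
+Pattern digitPattern = Pattern.compile("[0-9]");
+Matcher digitMatcher = digitPattern.matcher(passWord);
+boolean hasDigit = digitMatcher.find();
+
+Pattern letterPattern = Pattern.compile("[a-zA-Z]");
+Matcher letterMatcher = letterPattern.matcher(passWord);
+boolean hasLetter = letterMatcher.find();
+
+Pattern specialPattern = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]");
+Matcher specialMatcher = specialPattern.matcher(passWord);
+boolean hasSpecialCharacter = specialMatcher.find();
+
+
+if(hasDigit == false || hasLetter == false || hasSpecialCharacter == false) {
+modelAndView.addObject("resultSts", "passWordFail");
+return modelAndView;
+}
+
+
 // 사업자등록증 업로드
 List<FileVO> result = null;
 String wAtchFileId = ""; //사업자등록증 첨부파일 ID
@@ -3205,6 +3233,30 @@
 
 try {
 
+//비밀번호 규칙성 검증 추가 - 취약점 조치
+userManageVO.setPassword(userManageVO.getPassword().trim());
+String passWord = userManageVO.getPassword();
+
+Pattern digitPattern = Pattern.compile("[0-9]");
+Matcher digitMatcher = digitPattern.matcher(passWord);
+boolean hasDigit = digitMatcher.find();
+
+Pattern letterPattern = Pattern.compile("[a-zA-Z]");
+Matcher letterMatcher = letterPattern.matcher(passWord);
+boolean hasLetter = letterMatcher.find();
+
+Pattern specialPattern = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]");
+Matcher specialMatcher = specialPattern.matcher(passWord);
+boolean hasSpecialCharacter = specialMatcher.find();
+
+
+if(hasDigit == false || hasLetter == false || hasSpecialCharacter == false || passWord.length() < 8 || passWord.length() > 20) {
+modelAndView.addObject("pwRuleCheck", false);
+return modelAndView;
+}else {
+modelAndView.addObject("pwRuleCheck", true);
+}
+
 // 해당 정보의 등록 페스워드 조회
 int pwCheck = mberManageService.selectMberPWOverlapCheck(userManageVO);
 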
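Review bot: `mberManageVO.getPassword().trim()` on line 589 dereferences the password before any null check, so a request that omits the field ends in a NullPointerException (an unhandled 500) instead of the `passWordFail` response; the same applies to line 3237 in this file and to line 1235 in EgovMypageController. The rule itself — three `Pattern.compile` calls per request plus `hasDigit == false` comparisons — is copy-pasted into three handlers, so it should become one compiled, null-safe helper (sketched below) that each handler calls; the handler then only decides which response key to set. The special-character class `[`~!@@#$%^&*|\\\\'\";:/?]` omits common symbols such as `-`, `_`, `.`, `(`, `)`, `+` and `=`, so a password like `Summer-2024` (constructed example) is rejected as having no special character, and the 20-character cap is tighter than current guidance on maximum password length; confirm both match the rule shown to users. The diff adds no `java.util.regex` imports for this file, so if `Pattern` and `Matcher` are not already imported the class will not compile. Both hunks sit inside handler methods whose bodies begin and end outside the hunk.
```java
// Compiled once; the same rule is applied at sign-up, password reset and password change.
private static final Pattern PW_DIGIT = Pattern.compile("[0-9]");
private static final Pattern PW_LETTER = Pattern.compile("[a-zA-Z]");
private static final Pattern PW_SPECIAL = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]");

/** Returns true when {@code password} is non-null and, after trimming, is 8–20 chars with a digit, a letter and a special character. */
private static boolean isPasswordRuleSatisfied(String password) {
    if (password == null) {
        return false;
    }
    String trimmed = password.trim();
    int len = trimmed.length();
    return len >= 8 && len <= 20
        && PW_DIGIT.matcher(trimmed).find()
        && PW_LETTER.matcher(trimmed).find()
        && PW_SPECIAL.matcher(trimmed).find();
}

// … in the sign-up handler, replacing new lines 588-615 …
if (!isPasswordRuleSatisfied(mberManageVO.getPassword())) {
    modelAndView.addObject("resultSts", "passWordFail");
    return modelAndView;
}
mberManageVO.setPassword(mberManageVO.getPassword().trim());
// … unchanged: 사업자등록증 업로드 …
```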
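--- a/src/main/java/itn/let/uat/uia/web/EgovMypageController.java
+++ b/src/main/java/itn/let/uat/uia/web/EgovMypageController.java
@@ -1231,6 +1231,28 @@
 return modelAndView;
 }
 
+//비밀번호 규칙섬 검증 추가 - 취약점 조치
+userManageVO.setPassword(userManageVO.getPassword().trim());
+String passWord = userManageVO.getPassword();
+Pattern digitPattern = Pattern.compile("[0-9]");
+Matcher digitMatcher = digitPattern.matcher(passWord);
+boolean hasDigit = digitMatcher.find();
+
+Pattern letterPattern = Pattern.compile("[a-zA-Z]");
+Matcher letterMatcher = letterPattern.matcher(passWord);
+boolean hasLetter = letterMatcher.find();
+
+Pattern specialPattern = Pattern.compile("[`~!@@#$%^&*|\\\\'\";:/?]");
+Matcher specialMatcher = specialPattern.matcher(passWord);
+boolean hasSpecialCharacter = specialMatcher.find();
+
+if(hasDigit == false || hasLetter == false || hasSpecialCharacter == false || passWord.length() < 8 || passWord.length() > 20) {
+modelAndView.addObject("errType", "04");
+modelAndView.addObject("message", "비밀번호 규칙을 확인해주세요.");
+modelAndView.addObject("result", "fail");
+return modelAndView;
+}
+
 userManageVO.setEmplyrId(loginVO.getId());
 userManageService.updateUserPWAjax(userManageVO);
 modelAndView.addObject("result", "success");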
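Review bot: The comment on line 1234 reads `규칙섬` where the same block in EgovLoginController says `규칙성`; change it to `//비밀번호 규칙성 검증 추가 - 취약점 조치` so a search for the rule finds all three sites. The literal `"04"` on line 1250 is the contract with the `errType == "04"` branch added in passwordChange.jsp, so it should be a named constant (for example `private static final String ERR_TYPE_PW_RULE = "04";`) kept beside whatever defines the other errType values, which are outside this hunk. The trim-and-regex block on lines 1235-1247 is the same code as in EgovLoginController and should call one shared, null-safe password-rule helper rather than carry its own copy. The enclosing method starts outside the hunk.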
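--- a/src/main/webapp/WEB-INF/jsp/web/cop/bbs/EgovNoticeRegist.jsp
+++ b/src/main/webapp/WEB-INF/jsp/web/cop/bbs/EgovNoticeRegist.jsp
@@ -18,6 +18,7 @@
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
 <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
 <%@ taglib prefix="validator" uri="http://www.springmodules.org/tags/commons-validator"%>
+<%@ taglib prefix="double-submit" uri="http://www.egovframe.go.kr/tags/double-submit/jsp" %>
 <%
 pageContext.setAttribute("crlf", "\r\n");
 %>
@@ -74,6 +75,7 @@
 <input type="hidden" name="bbsId" value="<c:out value='${searchVO.bbsId}'/>" />
 </form:form>
 <form:form commandName="board" name="board" method="post" enctype="multipart/form-data">
+<double-submit:preventer tokenKey="someKey" />
 <input type="hidden" name="pageIndex" value="<c:out value='${searchVO.pageIndex}'/>" />
 <input type="hidden" name="searchCnd" value="<c:out value='${searchVO.searchCnd}'/>"/>
 <input type="hidden" name="searchWrd" value="<c:out value='${searchVO.searchWrd}'/>"/>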
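Review bot: `tokenKey="someKey"` on line 78 is a placeholder that has to equal the literal passed to `checkAndSaveToken` in EgovBBSManageController; give the key a descriptive name and source it from one place (a constant the page reads, or at least an identical named value on both sides), because a mismatch is silent and makes every post fail with the "too many writes" message. The preventer is attached only to the `board` form; the form closed on line 75 gets none, which is fine if it is the search form — worth confirming.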
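--- a/src/main/webapp/WEB-INF/jsp/web/login/findUserPwResult.jsp
+++ b/src/main/webapp/WEB-INF/jsp/web/login/findUserPwResult.jsp
@@ -97,6 +97,10 @@
 , dataType:'json'
 , timeout:(1000*30)
 , success:function(data){
+if(data.pwRuleCheck == false){
+alert("비밀번호 규칙을 확인해주세요.");
+return;
+}
 if(data.pwCheck == false ){
 alert("사용한 적 있는 비밀번호 입니다. 다른 비밀번호를 입력해주세요.");
 return;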
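Review bot: `data.pwRuleCheck == false` on line 100 uses loose equality, which also matches `0`, `""` and `null`; the server sets a boolean, so write `if (data.pwRuleCheck === false) {`. The server's failure response for this case carries only `pwRuleCheck`, so this branch must stay ahead of the `pwCheck` test, as it does here. The `success` callback continues outside the hunk.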
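--- a/src/main/webapp/WEB-INF/jsp/web/login/usrInsertView.jsp
+++ b/src/main/webapp/WEB-INF/jsp/web/login/usrInsertView.jsp
@@ -564,6 +564,10 @@
 //저장완료 화면으로 이동하기
 fnInsertJoin();
 
+}else if("passWordFail" == returnData.resultSts){
+alert("비밀번호 규칙을 확인해주세요.");
+return;
+
 }else{
 
 alert("회원가입에 실패 하였습니다.");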
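Review bot: `"passWordFail" == returnData.resultSts` on line 567 puts the literal first and uses loose equality; `} else if (returnData.resultSts === "passWordFail") {` reads the way the rest of the chain does, assuming the comparisons above it (outside the hunk) use strict equality — confirm before mixing styles. The empty line 570 left between `return;` and `}else{` is stray whitespace. The if/else chain this extends starts outside the hunk.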
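--- a/src/main/webapp/WEB-INF/jsp/web/user/passwordChange.jsp
+++ b/src/main/webapp/WEB-INF/jsp/web/user/passwordChange.jsp
@@ -186,6 +186,13 @@
 $('#newPassword2').val("");
 $('#newPassword1').focus();
 return;
+}
+
+if(returnData.errType == "04") {
+$('#newPassword1').val("");
+$('#newPassword2').val("");
+$('#newPassword1').focus();
+return;
 }
 }
 }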
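Review bot: The `errType == "04"` branch on lines 191-195 clears both password fields and refocuses but never shows the server's `message` (`비밀번호 규칙을 확인해주세요.`) or any other text, so the user watches their input disappear with no explanation; unless the message is already displayed above this block (outside the hunk), add `alert(returnData.message);` as the first line of the branch, which is what findUserPwResult.jsp does for the same rule. Use `===` for the comparison, as `"04"` is a string on both sides. The callback this sits in starts outside the hunk.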