Merge pull request #357 from eGovFramework/contribution

24년 보안패치 merge
eGovFramework · Jul 30, 2024 · e6d6980 · e6d6980
2 parents 39c1df5 + 7645815
commit e6d6980
Show file tree

Hide file tree

Showing 13 changed files with 200 additions and 170 deletions.
diff --git a/.github/ISSUE_TEMPLATE/amendment_request.yml b/.github/ISSUE_TEMPLATE/amendment_request.yml
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,5 +1,5 @@
-name: 기능 요구 및 의견 Feature Request
-description: 기능 요구나 기타 의견을 이슈로 등록하는 템플릿입니다. Suggest an idea for improving eGovFrame.
+name: 기능 요구 Feature Request
+description: 기능 요구를 이슈로 등록하는 템플릿입니다. Suggest a new feature for improving eGovFrame.
 title: "[기능요구(Feature)]: "
 labels: ["feature"]
 assignees:

diff --git a/.github/ISSUE_TEMPLATE/improvement_plan.yml b/.github/ISSUE_TEMPLATE/improvement_plan.yml
@@ -0,0 +1,55 @@
+name: 발전 방안 제안 Improvement Plan
+description: 발전 방안을 이슈로 등록하는 템플릿입니다. Suggest a new plan for improving eGovFrame.
+title: "[발전 방안 제안(Improvement Plan)]: "
+labels: ["Improvement"]
+assignees:
+  - yongfire38
+body:
+  - type: markdown
+    attributes:
+      value: |
+        시간을 내어 의견을 작성해 주셔서 감사합니다. Thank you for taking the time to fill out a request.
+  - type: input
+    id: idea-name
+    attributes:
+      label: 아이디어명 Idea Name
+    validations:
+      required: true
+  - type: textarea
+    id: idea-summary
+    attributes:
+      label: 아이디어 요약 Idea Summary
+      description: 과제 내용을 300자 이내로 간결하게 요약 및 정의해 주세요 Please summarize and define your content in 300 characters or less
+      placeholder: 예) 게시판 첨부기능 추가 Example) Adding a bulletin board attachment
+    validations:
+      required: true
+  - type: textarea
+    id: suggestion-background
+    attributes:
+      label: 제안배경 Suggestion Background
+      description: 아이디어를 제안하게 된 배경 및 필요성을 기술해 주세요. Please describe the background and need for the idea.
+      placeholder: 아이디어를 제안하게 된 배경은 다음과 같습니다. The background to suggesting the idea is as follows.
+    validations:
+      required: true
+  - type: textarea
+    id: expectations
+    attributes:
+      label: 기대효과 Expectations
+      description: 아이디어의 실현 가능성과 예상되는 기대효과를 제시하여 주세요. Please describe the expected impact and outcome of the idea.
+      placeholder: 해당 아이디어의 기대효과는 다음과 같습니다. Here are the expected effects of this idea.
+    validations:
+      required: false
+  - type: textarea
+    id: free-writing
+    attributes:
+      label: 자유기술 Free Writing
+      description: 추가 기재하고 싶은 항목 및 내용을 자유롭게 기재하여 주세요. Please feel free to add anything else you'd like to include.
+    validations:
+      required: false
+  - type: textarea
+    id: reference
+    attributes:
+      label: 참고문헌 Reference
+      description: 참고문헌이 있는 경우 작성하여 주세요. If you have references, please include them.
+    validations:
+      required: false
diff --git a/src/main/java/egovframework/com/utl/sys/fsm/service/EgovFileSystemMntrngScheduling.java b/src/main/java/egovframework/com/utl/sys/fsm/service/EgovFileSystemMntrngScheduling.java
@@ -38,7 +38,7 @@
  *  ----------   --------   ---------------------------
  *  2017.03.03 	 조성원 	시큐어코딩(ES)-Null Pointer 역참조[CWE-476]
  *  2022.11.11   김혜준     시큐어코딩 처리
- * 
+ *  2024.05.02   김수용   NSR 보안조치 (파일시스템명에서 악의적인 문자열 제거)
  */
 
 @Service("egovFileSysMntrngScheduling")
@@ -88,7 +88,7 @@ public void monitorFileSys() throws Exception {
 		Iterator<FileSysMntrng> iter = targetList.iterator();
 		FileSysMntrng target = null;
 
-		String fileSysNm = "";
+		String safeFileSysNm = "";
 		int fileSysMg = 0;
 		int fileSysThrhld = 0;
 		int fileSysUsgQty = 0;
@@ -101,11 +101,11 @@ public void monitorFileSys() throws Exception {
 			java.text.SimpleDateFormat formatter = new java.text.SimpleDateFormat("yyyyMMddHHmmss", java.util.Locale.KOREA);
 			target.setCreatDt(formatter.format(new java.util.Date()));
 
-			fileSysNm = target.getFileSysNm();
+			safeFileSysNm = EgovWebUtil.removeCRLF(target.getFileSysNm()).replaceAll("\\|", "").replaceAll("&", "");
 			fileSysThrhld = target.getFileSysThrhld();
 			try{
-				fileSysMg = FileSystemChecker.totalSpaceGb(fileSysNm);
-				fileSysUsgQty = fileSysMg - FileSystemChecker.freeSpaceGb(fileSysNm);
+				fileSysMg = FileSystemChecker.totalSpaceGb(safeFileSysNm);
+				fileSysUsgQty = fileSysMg - FileSystemChecker.freeSpaceGb(safeFileSysNm);
 
 				target.setFileSysMg(fileSysMg);
 				target.setFileSysUsgQty(fileSysUsgQty);

diff --git a/src/main/java/egovframework/com/utl/sys/fsm/web/EgovFileSysMntrngController.java b/src/main/java/egovframework/com/utl/sys/fsm/web/EgovFileSysMntrngController.java
@@ -48,6 +48,7 @@
  *  2010.06.28	장철호		최초 생성
  *  2011.08.26	정진오		IncludedInfo annotation 추가
  *  2023.06.09	김수용		NSR 보안조치 (파일시스템 변수에서 개행문자 제거)
+ *  2024.05.02  김수용        NSR 보안조치 (파일시스템명에서 악의적인 문자열 제거)
  * </pre>
  */
 
@@ -198,6 +199,11 @@ public String updateFileSysMntrng(@ModelAttribute("fileSysMntrngVO") FileSysMntr
 
 		if (isAuthenticated) {
 			fileSysMntrngVO.setLastUpdusrId(user == null ? "" : EgovStringUtil.isNullToString(user.getUniqId()));
+
+			String fileSysNm = fileSysMntrngVO.getFileSysNm();
+			String safeFileSysNm = EgovWebUtil.removeCRLF(fileSysNm).replaceAll("\\|", "").replaceAll("&", "");
+			fileSysMntrngVO.setFileSysNm(safeFileSysNm);
+
 			fileSysMntrngService.updateFileSysMntrng(fileSysMntrngVO);
 		}
 
@@ -234,6 +240,10 @@ public String insertFileSysMntrng(@ModelAttribute("fileSysMntrngVO") FileSysMntr
 		//아이디 설정
 		fileSysMntrngVO.setFrstRegisterId((String) (loginVO == null ? "" : EgovStringUtil.isNullToString(loginVO.getUniqId())));
 		fileSysMntrngVO.setLastUpdusrId((String) (loginVO == null ? "" : EgovStringUtil.isNullToString(loginVO.getUniqId())));
+
+		String fileSysNm = fileSysMntrngVO.getFileSysNm();
+		String safeFileSysNm = EgovWebUtil.removeCRLF(fileSysNm).replaceAll("\\|", "").replaceAll("&", "");
+		fileSysMntrngVO.setFileSysNm(safeFileSysNm);
 
 		fileSysMntrngService.insertFileSysMntrng(fileSysMntrngVO);
 		sLocationUrl = "forward:/utl/sys/fsm/selectFileSysMntrngList.do";

diff --git a/src/main/resources/egovframework/mapper/com/cop/smt/wmr/EgovWikMnthngReprt_SQL_altibase.xml b/src/main/resources/egovframework/mapper/com/cop/smt/wmr/EgovWikMnthngReprt_SQL_altibase.xml
@@ -141,30 +141,30 @@
 		WHERE (A.WRTER_ID = #{searchId} OR A.REPORTR_ID = #{searchId})
 
 
-	 <if test="searchDe.equals('0')">AND
+	 <if test='searchDe.equals("0")'>AND
 		 	A.REPORT_DE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	(A.REPORT_BGNDE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 		 			OR	A.REPORT_ENDDE BETWEEN #{searchBgnDe} AND #{searchEndDe}	)
 
 	 </if>
-	 <if test="searchCnd.equals('0')">AND
+	 <if test='searchCnd.equals("0")'>AND
 		 	A.REPRT_SJ LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchCnd.equals('1')">AND
+	 <if test='searchCnd.equals("1")'>AND
 		 	B.USER_NM LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchSttus.equals('0')">AND
+	 <if test='searchSttus.equals("0")'>AND
 		 	NVL(A.CONFM_DT, ' ') = ' ' 		
 	 </if>
-	 <if test="searchSttus.equals('1')">AND
+	 <if test='searchSttus.equals("1")'>AND
 		 	NVL(A.CONFM_DT, ' ') != ' ' 		
 	 </if>
-	 <if test="searchSe.equals('1')">AND
+	 <if test='searchSe.equals("1")'>AND
 		 	A.REPRT_SE = '1' 		
 	 </if>
-	 <if test="searchSe.equals('2')">AND
+	 <if test='searchSe.equals("2")'>AND
 		 	A.REPRT_SE = '2' 		
 	 </if>
 
@@ -189,30 +189,30 @@
 		WHERE (A.WRTER_ID = #{searchId} OR A.REPORTR_ID = #{searchId})
 
 
-	 <if test="searchDe.equals('0')">AND
+	 <if test='searchDe.equals("0")'>AND
 		 	A.REPORT_DE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	(A.REPORT_BGNDE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 		 			OR	A.REPORT_ENDDE BETWEEN #{searchBgnDe} AND #{searchEndDe}	)
 
 	 </if>
-	 <if test="searchCnd.equals('0')">AND
+	 <if test='searchCnd.equals("0")'>AND
 		 	A.REPRT_SJ LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchCnd.equals('1')">AND
+	 <if test='searchCnd.equals("1")'>AND
 		 	B.USER_NM LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchSttus.equals('0')">AND
+	 <if test='searchSttus.equals("0")'>AND
 		 	NVL(A.CONFM_DT, ' ') = ' '  		
 	 </if>
-	 <if test="searchSttus.equals('1')">AND
+	 <if test='searchSttus.equals("1")'>AND
 		 	NVL(A.CONFM_DT, ' ') != ' '  		
 	 </if>
-	 <if test="searchSe.equals('1')">AND
+	 <if test='searchSe.equals("1")'>AND
 		 	A.REPRT_SE = '1' 		
 	 </if>
-	 <if test="searchSe.equals('2')">AND
+	 <if test='searchSe.equals("2")'>AND
 		 	A.REPRT_SE = '2' 		
 	 </if>
 

diff --git a/src/main/resources/egovframework/mapper/com/cop/smt/wmr/EgovWikMnthngReprt_SQL_cubrid.xml b/src/main/resources/egovframework/mapper/com/cop/smt/wmr/EgovWikMnthngReprt_SQL_cubrid.xml
@@ -141,30 +141,30 @@
 		WHERE (A.WRTER_ID = #{searchId} OR A.REPORTR_ID = #{searchId})
 
 
-	 <if test="searchDe.equals('0')">AND
+	 <if test='searchDe.equals("0")'>AND
 		 	A.REPORT_DE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	(A.REPORT_BGNDE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 		 			OR	A.REPORT_ENDDE BETWEEN #{searchBgnDe} AND #{searchEndDe}	)
 
 	 </if>
-	 <if test="searchCnd.equals('0')">AND
+	 <if test='searchCnd.equals("0")'>AND
 		 	A.REPRT_SJ LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchCnd.equals('1')">AND
+	 <if test='searchCnd.equals("1")'>AND
 		 	B.USER_NM LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchSttus.equals('0')">AND
+	 <if test='searchSttus.equals("0")'>AND
 		 	NVL(A.CONFM_DT, ' ') = ' ' 		
 	 </if>
-	 <if test="searchSttus.equals('1')">AND
+	 <if test='searchSttus.equals("1")'>AND
 		 	NVL(A.CONFM_DT, ' ') != ' ' 		
 	 </if>
-	 <if test="searchSe.equals('1')">AND
+	 <if test='searchSe.equals("1")'>AND
 		 	A.REPRT_SE = '1' 		
 	 </if>
-	 <if test="searchSe.equals('2')">AND
+	 <if test='searchSe.equals("2")'>AND
 		 	A.REPRT_SE = '2' 		
 	 </if>
 
@@ -189,30 +189,30 @@
 		WHERE (A.WRTER_ID = #{searchId} OR A.REPORTR_ID = #{searchId})
 
 
-	 <if test="searchDe.equals('0')">AND
+	 <if test='searchDe.equals("0")'>AND
 		 	A.REPORT_DE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	(A.REPORT_BGNDE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 		 			OR	A.REPORT_ENDDE BETWEEN #{searchBgnDe} AND #{searchEndDe}	)
 
 	 </if>
-	 <if test="searchCnd.equals('0')">AND
+	 <if test='searchCnd.equals("0")'>AND
 		 	A.REPRT_SJ LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchCnd.equals('1')">AND
+	 <if test='searchCnd.equals("1")'>AND
 		 	B.USER_NM LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchSttus.equals('0')">AND
+	 <if test='searchSttus.equals("0")'>AND
 		 	NVL(A.CONFM_DT, ' ') = ' '  		
 	 </if>
-	 <if test="searchSttus.equals('1')">AND
+	 <if test='searchSttus.equals("1")'>AND
 		 	NVL(A.CONFM_DT, ' ') != ' '  		
 	 </if>
-	 <if test="searchSe.equals('1')">AND
+	 <if test='searchSe.equals("1")'>AND
 		 	A.REPRT_SE = '1' 		
 	 </if>
-	 <if test="searchSe.equals('2')">AND
+	 <if test='searchSe.equals("2")'>AND
 		 	A.REPRT_SE = '2' 		
 	 </if>
 

diff --git a/...main/resources/egovframework/mapper/com/cop/smt/wmr/EgovWikMnthngReprt_SQL_goldilocks.xml b/...main/resources/egovframework/mapper/com/cop/smt/wmr/EgovWikMnthngReprt_SQL_goldilocks.xml
@@ -141,29 +141,29 @@
 		WHERE (A.WRTER_ID = #{searchId} OR A.REPORTR_ID = #{searchId})
 
 
-	 <if test="searchDe.equals('0')">AND
+	 <if test='searchDe.equals("0")'>AND
 		 	A.REPORT_DE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	(A.REPORT_BGNDE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 		 			OR	A.REPORT_ENDDE BETWEEN #{searchBgnDe} AND #{searchEndDe}	)
 	 </if>
-	 <if test="searchCnd.equals('0')">AND
+	 <if test='searchCnd.equals("0")'>AND
 		 	A.REPRT_SJ LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchCnd.equals('1')">AND
+	 <if test='searchCnd.equals("1")'>AND
 		 	B.USER_NM LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchSttus.equals('0')">AND
+	 <if test='searchSttus.equals("0")'>AND
 		 	NVL(A.CONFM_DT, ' ') = ' ' 		
 	 </if>
-	 <if test="searchSttus.equals('1')">AND
+	 <if test='searchSttus.equals("1")'>AND
 		 	NVL(A.CONFM_DT, ' ') != ' ' 		
 	 </if>
-	 <if test="searchSe.equals('1')">AND
+	 <if test='searchSe.equals("1")'>AND
 		 	A.REPRT_SE = '1' 		
 	 </if>
-	 <if test="searchSe.equals('2')">AND
+	 <if test='searchSe.equals("2")'>AND
 		 	A.REPRT_SE = '2' 		
 	 </if>
 
@@ -188,30 +188,30 @@
 		WHERE (A.WRTER_ID = #{searchId} OR A.REPORTR_ID = #{searchId})
 
 
-	 <if test="searchDe.equals('0')">AND
+	 <if test='searchDe.equals("0")'>AND
 		 	A.REPORT_DE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	(A.REPORT_BGNDE BETWEEN #{searchBgnDe} AND #{searchEndDe}		
 		 			OR	A.REPORT_ENDDE BETWEEN #{searchBgnDe} AND #{searchEndDe}	)
 
 	 </if>
-	 <if test="searchCnd.equals('0')">AND
+	 <if test='searchCnd.equals("0")'>AND
 		 	A.REPRT_SJ LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchDe.equals('1')">AND
+	 <if test='searchDe.equals("1")'>AND
 		 	B.USER_NM LIKE '%'||#{searchWrd}||'%' 		
 	 </if>
-	 <if test="searchSttus.equals('0')">AND
+	 <if test='searchSttus.equals("0")'>AND
 		 	NVL(A.CONFM_DT, ' ') = ' '  		
 	 </if>
-	 <if test="searchSttus.equals('1')">AND
+	 <if test='searchSttus.equals("1")'>AND
 		 	NVL(A.CONFM_DT, ' ') != ' '  		
 	 </if>
-	 <if test="searchSe.equals('1')">AND
+	 <if test='searchSe.equals("1")'>AND
 		 	A.REPRT_SE = '1' 		
 	 </if>
-	 <if test="searchSe.equals('2')">AND
+	 <if test='searchSe.equals("2")'>AND
 		 	A.REPRT_SE = '2' 		
 	 </if>