diff --git a/pom.xml b/pom.xml index 50f7ffb8..2d5ef13a 100644 --- a/pom.xml +++ b/pom.xml @@ -98,6 +98,13 @@ 2.6.0 + + + org.apache.commons + commons-lang3 + 3.16.0 + + diff --git a/src/main/java/com/interplug/qcast/biz/module/ModuleController.java b/src/main/java/com/interplug/qcast/biz/module/ModuleController.java index b294df95..fec42695 100644 --- a/src/main/java/com/interplug/qcast/biz/module/ModuleController.java +++ b/src/main/java/com/interplug/qcast/biz/module/ModuleController.java @@ -3,22 +3,19 @@ package com.interplug.qcast.biz.module; import com.interplug.qcast.biz.module.dto.ModuleResponse; import java.util.List; import lombok.RequiredArgsConstructor; -import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.*; @RestController @RequestMapping("/api/module") @RequiredArgsConstructor -@CrossOrigin public class ModuleController { private final ModuleService moduleService; // 모듈 조회 @GetMapping("/v1.0/modules/{roofMaterialId}/{trestleId}") - public ResponseEntity> getModulesByRoofMaterialIdAndTrestleId( + public List getModulesByRoofMaterialIdAndTrestleId( @PathVariable("roofMaterialId") Integer roofMaterialId, @PathVariable("trestleId") Integer trestleId) { - return ResponseEntity.ok( - moduleService.getModulesByRoofMaterialIdAndTrestleId(roofMaterialId, trestleId)); + return moduleService.getModulesByRoofMaterialIdAndTrestleId(roofMaterialId, trestleId); } } diff --git a/src/main/java/com/interplug/qcast/biz/roofmaterial/RoofMaterialController.java b/src/main/java/com/interplug/qcast/biz/roofmaterial/RoofMaterialController.java index 0b2e038f..4d14bd1a 100644 --- a/src/main/java/com/interplug/qcast/biz/roofmaterial/RoofMaterialController.java +++ b/src/main/java/com/interplug/qcast/biz/roofmaterial/RoofMaterialController.java @@ -3,21 +3,18 @@ package com.interplug.qcast.biz.roofmaterial; import com.interplug.qcast.biz.roofmaterial.dto.RoofMaterialResponse; import java.util.List; import lombok.RequiredArgsConstructor; -import org.springframework.http.ResponseEntity; -import org.springframework.web.bind.annotation.CrossOrigin; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController @RequiredArgsConstructor -@CrossOrigin @RequestMapping("/api/roof-material") public class RoofMaterialController { private final RoofMaterialService roofService; @GetMapping("/v1.0/roof-materials") - public ResponseEntity> getRoofs() { - return ResponseEntity.ok(roofService.getRoofMaterials()); + public List getRoofs() { + return roofService.getRoofMaterials(); } } diff --git a/src/main/java/com/interplug/qcast/biz/trestle/TrestleController.java b/src/main/java/com/interplug/qcast/biz/trestle/TrestleController.java index 2b0a12cf..ef10be81 100644 --- a/src/main/java/com/interplug/qcast/biz/trestle/TrestleController.java +++ b/src/main/java/com/interplug/qcast/biz/trestle/TrestleController.java @@ -3,19 +3,16 @@ package com.interplug.qcast.biz.trestle; import com.interplug.qcast.biz.trestle.dto.TrestleResponse; import java.util.List; import lombok.RequiredArgsConstructor; -import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.*; @RestController @RequiredArgsConstructor @RequestMapping("/api/trestle") -@CrossOrigin public class TrestleController { private final TrestleService trestleService; @GetMapping("/v1.0/trestles/{roofMaterialId}") - public ResponseEntity> getTrestlesByRoofMaterialId( - @PathVariable Integer roofMaterialId) { - return ResponseEntity.ok(trestleService.getTrestlesByRoofMaterialId(roofMaterialId)); + public List getTrestlesByRoofMaterialId(@PathVariable Integer roofMaterialId) { + return trestleService.getTrestlesByRoofMaterialId(roofMaterialId); } } diff --git a/src/main/java/com/interplug/qcast/config/json/HtmlCharacterEscapes.java b/src/main/java/com/interplug/qcast/config/json/HtmlCharacterEscapes.java new file mode 100644 index 00000000..3e3ac620 --- /dev/null +++ b/src/main/java/com/interplug/qcast/config/json/HtmlCharacterEscapes.java @@ -0,0 +1,59 @@ +package com.interplug.qcast.config.json; + +import com.fasterxml.jackson.core.SerializableString; +import com.fasterxml.jackson.core.io.CharacterEscapes; +import com.fasterxml.jackson.core.io.SerializedString; +import org.apache.commons.lang3.StringEscapeUtils; + +/** + * 
+ * xss 방어
+ *
+ *
+ * + * @author KimYoungHyun (youngh.kim@kt.com) + */ +public class HtmlCharacterEscapes extends CharacterEscapes { + + private static final long serialVersionUID = 2432838078852295950L; + private final int[] asciiEscapes; + + /** + * xss 방지를 위해 escape 처리 + */ + public HtmlCharacterEscapes() { + asciiEscapes = CharacterEscapes.standardAsciiEscapesForJSON(); + asciiEscapes['<'] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes['>'] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes['&'] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes['\''] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes['\"'] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes['('] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes[')'] = CharacterEscapes.ESCAPE_CUSTOM; + asciiEscapes['#'] = CharacterEscapes.ESCAPE_CUSTOM; + } + + @Override + public int[] getEscapeCodesForAscii() { + return asciiEscapes; + } + + @Override + public SerializableString getEscapeSequence(int ch) { + SerializedString serializedString = null; + char charAt = (char) ch; + + // emoji(Emoticons) character + if (Character.isHighSurrogate(charAt) || Character.isLowSurrogate(charAt)) { + StringBuilder sb = new StringBuilder(); + sb.append("\\u"); + sb.append(String.format("%04x", ch)); + serializedString = new SerializedString(sb.toString()); + } else { + serializedString = new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString(charAt))); + } + + return serializedString; + } + +} diff --git a/src/main/java/com/interplug/qcast/config/security/WebConfig.java b/src/main/java/com/interplug/qcast/config/security/WebConfig.java new file mode 100644 index 00000000..4d2ad7d4 --- /dev/null +++ b/src/main/java/com/interplug/qcast/config/security/WebConfig.java @@ -0,0 +1,46 @@ +package com.interplug.qcast.config.security; + +import com.fasterxml.jackson.databind.ObjectMapper; +import com.interplug.qcast.config.json.HtmlCharacterEscapes; +import lombok.RequiredArgsConstructor; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; +import org.springframework.web.servlet.config.annotation.CorsRegistry; +import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; + +/** + * 
+ * Web Config
+ *
+ * + * @author jaeyoung_lee (kkang090@gmail.com) + */ +@Configuration +@RequiredArgsConstructor +public class WebConfig implements WebMvcConfigurer { + + private final ObjectMapper objectMapper; + + @Override + public void addCorsMappings(CorsRegistry registry) { + registry.addMapping("/**").allowedOriginPatterns("*").allowCredentials(true).exposedHeaders("Authorization") + .allowedMethods("GET", "PUT", "POST", "PATCH", "DELETE", "OPTIONS"); + } + + /** + * 
+	 * XSS(Cross Site Scripting) converter
+	 *
+ * + * @author KimYoungHyun (youngh.kim@kt.com) + * @return + */ + @Bean + public MappingJackson2HttpMessageConverter jsonEscapeConverter() { + ObjectMapper copy = objectMapper.copy(); + copy.getFactory().setCharacterEscapes(new HtmlCharacterEscapes()); + return new MappingJackson2HttpMessageConverter(copy); + } + +}