admin/madeu_crm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

원복

Browse Source
This commit is contained in:
bd091
2025-12-07 01:20:59 +09:00
parent e564c579d2
commit d49343e216
1 changed files with 15 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
src/main/java/com/madeu/config/WebConfig.java
View File

@@ -1,17 +1,14 @@
package com.madeu.config; package com.madeu.config;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource; import org.springframework.core.io.Resource;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.resource.PathResourceResolver; import org.springframework.web.servlet.resource.PathResourceResolver;
import java.io.IOException;
@Configuration @Configuration
public class WebConfig implements WebMvcConfigurer { public class WebConfig implements WebMvcConfigurer {
@@ -22,72 +19,32 @@ public class WebConfig implements WebMvcConfigurer {
public void addResourceHandlers(ResourceHandlerRegistry registry) { public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/cdn/**") registry.addResourceHandler("/cdn/**")
.addResourceLocations("file:" + uploadPath + "/") .addResourceLocations("file:" + uploadPath + "/")
.setCachePeriod(3600) .setCachePeriod(3600) // 1시간 캐싱
.resourceChain(true) .resourceChain(true)
.addResolver(new PathResourceResolver() { .addResolver(new PathResourceResolver() {
@Override @Override
protected Resource getResource(String resourcePath, Resource location) throws IOException { protected Resource getResource(String resourcePath, Resource location) throws IOException {
// 1. URL 디코딩 Resource requestedResource = location.createRelative(resourcePath);
String decodedPath = decodeResourcePath(resourcePath);
// 2. 경로 정규화 (보안 검증) // 보안 검증: 허용된 파일 타입만
if (!isValidPath(decodedPath)) { if (requestedResource.exists() && requestedResource.isReadable()
return null; && isAllowedResource(requestedResource)) {
}
// 3. 리소스 찾기
Resource requestedResource = location.createRelative(decodedPath);
// 4. 존재 여부 및 허용된 파일 타입 검증
if (requestedResource.exists() &&
requestedResource.isReadable() &&
isAllowedResource(requestedResource)) {
return requestedResource; return requestedResource;
} }
return null; return null;
} }
private String decodeResourcePath(String path) {
try {
// UTF-8로 URL 디코딩
return URLDecoder.decode(path, StandardCharsets.UTF_8.name());
} catch (Exception e) {
// 디코딩 실패 시 원본 반환
return path;
}
}
private boolean isValidPath(String path) {
// 경로 탐색 공격 방지 (../ 등)
if (path.contains("..") || path.contains("./")) {
return false;
}
// 절대 경로 방지
if (path.startsWith("/") || path.contains(":")) {
return false;
}
return true;
}
private boolean isAllowedResource(Resource resource) { private boolean isAllowedResource(Resource resource) {
try { try {
String filename = resource.getFilename(); String filename = resource.getFilename();
if (!StringUtils.hasText(filename)) { return filename != null &&
return false; (filename.toLowerCase().endsWith(".jpg") ||
} filename.toLowerCase().endsWith(".jpeg") ||
filename.toLowerCase().endsWith(".png") ||
// 허용된 확장자 체크 filename.toLowerCase().endsWith(".gif") ||
String lowerFilename = filename.toLowerCase(); filename.toLowerCase().endsWith(".webp") ||
return lowerFilename.endsWith(".jpg") || filename.toLowerCase().endsWith(".bmp") ||
lowerFilename.endsWith(".jpeg") || filename.toLowerCase().endsWith(".svg"));
lowerFilename.endsWith(".png") ||
lowerFilename.endsWith(".gif") ||
lowerFilename.endsWith(".webp") ||
lowerFilename.endsWith(".bmp") ||
lowerFilename.endsWith(".svg");
} catch (Exception e) { } catch (Exception e) {
return false; return false;
} }