🔒️ 행안부 프리셋 보안 점검 1차 점검

2021-11-08 17:06:02 +09:00
parent 1e04bb0289
commit f974a0d496
17 changed files with 55 additions and 70 deletions
--- a/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/api/board/dto/BoardResponseDto.java
+++ b/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/api/board/dto/BoardResponseDto.java
@@ -8,6 +8,7 @@ import org.egovframe.cloud.boardservice.domain.board.Board;
 import java.io.Serializable;
 import java.math.BigDecimal;
 import java.util.ArrayList;
 import java.util.List;
 /**
@@ -193,7 +194,7 @@ public class BoardResponseDto implements Serializable {
     * @param posts 게시물 목록
     */
    public void setNewestPosts(List<PostsSimpleResponseDto> posts) {
-        this.posts = posts;
+        this.posts = new ArrayList<>(posts);
    }
 }
--- a/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/api/posts/dto/PostsResponseDto.java
+++ b/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/api/posts/dto/PostsResponseDto.java
@@ -8,6 +8,7 @@ import org.egovframe.cloud.boardservice.domain.posts.Posts;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.List;
 /**
@@ -202,14 +203,14 @@ public class PostsResponseDto implements Serializable {
     * 이전 게시물
     */
    public void setPrevPosts(List<PostsSimpleResponseDto> prevPosts) {
-        this.prevPosts = prevPosts;
+        this.prevPosts = new ArrayList<>(prevPosts);
    }
    /**
     * 다음 게시물
     */
    public void setNextPosts(List<PostsSimpleResponseDto> nextPosts) {
-        this.nextPosts = nextPosts;
+        this.nextPosts = new ArrayList<>(nextPosts);
    }
 }
--- a/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/domain/posts/Posts.java
+++ b/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/domain/posts/Posts.java
@@ -13,6 +13,7 @@ import org.hibernate.annotations.OnDelete;
 import org.hibernate.annotations.OnDeleteAction;
 import javax.persistence.*;
 import java.util.ArrayList;
 import java.util.List;
 /**
@@ -137,7 +138,7 @@ public class Posts extends BaseEntity {
        this.noticeAt = noticeAt;
        this.deleteAt = deleteAt;
        this.creator = creator;
-        this.comments = comments;
+        this.comments = new ArrayList<>(comments);
    }
    /**
--- a/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/service/board/BoardService.java
+++ b/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/service/board/BoardService.java
@@ -128,7 +128,7 @@ public class BoardService extends AbstractService {
     * @param boardNo 게시판 번호
     * @return Board 게시판 엔티티
     */
-    private Board findBoard(Integer boardNo) {
+    private Board findBoard(Integer boardNo) throws EntityNotFoundException {
        return boardRepository.findById(boardNo)
                .orElseThrow(() -> new EntityNotFoundException(getMessage("valid.notexists.format", new Object[]{getMessage("board")})));
    }
--- a/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/service/comment/CommentService.java
+++ b/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/service/comment/CommentService.java
@@ -125,7 +125,7 @@ public class CommentService extends AbstractService {
     * @param requestDto 댓글 등록 요청 DTO
     */
    @Transactional
-    public CommentResponseDto save(CommentSaveRequestDto requestDto) {
+    public CommentResponseDto save(CommentSaveRequestDto requestDto) throws InvalidValueException {
        if (requestDto.getBoardNo() == null || requestDto.getPostsNo() == null) {
            throw new InvalidValueException(getMessage("err.invalid.input.value"));
        }
@@ -225,7 +225,7 @@ public class CommentService extends AbstractService {
     * @param commentNo 댓글 번호
     * @return Comment 댓글 엔티티
     */
-    private Comment findComment(Integer boardNo, Integer postsNo, Integer commentNo) {
+    private Comment findComment(Integer boardNo, Integer postsNo, Integer commentNo) throws InvalidValueException {
        if (boardNo == null || postsNo == null || commentNo == null) {
            throw new InvalidValueException(getMessage("err.invalid.input.value"));
        }
@@ -252,7 +252,7 @@ public class CommentService extends AbstractService {
     * @param userId    사용자 id
     * @return Comment 댓글 엔티티
     */
-    private Comment findCommentByCreatedBy(Integer boardNo, Integer postsNo, Integer commentNo, String userId) {
+    private Comment findCommentByCreatedBy(Integer boardNo, Integer postsNo, Integer commentNo, String userId) throws BusinessMessageException {
        if (userId == null) {
            throw new BusinessMessageException(getMessage("err.required.login")); // 로그인 후 다시 시도해주세요.
        }
@@ -272,7 +272,7 @@ public class CommentService extends AbstractService {
     *
     * @param posts 게시물 엔티티
     */
-    private void checkEditableComment(Posts posts) {
+    private void checkEditableComment(Posts posts) throws EntityNotFoundException, BusinessMessageException {
        Board board = posts.getBoard();
        if (board == null) {
            throw new EntityNotFoundException(getMessage("valid.notexists.format", new Object[]{getMessage("board")})); // 게시판이(가) 없습니다.
--- a/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/service/posts/PostsService.java
+++ b/backend/board-service/src/main/java/org/egovframe/cloud/boardservice/service/posts/PostsService.java
@@ -86,7 +86,7 @@ public class PostsService extends AbstractService {
     * @param postsCount 게시물 수
     * @return Map<Integer, BoardResponseDto> 최근 게시물이 포함된 게시판 상세 응답 DTO Map
     */
-    public Map<Integer, BoardResponseDto> findNewest(List<Integer> boardNos, Integer postsCount) {
+    public Map<Integer, BoardResponseDto> findNewest(List<Integer> boardNos, Integer postsCount) throws InvalidValueException {
        if (boardNos == null || boardNos.isEmpty())
            throw new InvalidValueException(getMessage("err.invalid.input.value"));
@@ -133,7 +133,7 @@ public class PostsService extends AbstractService {
     * @return PostsResponseDto 게시물 응답 DTO
     */
    @Transactional
-    public PostsResponseDto findById(Integer boardNo, Integer postsNo, Integer deleteAt, String userId, String ipAddr, RequestDto requestDto) {
+    public PostsResponseDto findById(Integer boardNo, Integer postsNo, Integer deleteAt, String userId, String ipAddr, RequestDto requestDto) throws EntityNotFoundException, BusinessMessageException {
        PostsResponseDto dto = postsRepository.findById(boardNo, postsNo, userId, ipAddr);
        if (dto == null) {
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/api/attachment/dto/AttachmentImageResponseDto.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/api/attachment/dto/AttachmentImageResponseDto.java
@@ -31,6 +31,9 @@ public class AttachmentImageResponseDto {
    @Builder
    public AttachmentImageResponseDto(String mimeType, byte[] data) {
        this.mimeType = mimeType;
-        this.data = data;
+        this.data = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            this.data[i] = data[i];
        }
    }
 }
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/api/menu/dto/MenuDnDRequestDto.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/api/menu/dto/MenuDnDRequestDto.java
@@ -48,6 +48,6 @@ public class MenuDnDRequestDto {
        this.parentId = parentId;
        this.level = level;
        this.icon = icon;
-        this.children = children;
+        this.children = new ArrayList<>(children);
    }
 }
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/api/menu/dto/MenuRoleRequestDto.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/api/menu/dto/MenuRoleRequestDto.java
@@ -6,6 +6,7 @@ import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.ToString;
 import java.util.ArrayList;
 import java.util.List;
 /**
@@ -53,6 +54,6 @@ public class MenuRoleRequestDto {
        this.sortSeq = sortSeq;
        this.icon = icon;
        this.level = level;
-        this.children = children;
+        this.children = new ArrayList<>(children);
    }
 }
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/config/MessageSourceFiles.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/config/MessageSourceFiles.java
@@ -74,7 +74,7 @@ public class MessageSourceFiles {
        try {
            Files.createDirectory(Paths.get(fileMessagesDirectory).toAbsolutePath().normalize());
        } catch (FileAlreadyExistsException e) {
-            log.info("메시지 폴더 경로에 파일이나 디렉토리가 이미 존재, {}", e.getMessage());
+            log.error("메시지 폴더 경로에 파일이나 디렉토리가 이미 존재", e);
        } catch (IOException e) {
            log.error("메시지 폴더 생성 오류", e);
        }
@@ -102,7 +102,7 @@ public class MessageSourceFiles {
            try (FileOutputStream out = new FileOutputStream(propFile)) {
                prop.store(out, "messages");
            } catch (IOException e) {
-                log.error("Messages FileOutputStream IOException = {}, {}", e.getMessage(), e.getCause());
+                log.error("Messages FileOutputStream IOException", e);
            }
            // files
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/service/attachment/AttachmentService.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/service/attachment/AttachmentService.java
@@ -113,7 +113,7 @@ public class AttachmentService extends AbstractService {
     * @param editorRequestDto
     * @return
     */
-    public AttachmentEditorResponseDto uploadEditor(AttachmentBase64RequestDto editorRequestDto) {
+    public AttachmentEditorResponseDto uploadEditor(AttachmentBase64RequestDto editorRequestDto) throws BusinessMessageException {
        String fileBase64 = editorRequestDto.getFileBase64();
        if (fileBase64 == null || fileBase64.equals("")) {
@@ -158,7 +158,7 @@ public class AttachmentService extends AbstractService {
     * @return
     */
    @Transactional(readOnly = true)
-    public AttachmentImageResponseDto loadImageByUniqueId(String uniqueId) {
+    public AttachmentImageResponseDto loadImageByUniqueId(String uniqueId) throws EntityNotFoundException {
        Attachment attachment = attachmentRepository.findAllByUniqueId(uniqueId)
                // 파일을 찾을 수 없습니다.
                .orElseThrow(() -> new EntityNotFoundException(getMessage("valid.file.not_found") + " ID= " + uniqueId));
@@ -172,7 +172,7 @@ public class AttachmentService extends AbstractService {
     * @param uniqueId
     * @return
     */
-    public AttachmentDownloadResponseDto downloadFile(String uniqueId) {
+    public AttachmentDownloadResponseDto downloadFile(String uniqueId) throws EntityNotFoundException, BusinessMessageException {
        Attachment attachment = attachmentRepository.findAllByUniqueId(uniqueId)
                // 파일을 찾을 수 없습니다.
                .orElseThrow(() -> new EntityNotFoundException(getMessage("valid.file.not_found") + " ID= " + uniqueId));
@@ -212,7 +212,7 @@ public class AttachmentService extends AbstractService {
     * @param uniqueId
     * @return
     */
-    public AttachmentDownloadResponseDto downloadAttachment(String uniqueId) {
+    public AttachmentDownloadResponseDto downloadAttachment(String uniqueId) throws EntityNotFoundException {
        Attachment attachment = attachmentRepository.findAllByUniqueId(uniqueId)
                // 파일을 찾을 수 없습니다.
                .orElseThrow(() -> new EntityNotFoundException(getMessage("valid.file.not_found") + " ID= " + uniqueId));
@@ -272,7 +272,7 @@ public class AttachmentService extends AbstractService {
     * @param saveRequestDtoList
     * @return
     */
-    public String saveByCode(String attachmentCode, List<AttachmentTempSaveRequestDto> saveRequestDtoList) {
+    public String saveByCode(String attachmentCode, List<AttachmentTempSaveRequestDto> saveRequestDtoList) throws EntityNotFoundException {
        for (AttachmentTempSaveRequestDto saveRequestDto : saveRequestDtoList) {
            // 사용자 삭제인 경우 삭제여부 Y
            if (saveRequestDto.isDelete()) {
@@ -322,7 +322,7 @@ public class AttachmentService extends AbstractService {
     * @param isDelete
     * @return
     */
-    public String toggleDelete(String uniqueId, boolean isDelete) {
+    public String toggleDelete(String uniqueId, boolean isDelete) throws EntityNotFoundException {
        Attachment attachment = attachmentRepository.findAllByUniqueId(uniqueId)
                // 파일을 찾을 수 없습니다.
                .orElseThrow(() -> new EntityNotFoundException(getMessage("valid.file.not_found") + " ID= " + uniqueId));
@@ -336,7 +336,7 @@ public class AttachmentService extends AbstractService {
     *
     * @param uniqueId
     */
-    public void delete(String uniqueId) {
+    public void delete(String uniqueId) throws EntityNotFoundException {
        Attachment attachment = attachmentRepository.findAllByUniqueId(uniqueId)
                // 파일을 찾을 수 없습니다.
                .orElseThrow(() -> new EntityNotFoundException(getMessage("valid.file.not_found") + " ID= " + uniqueId));
@@ -400,7 +400,7 @@ public class AttachmentService extends AbstractService {
    public String uploadAndUpdate(List<MultipartFile> files,
                                  String attachmentCode,
                                  AttachmentUploadRequestDto uploadRequestDto,
-                                  List<AttachmentUpdateRequestDto> updateRequestDtoList) {
+                                  List<AttachmentUpdateRequestDto> updateRequestDtoList) throws EntityNotFoundException {
        String basePath = LocalDateTime.now().format(DateTimeFormatter.ofPattern("yyyyMM"));
        // 기존 파일 삭제 처리
@@ -466,7 +466,7 @@ public class AttachmentService extends AbstractService {
     *
     * @param attachmentCode
     */
-    public void deleteAllEmptyEntity(String attachmentCode) {
+    public void deleteAllEmptyEntity(String attachmentCode) throws EntityNotFoundException, BusinessMessageException {
        List<Attachment> attachmentList = attachmentRepository.findByCode(attachmentCode);
        if (attachmentList == null || attachmentList.size() <= 0) {
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/service/code/CodeService.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/service/code/CodeService.java
@@ -46,7 +46,7 @@ public class CodeService extends AbstractService {
     * @param codeId
     * @return
     */
-    public CodeResponseDto findByCodeId(String codeId) {
+    public CodeResponseDto findByCodeId(String codeId) throws EntityNotFoundException {
        Code code = codeRepository.findByCodeId(codeId)
                .orElseThrow(() -> new EntityNotFoundException("해당 데이터가 존재하지 않습니다. ID =" + codeId));
        return new CodeResponseDto(code);
@@ -59,7 +59,7 @@ public class CodeService extends AbstractService {
     * @return
     */
    @Transactional
-    public String save(CodeSaveRequestDto saveRequestDto) {
+    public String save(CodeSaveRequestDto saveRequestDto) throws BusinessException {
        Optional<Code> byCodeId = codeRepository.findByCodeId(saveRequestDto.getCodeId());
        if (byCodeId.isPresent()) {
            throw new BusinessException("코드ID 중복 : " + byCodeId, ErrorCode.DUPLICATE_INPUT_INVALID);
@@ -75,7 +75,7 @@ public class CodeService extends AbstractService {
     * @return
     */
    @Transactional
-    public String update(String codeId, CodeUpdateRequestDto requestDto) {
+    public String update(String codeId, CodeUpdateRequestDto requestDto) throws EntityNotFoundException {
        Code code = codeRepository.findByCodeId(codeId)
                .orElseThrow(() -> new EntityNotFoundException("해당 데이터가 존재하지 않습니다. ID =" + codeId));
@@ -90,7 +90,7 @@ public class CodeService extends AbstractService {
     * @param codeId
     */
    @Transactional
-    public void delete(String codeId) {
+    public void delete(String codeId) throws BusinessMessageException {
        Code code = codeRepository.findByCodeId(codeId)
                .orElseThrow(() -> new EntityNotFoundException("해당 데이터가 존재하지 않습니다. ID =" + codeId));
@@ -111,7 +111,7 @@ public class CodeService extends AbstractService {
     * @return
     */
    @Transactional
-    public String updateUseAt(String codeId, boolean useAt) {
+    public String updateUseAt(String codeId, boolean useAt) throws EntityNotFoundException {
        Code code = codeRepository.findByCodeId(codeId)
                .orElseThrow(() -> new EntityNotFoundException("해당 데이터가 존재하지 않습니다. ID =" + codeId));
--- a/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/utils/FileStorageUtils.java
+++ b/backend/portal-service/src/main/java/org/egovframe/cloud/portalservice/utils/FileStorageUtils.java
@@ -149,9 +149,9 @@ public class FileStorageUtils implements StorageUtils {
            Base64.Decoder decoder = Base64.getDecoder();
            byte[] decodeBytes = decoder.decode(requestDto.getFileBase64().getBytes());
-            FileOutputStream outputStream = new FileOutputStream(file);
+            try (FileOutputStream outputStream = new FileOutputStream(file)) {
-            outputStream.write(decodeBytes);
+                outputStream.write(decodeBytes);
-            outputStream.close();
+            }
            return filename;
@@ -285,20 +285,20 @@ public class FileStorageUtils implements StorageUtils {
    public AttachmentImageResponseDto loadImage(String imagename) {
        try {
            Path imagePath = this.fileStorageLocation.resolve(imagename).normalize();
-            InputStream is = new FileInputStream(imagePath.toFile());
+            try (InputStream is = new FileInputStream(imagePath.toFile())) {
                ByteArrayOutputStream buffer = new ByteArrayOutputStream();
                int read;
                byte[] data = new byte[(int) imagePath.toFile().length()];
                while ((read = is.read(data, 0, data.length)) != -1) {
                    buffer.write(data, 0, read);
                }
-            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+                return AttachmentImageResponseDto.builder()
-            int read;
+                        .mimeType(getContentType(imagename))
-            byte[] data = new byte[(int) imagePath.toFile().length()];
+                        .data(data)
-            while ((read = is.read(data, 0, data.length)) != -1) {
+                        .build();
                buffer.write(data, 0, read);
            }
            is.close();
            return AttachmentImageResponseDto.builder()
                    .mimeType(getContentType(imagename))
                    .data(data)
                    .build();
        } catch (FileNotFoundException | NoSuchFileException ex) {
            // 파일을 찾을 수 없습니다.
            throw new BusinessMessageException(messageUtil.getMessage("valid.file.not_found"));
--- a/backend/user-service/src/main/java/org/egovframe/cloud/userservice/api/user/UserApiController.java
+++ b/backend/user-service/src/main/java/org/egovframe/cloud/userservice/api/user/UserApiController.java
@@ -225,7 +225,7 @@ public class UserApiController {
     * @return String 사용자 id
     */
    @PutMapping("/api/v1/users/info/{userId}")
-    public String updateInfo(@PathVariable String userId, @RequestBody @Valid UserUpdateInfoRequestDto requestDto) {
+    public String updateInfo(@PathVariable String userId, @RequestBody @Valid UserUpdateInfoRequestDto requestDto) throws BusinessMessageException {
        final String authUserId = SecurityContextHolder.getContext().getAuthentication().getName();
        if (!authUserId.equals(userId)) {
            throw new BusinessMessageException(messageUtil.getMessage("err.access.denied"));
--- a/backend/user-service/src/main/java/org/egovframe/cloud/userservice/config/UserPasswordChangeEmailTemplate.java
+++ b/backend/user-service/src/main/java/org/egovframe/cloud/userservice/config/UserPasswordChangeEmailTemplate.java
@@ -5,7 +5,7 @@ public class UserPasswordChangeEmailTemplate {
    /**
     * 객체 생성 금지
     */
-    private UserPasswordChangeEmailTemplate() {
+    private UserPasswordChangeEmailTemplate() throws IllegalStateException {
        throw new IllegalStateException("user password change email template class");
    }
--- a/backend/user-service/src/main/java/org/egovframe/cloud/userservice/domain/role/Authorization.java
+++ b/backend/user-service/src/main/java/org/egovframe/cloud/userservice/domain/role/Authorization.java
@@ -10,6 +10,7 @@ import org.hibernate.annotations.OnDelete;
 import org.hibernate.annotations.OnDeleteAction;
 import javax.persistence.*;
 import java.util.ArrayList;
 import java.util.List;
 /**
@@ -89,7 +90,7 @@ public class Authorization extends BaseEntity {
        this.urlPatternValue = urlPatternValue;
        this.httpMethodCode = httpMethodCode;
        this.sortSeq = sortSeq;
-        this.roleAuthorizations = roleAuthorizations;
+        this.roleAuthorizations = new ArrayList<>(roleAuthorizations);
    }
    /**
--- a/backend/user-service/src/main/java/org/egovframe/cloud/userservice/service/user/UserService.java
+++ b/backend/user-service/src/main/java/org/egovframe/cloud/userservice/service/user/UserService.java
@@ -596,32 +596,9 @@ public class UserService extends AbstractService implements UserDetailsService {
     */
    @Transactional
    public UserResponseDto loadUserBySocial(UserLoginRequestDto requestDto) {
        /*SocialUserResponseDto socialUserDto = getSocialUserInfo(requestDto.getProvider(), requestDto.getToken());
        UserResponseDto userDto = getAndSaveSocialUser(requestDto.getProvider(), socialUserDto);
        if (userDto == null) {
            throw new BusinessMessageException(getMessage("err.user.join.social"));
        }
        if (!UserStateCode.NORMAL.getKey().equals(userDto.getUserStateCode())) {
            throw new BusinessMessageException(getMessage("err.user.state.cantlogin"));
        }
        return userDto;*/
        SocialUserResponseDto socialUserResponseDto = getSocialUserInfo(requestDto.getProvider(), requestDto.getToken());
        User user = findSocialUser(requestDto.getProvider(), socialUserResponseDto.getId());
        /*// 이메일이 없는 사용자가 이메일을 직접입력하고 나중에 원래 이메일을 가지고 있는 사용자가 다른 접근할 경우 문제가 생길 수 있음
        if (user == null && socialUserResponseDto.getEmail() != null) {
            user = userRepository.findByEmail(socialUserResponseDto.getEmail()).orElse(null);
            // 공급자 id로 조회되지 않지만 이메일로 조회되는 경우 공급자 id 등록
            if (user != null) {
                user.setSocial(requestDto.getProvider(), socialUserResponseDto.getId());
            }
        }*/
        if (user == null) {
            throw new BusinessException(ErrorCode.REQUIRE_USER_JOIN);
        }