CLAP-372 Feat: XSS 공격 방지를 위한 Configuration 클래스 추가

joowojr · joowojr · commit 443da9515df5 · 2025-02-12T14:44:32.000+09:00
<footer> - 관련: #475
diff --git a/src/main/java/clap/server/config/jackson/JacksonConfig.java b/src/main/java/clap/server/config/jackson/JacksonConfig.java
@@ -0,0 +1,37 @@
+package clap.server.config.jackson;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import lombok.extern.slf4j.Slf4j;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Safelist;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.io.IOException;
+
+// XSS 방지를 위한 Jackson 설정
+@Slf4j
+@Configuration
+public class JacksonConfig {
+
+    @Bean
+    public ObjectMapper objectMapper() {
+        ObjectMapper mapper = new ObjectMapper();
+        SimpleModule module = new SimpleModule();
+        module.addDeserializer(String.class, new JsonHtmlXssDeserializer());
+        mapper.registerModule(module);
+        return mapper;
+    }
+
+    public static class JsonHtmlXssDeserializer extends JsonDeserializer<String> {
+        @Override
+        public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
+            String value = p.getText();
+            return Jsoup.clean(value, Safelist.basic());
+        }
+    }
+}
diff --git a/src/main/java/clap/server/config/web/WebConfig.java b/src/main/java/clap/server/config/web/WebConfig.java
@@ -0,0 +1,20 @@
+package clap.server.config.web;
+
+import clap.server.adapter.inbound.xss.XssPreventionFilter;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+
+@Configuration
+public class WebConfig {
+
+    @Bean
+    public FilterRegistrationBean<XssPreventionFilter> xssPreventionFilterRegistrationBean() {
+        FilterRegistrationBean<XssPreventionFilter> registrationBean = new FilterRegistrationBean<>();
+        registrationBean.setFilter(new XssPreventionFilter());
+        registrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
+        registrationBean.addUrlPatterns("/*");
+        return registrationBean;
+    }
+}
