CLAP-372 Feat: javascript 스키마 검증 로직 추가

joowojr · joowojr · commit 48aaec61fa90 · 2025-02-12T15:27:45.000+09:00
<footer> - 관련: #475
diff --git a/src/main/java/clap/server/adapter/inbound/xss/XssRequestWrapper.java b/src/main/java/clap/server/adapter/inbound/xss/XssRequestWrapper.java
@@ -7,7 +7,6 @@
 import org.jsoup.safety.Safelist;
 
 import java.util.Arrays;
-import java.util.Enumeration;
 import java.util.Optional;
 
 @Slf4j
@@ -29,44 +28,29 @@ public String[] getParameterValues(String parameter) {
     @Override
     public String getParameter(String parameter) {
         String value = super.getParameter(parameter);
-        log.info("Original parameter [{}]: {}", parameter, value);
-
         String sanitizedValue = Optional.ofNullable(value)
                 .map(this::sanitize)
                 .orElse(null);
-
+        log.info("Original parameter [{}]: {}", parameter, value);
         log.info("Sanitized parameter [{}]: {}", parameter, sanitizedValue);
         return sanitizedValue;
     }
 
     @Override
     public String getHeader(String name) {
-        String originalValue = super.getHeader(name);
-        String sanitizedValue = sanitize(originalValue);
-        log.debug("Original header [{}]: {}", name, originalValue);
-        log.debug("Sanitized header [{}]: {}", name, sanitizedValue);
-        return sanitizedValue;
-    }
-
-    @Override
-    public Enumeration<String> getHeaderNames() {
-        return new Enumeration<String>() {
-            private Enumeration<String> enum1 = XssRequestWrapper.super.getHeaderNames();
-            @Override
-            public boolean hasMoreElements() {
-                return enum1.hasMoreElements();
-            }
-            @Override
-            public String nextElement() {
-                return sanitize(enum1.nextElement());
-            }
-        };
+        return Optional.ofNullable(super.getHeader(name))
+                .map(this::sanitize)
+                .orElse(null);
     }
 
 
-    private String sanitize(String value) {
-        return Optional.ofNullable(value)
-            .map(str -> Jsoup.clean(str, Safelist.basic()))
-            .orElse(null);
+    public String sanitize(String value) {
+        if (value == null) {
+            return null;
+        }
+        if (value.toLowerCase().startsWith("javascript:")) {
+            return "";
+        }
+        return Jsoup.clean(value, Safelist.basic());
     }
 }
diff --git a/src/main/java/clap/server/config/jackson/JacksonConfig.java b/src/main/java/clap/server/config/jackson/JacksonConfig.java
@@ -31,6 +31,12 @@ public static class JsonHtmlXssDeserializer extends JsonDeserializer<String> {
         @Override
         public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
             String value = p.getText();
+            if (value == null) {
+                return null;
+            }
+            if (value.toLowerCase().startsWith("javascript:")) {
+                return "";
+            }
             return Jsoup.clean(value, Safelist.basic());
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,12 @@ public static class JsonHtmlXssDeserializer extends JsonDeserializer<String> {`
`31`	`31`	`@Override`
`32`	`32`	`public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {`
`33`	`33`	`String value = p.getText();`
	`34`	`+ if (value == null) {`
	`35`	`+ return null;`
	`36`	`+ }`
	`37`	`+ if (value.toLowerCase().startsWith("javascript:")) {`
	`38`	`+ return "";`
	`39`	`+ }`
`34`	`40`	`return Jsoup.clean(value, Safelist.basic());`
`35`	`41`	`}`
`36`	`42`	`}`