
취약점 처리

huiwon.seo 4 jaren geleden
bovenliggende
commit
3db3896aa5

+ 39 - 2
src/main/java/com/lemon/lifecenter/controller/BoardController.java

@@ -1,8 +1,6 @@
 package com.lemon.lifecenter.controller;
 
 import java.io.File;
-import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@@ -112,6 +110,17 @@ public class BoardController extends LifeCenterController {
 //            return "/common/blank";
 //        }
         
+        String noticeInsertTime = LifeCenterSessionController.getSession(request, "noticeInsertTime");
+        long time = LifeCenterFunction.getNowUnixTimeStamp();
+        if( noticeInsertTime != null && !noticeInsertTime.equals( "" ) ) {
+            long i = Long.parseLong( noticeInsertTime );
+            
+            if( ( time - i  ) < 61 ) {
+                LifeCenterFunction.scriptMessage( response, "alertBox({ txt : '<font style=\"color:red\">자동화공격방지</font><br/>게시글 작성 후 60초 동안 작성이 불가능 합니다<br/>"+( 61 - ( time - i  ) )+"초 이후 작성 가능', callBack : function(){ history.back(); } });" );
+                return "/common/blank";
+            }
+        }
+        
         if (file.isEmpty() == false) {
             UUID uuid = UUID.randomUUID();
             String fileName = file.getOriginalFilename();
@@ -119,6 +128,19 @@ public class BoardController extends LifeCenterController {
             String ext = FilenameUtils.getExtension(fileName);
             String saveFileName = uuid + "." + ext;
             
+            final String[] PERMISSION_FILE_EXT_ARR = {"gif","png","jpg","jpeg","doc","docx","xls","xlsx","hwp","pdf", "txt"};
+            boolean extFlag = false;
+            for( int i = 0; i < PERMISSION_FILE_EXT_ARR.length; i++ ) {
+                if( PERMISSION_FILE_EXT_ARR[i].equals( ext.toLowerCase() ) ) {
+                    extFlag = true;
+                }
+            }
+            
+            if( extFlag == false ) {
+                LifeCenterFunction.scriptMessage( response, "alertBox({ txt : \"등록할수 없는 확장자입니다.<br/>.gif, .jpg, .png, .jpeg, .doc, .docx, .xls, .xlsx, .hwp, .pdf, .txt 확장자만 등록가능\", callBack : function(){ history.back(); } });" );
+                return "/common/blank";
+            }
+            
             try {
                 String tempPath = config.filePath;
                 File saveFile = new File(tempPath, saveFileName);
@@ -160,6 +182,8 @@ public class BoardController extends LifeCenterController {
             }
         }
         
+        LifeCenterSessionController.setSession( request, "noticeInsertTime", String.valueOf( time ) );
+        
         return "redirect:/notice/content?postSeq=" + dto.getPostSeq();
     }
     
@@ -398,6 +422,17 @@ public class BoardController extends LifeCenterController {
             MultipartFile file) {
         String sesId = LifeCenterSessionController.getSession(request, "sesId");
         
+        String qnaInsertTime = LifeCenterSessionController.getSession(request, "qnaInsertTime");
+        long time = LifeCenterFunction.getNowUnixTimeStamp();
+        if( qnaInsertTime != null && !qnaInsertTime.equals( "" ) ) {
+            long i = Long.parseLong( qnaInsertTime );
+            
+            if( ( time - i  ) < 61 ) {
+                LifeCenterFunction.scriptMessage( response, "alertBox({ txt : '<font style=\"color:red\">자동화공격방지</font><br/>게시글 작성 후 60초 동안 작성이 불가능 합니다<br/>"+( 61 - ( time - i  ) )+"초 이후 작성 가능', callBack : function(){ history.back(); } });" );
+                return "/common/blank";
+            }
+        }
+        
         if (file.isEmpty() == false) {
             UUID uuid = UUID.randomUUID();
             String fileName = file.getOriginalFilename();
@@ -446,6 +481,8 @@ public class BoardController extends LifeCenterController {
             }
         }
         
+        LifeCenterSessionController.setSession( request, "qnaInsertTime", String.valueOf( time ) );
+        
         return "redirect:/qna/content?postSeq=" + dto.getPostSeq();
     }
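Review bot: The allowlist check in the `extFlag` loop calls `ext.toLowerCase()` with the default locale and assumes `ext` is non-null, but `FilenameUtils.getExtension(fileName)` returns null when `getOriginalFilename()` is null, and under a Turkish default locale `GIF` lowercases to `gıf`, so a valid upload is rejected; a null guard plus `Locale.ROOT` fixes both and removes the loop that never breaks, e.g. `if (ext == null || !Arrays.asList(PERMISSION_FILE_EXT_ARR).contains(ext.toLowerCase(Locale.ROOT)))` with `java.util.Arrays` and `java.util.Locale` imported. The check inspects only the client-supplied name, not the content, so how stored files are later served (Content-Type, Content-Disposition) still matters and is outside this commit. The throttle compares `( time - i ) < 61` while the message tells the user 60 seconds; either use `< 60` or align the text. The identical throttle block appears in both the `noticeInsertTime` and `qnaInsertTime` hunks and would be cleaner as one private helper taking the session key, which also keeps the `Long.parseLong` of the session value in one place. The enclosing handler methods start and end outside these hunks.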
     

+ 9 - 4
src/main/webapp/WEB-INF/jsp/include/paging.jsp

@@ -1,21 +1,26 @@
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
+
+<c:set value='${param.url}' var="pagingUrl" />
+<c:set value='${param.preFix}' var="pagingPreFix" />
+
 
 <c:if test="${param.total > 0 && param.endPageNo > 1}">
 <nav aria-label="Page navigation">
     <ul class="pagination pagination-mb">
-        <li class="page-item"><a class="page-link" href="?${param.url}&${param.preFix}=${param.prevPageNo}"><i class="fas fa-angle-left"></i></a></li>
+        <li class="page-item"><a class="page-link" href="?${fn:escapeXml(pagingUrl)}&${fn:escapeXml(pagingPreFix)}=${param.prevPageNo}"><i class="fas fa-angle-left"></i></a></li>
         <c:forEach var="i" begin="${param.startPageNo}" end="${param.endPageNo}" step="1">
             <c:choose>
                 <c:when test="${i eq param.pageNo}">
-                    <li class="page-item active"><a class="page-link" href="?${param.url}&${param.preFix}=${i}">${i}</a></li>
+                    <li class="page-item active"><a class="page-link" href="?${fn:escapeXml(pagingUrl)}&${fn:escapeXml(pagingPreFix)}=${i}">${i}</a></li>
                 </c:when>
                 <c:otherwise>
-                    <li class="page-item"><a class="page-link" href="?${param.url}&${param.preFix}=${i}">${i}</a></li>
+                    <li class="page-item"><a class="page-link" href="?${fn:escapeXml(pagingUrl)}&${fn:escapeXml(pagingPreFix)}=${i}">${i}</a></li>
                 </c:otherwise>
             </c:choose>
         </c:forEach>
-        <li class="page-item"><a class="page-link" href="?${param.url}&${param.preFix}=${param.nextPageNo}"><i class="fas fa-angle-right"></i></a></li>
+        <li class="page-item"><a class="page-link" href="?${fn:escapeXml(pagingUrl)}&${fn:escapeXml(pagingPreFix)}=${param.nextPageNo}"><i class="fas fa-angle-right"></i></a></li>
     </ul>
 </nav>
 </c:if>
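Review bot: `${param.prevPageNo}` and `${param.nextPageNo}` on the first and last `page-link` lines are still written into `href` unescaped, while `pagingUrl` and `pagingPreFix` on the same lines now go through `fn:escapeXml`; they come from the same `param` map and should be treated the same way, e.g. `${fn:escapeXml(param.prevPageNo)}` and `${fn:escapeXml(param.nextPageNo)}`. The loop variable `i` is safe because `c:forEach` coerces `begin`/`end` to integers. The two new `<c:set>` lines only alias `param.url` and `param.preFix`; a short comment such as `<%-- escaped below; never emit param.url raw --%>` would tell the next editor why the aliases exist, and the extra blank line after them can go.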

+ 8 - 1
src/main/webapp/WEB-INF/jsp/notice/new.jsp

@@ -44,7 +44,14 @@ $( function(){
 function checkFile(el){
     // files 로 해당 파일 정보 얻기.
     var file = el.files;
-
+    var ext = $( el ).val().split('.').pop().toLowerCase();
+    //.gif, .jpg, .png, .jpeg, .doc, .docx, .xls, .xlsx, .hwp, .pdf 확장자 체크
+//     if($.inArray(ext, ['gif','png','jpg','jpeg','doc','docx','xls','xlsx','hwp','pdf', 'txt']) == -1) {
+//       alertBox({ txt : "등록할수 없는 확장자입니다.<br/>.gif, .jpg, .png, .jpeg, .doc, .docx, .xls, .xlsx, .hwp, .pdf, .txt 확장자만 등록가능" });
+//       $( el ).val("");
+//       return false;
+//     }
+    
     // file[0].size 는 파일 용량 정보입니다.
     if(file[0].size > 1024 * 1024 * 10){
         // 용량 초과시 경고후 해당 파일의 용량도 보여줌
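Review bot: `var ext = $( el ).val().split('.').pop().toLowerCase();` is assigned but never read, because the `$.inArray` check that used it is committed as a comment, so the hunk adds dead code; either restore the check (as a usability hint in front of the server-side allowlist this commit adds in BoardController) or remove both the variable and the commented-out block rather than leaving it as a reminder. If it is restored, `split('.').pop()` on a name without a dot yields the whole name, which the allowlist correctly rejects. The enclosing `checkFile` function continues past the hunk.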

+ 1 - 1
src/main/webapp/WEB-INF/jsp/staff/list.jsp

@@ -53,7 +53,7 @@
                                                             </select>
                                                         </div>
                                                         <div class="col-6">
-                                                            <input type="text" class="form-control" name="sData" value="${sData}" placeholder="">
+                                                            <input type="text" class="form-control" name="sData" value='<c:out value="${sData}"/>' placeholder="">
                                                         </div>
                                                     </div>
                                                 </td>
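Review bot: The switch to single-quoted `value='<c:out value="${sData}"/>'` is unnecessary, since `<c:out>` escapes `"` to `&#034;` by default; keeping `value="<c:out value="${sData}"/>"` matches the quoting style used on the other inputs in this commit (for example staffTotal/edit.jsp) and avoids a second quoting convention in the same form. The fix itself is correct as a way to emit `sData` into the attribute.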

+ 1 - 1
src/main/webapp/WEB-INF/jsp/staffTotal/edit.jsp

@@ -139,7 +139,7 @@ $( function(){
                                                     <td>정원</td>
                                                     <td><input type="text" name="staffCapacity" class="form-control text-center" value="<c:out value="${list.staffCapacity}" />"></td>
                                                     <td><input type="text" name="unavailableTotal" class="form-control text-center" value="<c:out value="${list.unavailableTotal}" />" placeholder="0"></td>
-                                                    <td><input type="text" name="unavailableNote" class="form-control text-left" value="<c:out value="${list.unavailableNote}" />"></td>
+                                                    <td><input type="text" name="unavailableNote" class="form-control text-left" placeholder="40자 까지 입력가능" maxlength="40" value="<c:out value="${list.unavailableNote}" />"></td>
                                                 </tr>
                                             </tbody>
                                         </table>
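Review bot: `maxlength="40"` on `unavailableNote` is enforced only by the browser; whether the handler that stores `unavailableNote` also checks the 40-character limit against its column length is not visible in this commit and should be confirmed, since the placeholder text promises that limit to the user. A short JSP comment next to the input, `<%-- 40-char limit must match server-side validation --%>`, would keep the two in step.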