Fix: 24년 보안패치

.gitignore

@@ -37,3 +37,4 @@ bin/
 
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml #
 hs_err_pid*
+/.factorypath

src/main/java/egovframework/com/cmm/resolver/EgovSecurityArgumentResolver.java

@@ -0,0 +1,51 @@
+package egovframework.com.cmm.resolver;
+
+import java.util.Iterator;
+
+import org.springframework.core.MethodParameter;
+import org.springframework.web.bind.support.WebDataBinderFactory;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.method.support.ModelAndViewContainer;
+
+/**
+ * Map타입 적용 파라미터 복호화를 위한 Custom ArgumentResolver 클래스
+ * 
+ * @author 표준프레임워크팀 이삼섭
+ * @since 2024.07.09
+ * @version 1.0
+ * @see
+ *
+ *      <pre>
+ * << 개정이력(Modification Information) >>
+ *
+ *   수정일          수정자        수정내용
+ *  ----------     --------    ---------------------------
+ *  2024.07.09     신용호        Map 타입에서 noteId 복호화 적용을 위한 ArgumentResolver 추가
+ *
+ *      </pre>
+ */
+
+public class EgovSecurityArgumentResolver implements HandlerMethodArgumentResolver {
+
+	@Override
+	public boolean supportsParameter(MethodParameter parameter) {
+
+		return EgovSecurityMap.class.isAssignableFrom(parameter.getParameterType());
+	}
+
+	@Override 
+	public Object resolveArgument(MethodParameter parameter
+									, ModelAndViewContainer mavContainer
+									, NativeWebRequest webRequest
+									, WebDataBinderFactory binderFactory) throws Exception {
+
+		EgovSecurityMap securityMap = new EgovSecurityMap();
+		for(Iterator<String> iterator = webRequest.getParameterNames(); iterator.hasNext();) {
+			String key = iterator.next();
+			securityMap.put(key, webRequest.getParameter(key));
+		}
+		return securityMap;
+	}
+
+}

src/main/java/egovframework/com/cmm/resolver/EgovSecurityMap.java

@@ -0,0 +1,57 @@
+package egovframework.com.cmm.resolver;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import egovframework.com.cmm.web.EgovComUtlController;
+
+/**
+ * Map타입 적용 파라미터 복호화를 위한 EgovSecurityMap 클래스
+ * 
+ * @author 표준프레임워크팀 신용호
+ * @since 2024.07.09
+ * @version 4.2
+ * @see
+ *
+ *      <pre>
+ * << 개정이력(Modification Information) >>
+ *
+ *   수정일          수정자        수정내용
+ *  ----------     --------    ---------------------------
+ *  2024.07.09     신용호        Map 타입에서 noteId 복호화 적용을 위한 EgovSecurityMap 추가
+ *
+ *      </pre>
+ */
+
+public class EgovSecurityMap {
+
+	private static final Logger LOGGER = LoggerFactory.getLogger(EgovSecurityMap.class);
+	Map<String, String> map = new HashMap<String, String>();
+
+	public String get(String key) {
+
+		return map.get(key);
+	}
+
+	public void put(String key, String value) {
+		// 특정 암호화된 파라미터 복호화 처리
+		switch (key) {
+			case "noteId":
+			case "noteTrnsmitId":
+			case "noteRecptnId":
+			case "reprtId":
+				LOGGER.debug("===> {} : {}",key,value);
+				value = EgovComUtlController.decryptId(value);
+				break;
+		}
+		map.put(key, value);
+	}
+
+	public String toString() {
+		return map.toString();
+	}
+
+}

src/main/java/egovframework/com/cmm/web/EgovBindingInitializer.java

@@ -22,6 +22,7 @@
  *   수정일          수정자        수정내용
  *  ----------     --------    ---------------------------
  *  2022.12.22     신용호        atchFileId 파라미터 추가 보완
+ *  2024.07.05     신용호        reprtId/noteId/noteTrnsmitId/noteRecptnId 파라미터 추가 보완
  *
  *      </pre>
  */
@@ -36,6 +37,11 @@ public void initBinder(WebDataBinder binder) {
 		binder.registerCustomEditor(String.class, new StringTrimmerEditor(false));
 
 		binder.registerCustomEditor(String.class, "atchFileId", new EgovAtchFileIdPropertyEditor());
+
+		binder.registerCustomEditor(String.class, "reprtId", new EgovCipherIdPropertyEditor()); // 메모보고/주간/월간 보고
+		binder.registerCustomEditor(String.class, "noteId", new EgovCipherIdPropertyEditor()); // 쪽지관리
+		binder.registerCustomEditor(String.class, "noteTrnsmitId", new EgovCipherIdPropertyEditor()); // 쪽지관리
+		binder.registerCustomEditor(String.class, "noteRecptnId", new EgovCipherIdPropertyEditor()); // 쪽지관리
 	}
 
 }

src/main/java/egovframework/com/cmm/web/EgovCipherIdPropertyEditor.java

@@ -0,0 +1,37 @@
+package egovframework.com.cmm.web;
+
+import java.beans.PropertyEditorSupport;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+class EgovCipherIdPropertyEditor extends PropertyEditorSupport {
+
+	private static final Logger LOGGER = LoggerFactory.getLogger(EgovCipherIdPropertyEditor.class);
+
+	public void setAsText(String text) throws IllegalArgumentException {
+		LOGGER.debug("===>>> setText : "+text);
+		String decryptText = "";
+		if (text != null && !"".equals(text) ) {
+			try {
+				String encText = URLEncoder.encode(text, StandardCharsets.UTF_8.name());
+				decryptText = EgovComUtlController.decryptId(encText);
+			} catch (Exception e) {
+				LOGGER.debug(e.getMessage());
+				decryptText = "CIPHER_ID_DECRIPT_EXCEPTION_01";
+			}
+		}
+		this.setValue(decryptText);
+
+	}
+
+
+	public String getAsText() {
+		LOGGER.debug("===>>> getText : "+getValue());
+		return String.valueOf(getValue());
+
+	}		
+
+}

src/main/java/egovframework/com/cmm/web/EgovComUtlController.java

@@ -1,19 +1,21 @@
 package egovframework.com.cmm.web;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 
 import javax.annotation.Resource;
 
+import org.egovframe.rte.fdl.cryptography.EgovEnvCryptoService;
+import org.egovframe.rte.fdl.property.EgovPropertyService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 
-import com.raonsecure.omnione.core.eoscommander.util.StringUtils;
-
 import egovframework.com.cmm.EgovWebUtil;
-import org.egovframe.rte.fdl.property.EgovPropertyService;
 
 /**
  * @Class Name : EgovComUtlController.java
@@ -28,6 +30,7 @@
  *   2019.04.25  신용호      moveToPage() 화이트리스트 처리
  *   2022.11.11  김혜준      시큐어코딩 처리
  *   2023.05.23  신용호      moveToPage() 추가 보완 조치
+ *   2024.07.08  신용호      decryptId(), encryptId() 추가
  *
  *  @author 공통서비스 개발팀 조재영
  *  @since 2009.03.02
@@ -42,13 +45,23 @@ public class EgovComUtlController {
     //private EgovUserManageService egovUserManageService;
 	private static final Logger LOGGER = LoggerFactory.getLogger(EgovComUtlController.class);
 
+	/** 암호화서비스 */
+	private static EgovEnvCryptoService cryptoService;
+
+
 	@Resource(name = "egovPageLinkWhitelist")
     protected List<String> egovWhitelist;
 
     /** EgovPropertyService */
     @Resource(name = "propertiesService")
     protected EgovPropertyService propertiesService;
 
+	@Resource(name = "egovEnvCryptoService")
+	public void setEgovEnvCryptoService(EgovEnvCryptoService cryptoService) {
+		this.cryptoService = cryptoService;
+	}
+
+
     /**
 	 * JSP 호출작업만 처리하는 공통 함수
 	 */
@@ -92,4 +105,41 @@ public String validate(){
 		return "egovframework/com/cmm/validator";
 	}
 
+
+	/**
+	 * 암호화 문자열을 복호화 하는 메서드.
+	 * @param source 암호화 문자열
+	 * @return 원본 문자열
+	 */
+	public static String decryptId(String base64CipherId) {
+		String returnVal = "CIPHER_ID_DECRIPT_EXCEPTION_02";
+		if (base64CipherId!=null && !"".equals(base64CipherId)) {
+			try {
+				returnVal = cryptoService.decrypt(base64CipherId);
+			} catch (Exception e) {
+				LOGGER.debug(e.getMessage());
+			}
+		}
+		return returnVal;
+	}
+
+	/**
+	 * 원본 문자열을 암호화 하는 메서드.
+	 * @param source 원본 문자열
+	 * @return 암호화 문자열(Base64 Format, UrlDecode)
+	 */
+	public static String encryptId(String plainTextId) {
+		String returnVal = "";
+		if (plainTextId!=null && !"".equals(plainTextId)) {
+			returnVal = cryptoService.encrypt(plainTextId);
+			try {
+				returnVal = URLDecoder.decode(returnVal, StandardCharsets.UTF_8.name());
+			} catch (UnsupportedEncodingException e) {
+				returnVal = "";
+				LOGGER.error("UrlDecode error when encrypting ID");
+			}
+		}
+		return returnVal;
+	}
+
 }

src/main/java/egovframework/com/cop/smt/mrm/service/EgovMemoReprtService.java

@@ -97,6 +97,6 @@ public interface EgovMemoReprtService {
 	 * 
 	 * @param memoReprt
 	 */
-	public void deleteMemoReprt(MemoReprt memoReprt) throws Exception;
+	public void deleteMemoReprt(MemoReprtVO memoReprtVO) throws Exception;
 
 }

src/main/java/egovframework/com/cop/smt/mrm/service/impl/EgovMemoReprtServiceImpl.java

@@ -168,8 +168,8 @@ public void insertMemoReprt(MemoReprt memoReprt) throws Exception{
 	 * 
 	 * @param memoReprt
 	 */
-	public void deleteMemoReprt(MemoReprt memoReprt) throws Exception{
-		memoReprtDAO.deleteMemoReprt(memoReprt);
+	public void deleteMemoReprt(MemoReprtVO memoReprtVO) throws Exception{
+		memoReprtDAO.deleteMemoReprt(memoReprtVO);
 	}
 
 }

src/main/java/egovframework/com/cop/smt/mrm/service/impl/MemoReprtDAO.java

@@ -149,8 +149,8 @@ public void insertMemoReprt(MemoReprt memoReprt) throws Exception{
 	 * 
 	 * @param memoReprt
 	 */
-	public void deleteMemoReprt(MemoReprt memoReprt) throws Exception{
-		delete("MemoReprtDAO.deleteMemoReprt", memoReprt);
+	public void deleteMemoReprt(MemoReprtVO memoReprtVO) throws Exception{
+		delete("MemoReprtDAO.deleteMemoReprt", memoReprtVO);
 	}
 
 	/**

src/main/java/egovframework/com/cop/smt/mrm/web/EgovMemoReprtController.java

@@ -181,17 +181,20 @@ public String selectMemoReprtList(@ModelAttribute("searchVO") MemoReprtVO memoRe
 	 */
     @RequestMapping("/cop/smt/mrm/selectMemoReprt.do")
 	public String selectMemoReprt(@ModelAttribute("memoReprtVO") MemoReprtVO memoReprtVO, ModelMap model) throws Exception{
-    	MemoReprt memoReprt = memoReprtService.selectMemoReprt(memoReprtVO);
-		model.addAttribute("memoReprt", memoReprt);
-
-    	// 1. 로그인 객체 선언
-		LoginVO loginVO = (LoginVO)EgovUserDetailsHelper.getAuthenticatedUser();
+
    	 	// KISA 보안취약점 조치 (2018-12-10, 신용호)
         Boolean isAuthenticated = EgovUserDetailsHelper.isAuthenticated();
 
         if(!isAuthenticated) {
             return "redirect:/uat/uia/egovLoginUsr.do";
         }
+
+        // 1. 로그인 객체 선언
+ 		LoginVO loginVO = (LoginVO)EgovUserDetailsHelper.getAuthenticatedUser();
+
+        memoReprtVO.setSearchId(loginVO == null ? "" : EgovStringUtil.isNullToString(loginVO.getUniqId()));
+        MemoReprt memoReprt = memoReprtService.selectMemoReprt(memoReprtVO);
+		model.addAttribute("memoReprt", memoReprt);
 
 		model.addAttribute("uniqId", loginVO == null ? "" : EgovStringUtil.isNullToString(loginVO.getUniqId()));
 
@@ -255,6 +258,11 @@ public String modifyMemoReprt(@ModelAttribute("memoReprtVO") MemoReprtVO memoRep
     		model.addAttribute("message", egovMessageSource.getMessage("fail.common.login"));
         	return "redirect:/uat/uia/egovLoginUsr.do";
     	}
+
+    	// 1. 로그인 객체 선언
+		LoginVO loginVO = (LoginVO)EgovUserDetailsHelper.getAuthenticatedUser();
+
+		memoReprtVO.setSearchId(loginVO == null ? "" : EgovStringUtil.isNullToString(loginVO.getUniqId()));
 
     	MemoReprtVO resultVO = memoReprtService.selectMemoReprt(memoReprtVO);
 		resultVO.setSearchCnd(memoReprtVO.getSearchCnd());
@@ -423,6 +431,11 @@ public String deleteMemoReprt(@ModelAttribute("memoReprtVO") MemoReprtVO memoRep
         	return "redirect:/uat/uia/egovLoginUsr.do";
     	}
 
+    	// 1. 로그인 객체 선언
+		LoginVO loginVO = (LoginVO)EgovUserDetailsHelper.getAuthenticatedUser();
+
+		memoReprtVO.setSearchId(loginVO == null ? "" : EgovStringUtil.isNullToString(loginVO.getUniqId()));
+
     	// 첨부파일 삭제를 위한 ID 생성 start....
 		String _atchFileId = memoReprtVO.getAtchFileId();