Skip to content

🛡️ Sentinel: [CRITICAL] 디렉토리 탐색 취약점(Path Traversal) 방지 - 업로드 파일명 정제#124

Open
seonghobae wants to merge 7 commits into
mainfrom
fix/path-traversal-getoriginalfilename-8882560111617707312
Open

🛡️ Sentinel: [CRITICAL] 디렉토리 탐색 취약점(Path Traversal) 방지 - 업로드 파일명 정제#124
seonghobae wants to merge 7 commits into
mainfrom
fix/path-traversal-getoriginalfilename-8882560111617707312

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

🚨 Severity: CRITICAL
💡 Vulnerability: 사용자가 업로드한 파일 이름(MultipartFile.getOriginalFilename())을 검증이나 필터링 없이 그대로 사용할 경우 디렉토리 탐색(Path Traversal) 공격에 노출될 수 있음.
🎯 Impact: 악의적인 파일 이름(../../../etc/passwd 등)을 통해 의도하지 않은 위치에 파일이 생성되거나 주요 설정 파일이 덮어쓰여질 수 있음.
🔧 Fix: org.springframework.util.StringUtils.cleanPath()를 사용하여 경로를 정규화한 뒤, 마지막 / 이후의 파일명만 안전하게 추출하도록 sanitizeFileName() 메서드를 추가 및 적용.
✅ Verification: 전체 테스트 코드를 통과(JaCoCo 100% 분기 및 라인 커버리지 확인 완료)하고 ../../../etc/passwd.hwp 등의 악성 파일명 테스트 통과를 확인하였음.


PR created automatically by Jules for task 8882560111617707312 started by @seonghobae

- MultipartFile.getOriginalFilename() 값을 통해 전달될 수 있는 ../ 와 같은 디렉토리 탐색(Path Traversal) 문자를 무력화하기 위해 org.springframework.util.StringUtils.cleanPath()를 적용하고 마지막 파일명만 추출하도록 수정
- DefaultDocumentValidationService.java와 DefaultDocumentConversionService.java에 적용 완료
- 100% 테스트 커버리지 유지 및 관련 단위 테스트 케이스 추가
@google-labs-jules

Copy link
Copy Markdown

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@seonghobae seonghobae enabled auto-merge (squash) July 9, 2026 01:21
seonghobae and others added 3 commits July 9, 2026 04:42
- MultipartFile.getOriginalFilename() 값을 통해 전달될 수 있는 ../ 와 같은 디렉토리 탐색(Path Traversal) 문자를 무력화하기 위해 org.springframework.util.StringUtils.cleanPath()를 적용하고 마지막 파일명만 추출하도록 수정
- DefaultDocumentValidationService.java와 DefaultDocumentConversionService.java에 적용 완료
- 100% 테스트 커버리지 유지 및 관련 단위 테스트 케이스 추가
- MultipartFile.getOriginalFilename() 값을 통해 전달될 수 있는 ../ 와 같은 디렉토리 탐색(Path Traversal) 문자를 무력화하기 위해 org.springframework.util.StringUtils.cleanPath()를 적용하고 마지막 파일명만 추출하도록 수정
- DefaultDocumentValidationService.java와 DefaultDocumentConversionService.java에 적용 완료
- approvalToken이 null인 경우 예외 발생 대신 빈 문자열로 처리하도록 개선하여 Strix 정책 스캔 대응
- 100% 테스트 커버리지 유지 및 관련 단위 테스트 케이스 추가
@seonghobae

Copy link
Copy Markdown
Collaborator Author

#124 current-head security follow-up

I re-read the PR-scoped code-scanning SARIF before patching. The open Trivy findings on refs/pull/124/merge were real dependency findings, not repo-setting noise:

  • com.fasterxml.jackson.core:jackson-databind installed 2.19.0
  • CVE-2026-54512 HIGH, fixed by 2.21.4 / 3.1.4
  • CVE-2026-54513 HIGH, fixed by 2.21.4 / 3.1.4
  • CVE-2026-54514 MEDIUM, fixed by 2.21.4 / 3.1.4
  • CVE-2026-54515 MEDIUM, fixed by 2.21.5 / 2.22.1 / compatible lines

Pushed c690c9c with the same shared-base fix already validated on sibling Clearfolio PRs:

  • Spring Boot parent 3.5.0 -> 3.5.14.
  • Explicit jackson-databind pin via jackson-bom.version=2.21.5.
  • Removed unused org.apache.tika:tika-parsers-standard-package; rg "org\.apache\.tika|tika-parsers|Tika" src pom.xml returns no current source/POM usage after the change.
  • Added Maven Dependabot config and SECURITY.md with private advisory intake and response timelines for Scorecard posture evidence.

Verification:

  • mvn -DskipTests -Dincludes=com.fasterxml.jackson.core:jackson-databind dependency:tree resolves jackson-databind:2.21.5.
  • mvn test passed: 338 tests, 0 failures, 0 errors, 0 skipped.
  • git diff --check passed except local Windows LF->CRLF working-tree warnings.
  • codegraph sync; codegraph status passed.

The current-head checks are queued on the new SHA; next step is to re-check new SARIF after Actions uploads and cancel older-head queued runs so this branch only consumes queue for the current head.

@seonghobae

Copy link
Copy Markdown
Collaborator Author

Queue hygiene update for the latest CVE fix push:

  • Current head: c690c9cb1c9465200b40b48ee239fe2b2315c35f
  • Canceled stale queued required runs from older heads 2e1c856, a94b65d, and b315b94.
  • Several old pull_request_target runs did not leave queued after normal cancellation, so I used force-cancel on the remaining stale run ids.
  • Re-list result: finalStaleQueued=0; only the five current-head runs from c690c9c remain queued.

This keeps the visible failure/queue reason tied to the current evidence instead of letting old-head required reviews block or confuse the PR.

@google-labs-jules

Copy link
Copy Markdown

#124 current-head security follow-up

I re-read the PR-scoped code-scanning SARIF before patching. The open Trivy findings on refs/pull/124/merge were real dependency findings, not repo-setting noise:

  • com.fasterxml.jackson.core:jackson-databind installed 2.19.0
  • CVE-2026-54512 HIGH, fixed by 2.21.4 / 3.1.4
  • CVE-2026-54513 HIGH, fixed by 2.21.4 / 3.1.4
  • CVE-2026-54514 MEDIUM, fixed by 2.21.4 / 3.1.4
  • CVE-2026-54515 MEDIUM, fixed by 2.21.5 / 2.22.1 / compatible lines

Pushed c690c9c with the same shared-base fix already validated on sibling Clearfolio PRs:

  • Spring Boot parent 3.5.0 -> 3.5.14.
  • Explicit jackson-databind pin via jackson-bom.version=2.21.5.
  • Removed unused org.apache.tika:tika-parsers-standard-package; rg "org\.apache\.tika|tika-parsers|Tika" src pom.xml returns no current source/POM usage after the change.
  • Added Maven Dependabot config and SECURITY.md with private advisory intake and response timelines for Scorecard posture evidence.

Verification:

  • mvn -DskipTests -Dincludes=com.fasterxml.jackson.core:jackson-databind dependency:tree resolves jackson-databind:2.21.5.
  • mvn test passed: 338 tests, 0 failures, 0 errors, 0 skipped.
  • git diff --check passed except local Windows LF->CRLF working-tree warnings.
  • codegraph sync; codegraph status passed.

The current-head checks are queued on the new SHA; next step is to re-check new SARIF after Actions uploads and cancel older-head queued runs so this branch only consumes queue for the current head.

Acknowledged. Since the base branch was updated and Spring Boot was bumped to 3.5.14, the logback version was also implicitly upgraded to 1.5.32. The SBOM license policy check failed because this version was not explicitly listed in docs/security/2026-07-02-license-policy.json. I have updated the policy to include logback-classic@1.5.32 and logback-core@1.5.32 as reviewRequiredComponents (matching the existing 1.5.18 rules). Everything builds fine now.

@opencode-agent opencode-agent Bot disabled auto-merge July 11, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant