fix: @DecodeHash의 raw numeric ID 통과 취약점 수정 및 검증 인터셉터 도입 (#55)

Author: ckdals4600

src/main/java/com/sofa/linkiving/domain/link/controller/LinkApi.java

@@ -149,7 +149,7 @@ BaseResponse<SummaryRes> updateSummary(
 	);
 
 	@Operation(summary = "요약 상태 조회", description = "링크 요약 상태를 조회합니다.")
-	BaseResponse<SummaryStatusRes<?>> getSummaryStatus(
+	BaseResponse<SummaryStatusRes> getSummaryStatus(
 		Long id,
 		Member member
 	);

src/main/java/com/sofa/linkiving/domain/link/controller/LinkController.java

@@ -189,11 +189,11 @@ public BaseResponse<Void> retrySummary(
 
 	@Override
 	@GetMapping("/{id}/summary-status")
-	public BaseResponse<SummaryStatusRes<?>> getSummaryStatus(
+	public BaseResponse<SummaryStatusRes> getSummaryStatus(
 		@PathVariable @DecodeHash Long id,
 		@AuthMember Member member
 	) {
-		SummaryStatusRes<?> response = linkFacade.getSummaryStatus(id, member);
+		SummaryStatusRes response = linkFacade.getSummaryStatus(id, member);
 		return BaseResponse.success(response, "요약 상태 조회 완료");
 	}
 }

src/main/java/com/sofa/linkiving/domain/link/dto/response/LinkCardRes.java

@@ -4,8 +4,8 @@
 import com.sofa.linkiving.domain.link.dto.internal.LinkDto;
 import com.sofa.linkiving.domain.link.entity.Link;
 import com.sofa.linkiving.domain.link.entity.Summary;
-import com.sofa.linkiving.global.config.jackson.HashidsSerializer;
 import com.sofa.linkiving.domain.link.enums.SummaryStatus;
+import com.sofa.linkiving.global.config.jackson.HashidsSerializer;
 
 import io.swagger.v3.oas.annotations.media.Schema;
 

src/main/java/com/sofa/linkiving/domain/link/dto/response/LinkDetailRes.java

@@ -4,8 +4,8 @@
 import com.sofa.linkiving.domain.link.dto.internal.LinkDto;
 import com.sofa.linkiving.domain.link.entity.Link;
 import com.sofa.linkiving.domain.link.entity.Summary;
-import com.sofa.linkiving.global.config.jackson.HashidsSerializer;
 import com.sofa.linkiving.domain.link.enums.SummaryStatus;
+import com.sofa.linkiving.global.config.jackson.HashidsSerializer;
 
 import io.swagger.v3.oas.annotations.media.Schema;
 

src/main/java/com/sofa/linkiving/domain/link/dto/response/LinkRes.java

@@ -2,8 +2,8 @@
 
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.sofa.linkiving.domain.link.entity.Link;
-import com.sofa.linkiving.global.config.jackson.HashidsSerializer;
 import com.sofa.linkiving.domain.link.enums.SummaryStatus;
+import com.sofa.linkiving.global.config.jackson.HashidsSerializer;
 
 import io.swagger.v3.oas.annotations.media.Schema;
 

src/main/java/com/sofa/linkiving/global/config/web/DecodeHashInterceptor.java

@@ -0,0 +1,88 @@
+package com.sofa.linkiving.global.config.web;
+
+import java.lang.reflect.Method;
+import java.lang.reflect.Parameter;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.springframework.stereotype.Component;
+import org.springframework.util.ClassUtils;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.HandlerMapping;
+
+import com.sofa.linkiving.global.config.annotation.DecodeHash;
+import com.sofa.linkiving.global.util.HashidsUtils;
+
+import jakarta.annotation.Nonnull;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@Component
+@RequiredArgsConstructor
+public class DecodeHashInterceptor implements HandlerInterceptor {
+
+	private final HashidsUtils hashidsUtils;
+
+	@Override
+	public boolean preHandle(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response,
+		@Nonnull Object handler) {
+		if (!(handler instanceof HandlerMethod handlerMethod)) {
+			return true;
+		}
+
+		Object attribute = request.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
+		Map<String, String> pathVars = new HashMap<>();
+
+		if (attribute instanceof Map<?, ?> map) {
+			for (Map.Entry<?, ?> entry : map.entrySet()) {
+				if (entry.getKey() instanceof String key && entry.getValue() instanceof String value) {
+					pathVars.put(key, value);
+				}
+			}
+		}
+
+		Method specificMethod = ClassUtils.getMostSpecificMethod(handlerMethod.getMethod(),
+			handlerMethod.getBeanType());
+
+		for (Parameter param : specificMethod.getParameters()) {
+
+			if (param.isAnnotationPresent(DecodeHash.class)) {
+				String rawValue = null;
+
+				if (param.isAnnotationPresent(PathVariable.class)) {
+					PathVariable pv = param.getAnnotation(PathVariable.class);
+					String name = StringUtils.hasText(pv.value()) ? pv.value() : pv.name();
+					if (!StringUtils.hasText(name)) {
+						name = param.getName();
+					}
+
+					if (name != null) {
+						rawValue = pathVars.get(name);
+					}
+				} else if (param.isAnnotationPresent(RequestParam.class)) {
+					RequestParam rp = param.getAnnotation(RequestParam.class);
+					String name = StringUtils.hasText(rp.value()) ? rp.value() : rp.name();
+					if (!StringUtils.hasText(name)) {
+						name = param.getName();
+					}
+
+					if (name != null) {
+						rawValue = request.getParameter(name);
+					}
+				}
+
+				if (StringUtils.hasText(rawValue)) {
+					hashidsUtils.decode(rawValue);
+				}
+			}
+		}
+		return true;
+	}
+}

src/main/java/com/sofa/linkiving/global/config/web/HashidsFormatterFactory.java

@@ -1,7 +1,5 @@
 package com.sofa.linkiving.global.config.web;
 
-import java.text.ParseException;
-import java.util.Locale;
 import java.util.Set;
 
 import org.springframework.format.AnnotationFormatterFactory;
@@ -12,6 +10,7 @@
 import com.sofa.linkiving.global.config.annotation.DecodeHash;
 import com.sofa.linkiving.global.util.HashidsUtils;
 
+import jakarta.annotation.Nonnull;
 import lombok.RequiredArgsConstructor;
 
 @Component
@@ -20,28 +19,21 @@ public class HashidsFormatterFactory implements AnnotationFormatterFactory<Decod
 
 	private final HashidsUtils hashidsUtils;
 
+	@Nonnull
 	@Override
 	public Set<Class<?>> getFieldTypes() {
 		return Set.of(Long.class);
 	}
 
+	@Nonnull
 	@Override
-	public Parser<?> getParser(DecodeHash annotation, Class<?> fieldType) {
-		return new Parser<Long>() {
-			@Override
-			public Long parse(String text, Locale locale) throws ParseException {
-				return hashidsUtils.decode(text);
-			}
-		};
+	public Parser<?> getParser(@Nonnull DecodeHash annotation, @Nonnull Class<?> fieldType) {
+		return (Parser<Long>)(text, locale) -> hashidsUtils.decode(text);
 	}
 
+	@Nonnull
 	@Override
-	public Printer<?> getPrinter(DecodeHash annotation, Class<?> fieldType) {
-		return new Printer<Long>() {
-			@Override
-			public String print(Long object, Locale locale) {
-				return hashidsUtils.encode(object);
-			}
-		};
+	public Printer<?> getPrinter(@Nonnull DecodeHash annotation, @Nonnull Class<?> fieldType) {
+		return (Printer<Long>)(object, locale) -> hashidsUtils.encode(object);
 	}
 }

src/main/java/com/sofa/linkiving/global/config/web/WebMvcConfig.java

@@ -8,6 +8,7 @@
 import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
 import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.config.annotation.AsyncSupportConfigurer;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import com.sofa.linkiving.security.resolver.AuthMemberArgumentResolver;
@@ -20,6 +21,7 @@ public class WebMvcConfig implements WebMvcConfigurer {
 
 	private final AuthMemberArgumentResolver authMemberArgumentResolver;
 	private final HashidsFormatterFactory hashidsFormatterFactory;
+	private final DecodeHashInterceptor decodeHashInterceptor;
 
 	@Override
 	public void addArgumentResolvers(List<HandlerMethodArgumentResolver> resolvers) {
@@ -45,4 +47,9 @@ public AsyncTaskExecutor mvcTaskExecutor() {
 	public void addFormatters(FormatterRegistry registry) {
 		registry.addFormatterForFieldAnnotation(hashidsFormatterFactory);
 	}
+
+	@Override
+	public void addInterceptors(InterceptorRegistry registry) {
+		registry.addInterceptor(decodeHashInterceptor);
+	}
 }

src/main/java/com/sofa/linkiving/global/error/code/CommonErrorCode.java

@@ -19,7 +19,8 @@ public enum CommonErrorCode implements ErrorCode {
 	METHOD_NOT_ALLOWED(HttpStatus.METHOD_NOT_ALLOWED, "C-007", "허용되지 않은 HTTP 메소드입니다."),
 	FORBIDDEN(HttpStatus.FORBIDDEN, "C-008", "접근이 허용되지 않았습니다."),
 	NULL_POINTER(HttpStatus.INTERNAL_SERVER_ERROR, "C-009", "NullPointerException이 발생했습니다."),
-	HTTP_MEDIA_NOT_SUPPORT(HttpStatus.UNSUPPORTED_MEDIA_TYPE, "C-010", "지원하지 않는 미디어입니다.");
+	HTTP_MEDIA_NOT_SUPPORT(HttpStatus.UNSUPPORTED_MEDIA_TYPE, "C-010", "지원하지 않는 미디어입니다."),
+	INVALID_IDENTIFIER(HttpStatus.BAD_REQUEST, "C-011", "유효하지 않은 식별자입니다.");
 
 	private final HttpStatus status;
 	private final String code;

src/main/java/com/sofa/linkiving/global/util/HashidsUtils.java

@@ -4,7 +4,13 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import com.sofa.linkiving.global.error.code.CommonErrorCode;
+import com.sofa.linkiving.global.error.exception.BusinessException;
+
+import lombok.extern.slf4j.Slf4j;
+
 @Component
+@Slf4j
 public class HashidsUtils {
 	private final Hashids hashids;
 
@@ -30,7 +36,7 @@ public Long decode(String hash) {
 		long[] decoded = hashids.decode(hash);
 
 		if (decoded.length == 0) {
-			throw new IllegalArgumentException("유효하지 않은 식별자입니다.");
+			throw new BusinessException(CommonErrorCode.INVALID_IDENTIFIER);
 		}
 		return decoded[0];
 	}