Skip to content

πŸ›‘οΈ Sentinel: [HIGH] λ³΄μ•ˆ ν–₯상 - CSP 'unsafe-inline' 제거 및 nonce 적용#105

Closed
seonghobae wants to merge 2 commits into
masterfrom
sentinel-csp-nonce-10642124570899679186
Closed

πŸ›‘οΈ Sentinel: [HIGH] λ³΄μ•ˆ ν–₯상 - CSP 'unsafe-inline' 제거 및 nonce 적용#105
seonghobae wants to merge 2 commits into
masterfrom
sentinel-csp-nonce-10642124570899679186

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

πŸ›‘οΈ Sentinel: [HIGH] λ³΄μ•ˆ ν–₯상 - CSP 'unsafe-inline' 제거 및 nonce 적용

🚨 Severity: HIGH
πŸ’‘ Vulnerability: μ •μ μœΌλ‘œ μƒμ„±λ˜λŠ” HTML 파일의 Content Security Policy(CSP)에 unsafe-inline이 ν—ˆμš©λ˜μ–΄ μžˆμ–΄, CSS μΈμ μ…˜(CSS Injection) 곡격에 λŒ€ν•œ λ°©μ–΄κ°€ μ·¨μ•½ν–ˆμŠ΅λ‹ˆλ‹€.
🎯 Impact: μ•…μ˜μ μΈ 디렉토리/파일 이름 등을 톡해 인라인 μŠ€νƒ€μΌμ΄ μ£Όμž…λ  경우 μ œν•œλœ ν˜•νƒœμ˜ XSS 곡격이 κ°€λŠ₯ν•΄μ§ˆ 수 μžˆμŠ΅λ‹ˆλ‹€.
πŸ”§ Fix:

  1. 인라인 style="..." 속성을 μ œκ±°ν•˜κ³  .item-link, .empty-msg와 같은 CSS 클래슀둜 λŒ€μ²΄ν–ˆμŠ΅λ‹ˆλ‹€.
  2. 맀번 κ³ μœ ν•œ μ•”ν˜Έν•™μ  λ‚œμˆ˜(UUID 기반 nonce)λ₯Ό μƒμ„±ν•˜μ—¬ <style> νƒœκ·Έμ™€ CSP 메타 νƒœκ·Έμ— μΆ”κ°€ν•¨μœΌλ‘œμ¨ ν—ˆμš©λœ μŠ€νƒ€μΌλ§Œ λ Œλ”λ§λ˜λ„λ‘ μˆ˜μ •ν–ˆμŠ΅λ‹ˆλ‹€ (style-src 'nonce-...';).
    βœ… Verification: ./gradlew testλ₯Ό μ‹€ν–‰ν•˜μ—¬ ν…ŒμŠ€νŠΈκ°€ μ„±κ³΅μ μœΌλ‘œ 톡과함을 ν™•μΈν–ˆμœΌλ©°, 100% ν…ŒμŠ€νŠΈ 컀버리지λ₯Ό μœ μ§€ν•©λ‹ˆλ‹€. μƒμ„±λœ index.html νŒŒμΌμ— 인라인 μŠ€νƒ€μΌμ΄ μ—†μœΌλ©° nonceκ°€ μ˜¬λ°”λ₯΄κ²Œ μž‘λ™ν•¨μ„ κ²€μ¦ν–ˆμŠ΅λ‹ˆλ‹€.

PR created automatically by Jules for task 10642124570899679186 started by @seonghobae

- 정적 HTML 생성 μ‹œ XSS 취약점을 λ°©μ–΄ν•˜κΈ° μœ„ν•΄ Content Security Policy(CSP)μ—μ„œ 'unsafe-inline' μ§€μ‹œμ–΄λ₯Ό μ œκ±°ν•¨.
- 인라인 μŠ€νƒ€μΌ 속성을 CSS 클래슀둜 λŒ€μ²΄ν•¨ (`.item-link`, `.empty-msg`).
- λ™μ μœΌλ‘œ μƒμ„±λœ μ•”ν˜Έν•™μ  nonce(UUID)λ₯Ό `<style>` νƒœκ·Έμ™€ CSP 메타 νƒœκ·Έμ— μ μš©ν•˜μ—¬ ν—ˆμš©λœ μŠ€νƒ€μΌλ§Œ λ Œλ”λ§λ˜λ„λ‘ 함.
- κ΄€λ ¨ ν…ŒμŠ€νŠΈλ₯Ό μ—…λ°μ΄νŠΈν•˜μ—¬ 100% ν…ŒμŠ€νŠΈ 컀버리지λ₯Ό μœ μ§€ν•¨.
@google-labs-jules

Copy link
Copy Markdown

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

- 정적 HTML 생성 μ‹œ XSS 취약점을 λ°©μ–΄ν•˜κΈ° μœ„ν•΄ Content Security Policy(CSP)μ—μ„œ 'unsafe-inline' μ§€μ‹œμ–΄λ₯Ό μ œκ±°ν•¨.
- 인라인 μŠ€νƒ€μΌ 속성을 CSS 클래슀둜 λŒ€μ²΄ν•¨ (`.item-link`, `.empty-msg`).
- λ™μ μœΌλ‘œ μƒμ„±λœ μ•”ν˜Έν•™μ  nonce(UUID)λ₯Ό `<style>` νƒœκ·Έμ™€ CSP 메타 νƒœκ·Έμ— μ μš©ν•˜μ—¬ ν—ˆμš©λœ μŠ€νƒ€μΌλ§Œ λ Œλ”λ§λ˜λ„λ‘ 함.
- κ΄€λ ¨ ν…ŒμŠ€νŠΈλ₯Ό μ—…λ°μ΄νŠΈν•˜μ—¬ 100% ν…ŒμŠ€νŠΈ 컀버리지λ₯Ό μœ μ§€ν•¨.
@seonghobae

Copy link
Copy Markdown
Collaborator Author

Closing as superseded during org-wide PR triage. Keeping #111 as the canonical PR for the same overlapping topic: CSP unsafe-inline/nonce hardening. This PR is stale/conflicted or has review blockers, so retaining one current PR reduces duplicated review and merge conflict work.

@seonghobae seonghobae closed this Jul 7, 2026
@google-labs-jules

Copy link
Copy Markdown

Closing as superseded during org-wide PR triage. Keeping #111 as the canonical PR for the same overlapping topic: CSP unsafe-inline/nonce hardening. This PR is stale/conflicted or has review blockers, so retaining one current PR reduces duplicated review and merge conflict work.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant