From 0b205a7171d1c53ec7015bc942cf8804bbdca02c Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Mon, 6 Jul 2026 21:10:37 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20=EC=A0=95?= =?UTF-8?q?=EC=A0=81=20HTML=20=EC=83=9D=EC=84=B1=EA=B8=B0=EB=A5=BC=20?= =?UTF-8?q?=EC=9C=84=ED=95=9C=20CSP=20=EB=B3=B4=EC=95=88=20=EA=B0=95?= =?UTF-8?q?=ED=99=94=20(Nonce=20=EB=8F=84=EC=9E=85)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - `unsafe-inline`을 제거하고 무작위 Nonce(난스)를 사용한 강력한 스타일 CSP 적용 - 기존 인라인 스타일을 CSS 클래스 `.item-link` 및 `.empty-msg`로 분리 - HTML 템플릿의 XSS 방어 계층(Defense in Depth) 강화 - 관련 `MainTest.kt` 테스트 코드 업데이트 완료 --- .jules/sentinel.md | 1 + src/main/kotlin/html4tree/main.kt | 26 +++++++++++++++++++++----- src/test/kotlin/html4tree/MainTest.kt | 3 ++- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 6c61284..edf0698 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -22,3 +22,4 @@ **Vulnerability:** Defense in Depth (CSP Missing) **Learning:** Even when inputs are properly escaped, statically generated HTML that displays file/directory structures should implement a Content Security Policy (CSP) to provide an extra layer of defense against potential XSS bypasses. **Prevention:** Include a strict CSP meta tag (e.g., `default-src 'none'; style-src 'unsafe-inline';`) in auto-generated HTML headers when external scripts or resources are not required. +## 2024-06-29 - [html4tree] Strict CSP Nonce Implementation\n**Vulnerability:** Weak Content Security Policy (CSP)\n**Learning:** The previous CSP allowed `style-src 'unsafe-inline'`, which is generally discouraged as it can weaken defense-in-depth against XSS attacks. The html4tree output relied on `style="..."` attributes.\n**Prevention:** A secure random `nonce` is now generated per execution using `java.security.SecureRandom` and applied to the ` """ @@ -159,7 +175,7 @@ fun process_dir(curr_dir: File){ - +