
[ci/cd] refactor all of file #34

Merged

JangYeongHu merged 2 commits into develop from ci/workflow-fourth-code-style on Dec 1, 2025
Conversation

@JangYeongHu (Contributor)

No description provided.


http
        // REST API basic settings
        .csrf(csrf -> csrf.disable()).cors(Customizer.withDefaults())

Check failure: Code scanning / CodeQL

Disabled Spring CSRF protection (High): CSRF vulnerability due to protection being disabled.

Copilot Autofix (AI, 3 months ago)

How to, in general terms, fix the problem:
To fix this issue, CSRF protection should not be globally disabled as this weakens the security of the application. Instead, keep the CSRF protection enabled by removing the explicit .csrf(csrf -> csrf.disable()) line from the security configuration. If there are certain endpoints (such as stateless APIs or endpoints that never change state via browser requests) that genuinely need to bypass CSRF checks, those individual endpoints can be configured accordingly—but disabling it globally is risky.

Detailed recommendation for this file:
Edit the filterChain bean in SecurityConfig.java to remove .csrf(csrf -> csrf.disable()) from the security filter chain setup (line 53). This will restore Spring's default behavior of enabling CSRF protection. No additional imports/configuration changes are necessary unless the application exposes certain API endpoints that must be excluded from CSRF protection—in which case, use explicit csrf.ignoringRequestMatchers(...) instead of disabling CSRF globally.

Specific changes:

  • In src/main/java/opensource/bravest/global/config/SecurityConfig.java, remove or comment out .csrf(csrf -> csrf.disable()) from the builder chain in the filterChain method.

Suggested changeset 1
src/main/java/opensource/bravest/global/config/SecurityConfig.java

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/main/java/opensource/bravest/global/config/SecurityConfig.java b/src/main/java/opensource/bravest/global/config/SecurityConfig.java
--- a/src/main/java/opensource/bravest/global/config/SecurityConfig.java
+++ b/src/main/java/opensource/bravest/global/config/SecurityConfig.java
@@ -50,7 +50,7 @@
 
         http
                         // REST API 기본 세팅
-                        .csrf(csrf -> csrf.disable()).cors(Customizer.withDefaults())
+                        .cors(Customizer.withDefaults())
                         .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                         .httpBasic(basic -> basic.disable()).formLogin(form -> form.disable())
                         .logout(lo -> lo.disable()).requestCache(cache -> cache.disable())
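Review bot: removing `.csrf(csrf -> csrf.disable())` while the next context line keeps `.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))` will make every state-changing request fail rather than become protected, because Spring Security's default CSRF token repository stores the expected token in the HTTP session, which this chain never creates, so POST/PUT/DELETE calls would be rejected with 403 for lack of a token. If the API is authenticated only by a bearer token that browsers do not attach automatically, the disable is defensible and should stay, with a comment explaining why it is safe; if cookies are involved in authentication, pair re-enabling CSRF with a stateless-friendly repository such as `CookieCsrfTokenRepository.withHttpOnlyFalse()` and use `csrf.ignoringRequestMatchers(...)` only for the endpoints that genuinely must be exempt, as the general recommendation above already suggests.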
EOF
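The autofix recommends keeping CSRF protection enabled and exempting only specific endpoints, but it does not show how that coexists with the STATELESS session policy visible in the same chain. The configuration below is an added example, not code from this PR or from the bravest project: it keeps the same filter chain shape, stores the CSRF token in a readable cookie (so no server-side session is needed), exempts one assumed server-to-server path, and includes a request handler following the single-page-application pattern from Spring Security's reference documentation. The package name, the `/api/webhooks/**` pattern and the `SpaCsrfTokenRequestHandler` class are assumptions.

```java
// Added example (not the PR's SecurityConfig): keep CSRF protection enabled for a
// stateless REST API instead of disabling it globally. Package name, the
// "/api/webhooks/**" exemption and the SpaCsrfTokenRequestHandler are assumptions;
// the handler follows the pattern in Spring Security's reference documentation.
package example.config;

import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF stays enabled. Because the session policy below is STATELESS, the
            // default session-backed token repository cannot hold the token, so it is
            // kept in a cookie that browser-side JavaScript reads and echoes back in
            // the X-XSRF-TOKEN header on state-changing requests.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                // Exempt only endpoints that a browser never drives (assumed path:
                // server-to-server webhooks that carry their own signature).
                .ignoringRequestMatchers("/api/webhooks/**"))
            .cors(Customizer.withDefaults())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(basic -> basic.disable())
            .formLogin(form -> form.disable())
            .logout(lo -> lo.disable())
            .requestCache(cache -> cache.disable());
        return http.build();
    }

    /**
     * Request handler for single-page-app clients. The XOR handler renders the token
     * (BREACH protection); a token echoed back in the request header is compared
     * as-is, because the client copies the raw cookie value into the header.
     */
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           Supplier<CsrfToken> csrfToken) {
            this.xor.handle(request, response, csrfToken);
            // Render the token eagerly so the cookie is written on every response,
            // not only when a template happens to reference it.
            csrfToken.get();
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            String headerValue = request.getHeader(csrfToken.getHeaderName());
            // Header present: the client sent the raw cookie value. Otherwise the value
            // came from a form field and was XOR-encoded when rendered, so decode it.
            return (StringUtils.hasText(headerValue) ? this.plain : this.xor)
                .resolveCsrfTokenValue(request, csrfToken);
        }
    }
}
```

With this in place a browser client first performs any request (which sets the XSRF-TOKEN cookie), then sends the cookie's value in the X-XSRF-TOKEN header with each POST/PUT/DELETE; requests that lack a matching header are rejected with 403, while the exempted webhook path is unaffected.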
@JangYeongHu JangYeongHu merged commit 4ce3f7d into develop Dec 1, 2025
5 of 6 checks passed

1 participant