Expand Up @@ -142,7 +142,7 @@ public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();

configuration.setAllowedOriginPatterns(List.of("*")); // patterns 를 써야됨
configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS","PATCH"));
configuration.setAllowedHeaders(List.of("*"));
configuration.setExposedHeaders(List.of("*"));
configuration.setAllowCredentials(true); // true 옵션 필요
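Review bot: Adding `PATCH` to the allowed methods is fine on its own, but the unchanged context around it is the riskier part: `setAllowedOriginPatterns(List.of("*"))` combined with `setAllowCredentials(true)` lets any origin make credentialed (cookie- or session-bearing) cross-site requests, because with the pattern form Spring reflects the caller's origin in `Access-Control-Allow-Origin` instead of rejecting the `*`-with-credentials combination the way `setAllowedOrigins` does (which is what the `// patterns 를 써야됨`, "must use patterns", comment hints at). Replace `"*"` with the known front-end origins, e.g. `List.of("https://app.example.com")` (placeholder host). Note also that `setExposedHeaders(List.of("*"))` is only honored by browsers for non-credentialed requests, so the headers to expose should be listed explicitly here as well.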
2 changes: 2 additions & 0 deletions src/main/resources/templates/chat-page.html
@@ -1,6 +1,8 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<script src="https://cdn.jsdelivr.net/npm/sockjs-client@1/dist/sockjs.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/lib/stomp.min.js"></script>
Comment on lines +4 to +5
🛠️ Refactor suggestion

Add SRI (Subresource Integrity) hashes to the CDN scripts to prevent supply-chain attacks

When loading resources from an external CDN, adding the `integrity` and `crossorigin="anonymous"` attributes for integrity verification is a security best practice.

-<script src="https://cdn.jsdelivr.net/npm/sockjs-client@1/dist/sockjs.min.js"></script>
-<script src="https://cdn.jsdelivr.net/npm/[email protected]/lib/stomp.min.js"></script>
+<!-- TODO: real SRI 해시 값으로 교체 -->
+<script
+  src="https://cdn.jsdelivr.net/npm/sockjs-client@1/dist/sockjs.min.js"
+  integrity="sha384-<CALCULATED_HASH>"
+  crossorigin="anonymous"></script>
+<script
+  src="https://cdn.jsdelivr.net/npm/[email protected]/lib/stomp.min.js"
+  integrity="sha384-<CALCULATED_HASH>"
+  crossorigin="anonymous"></script>

If the browser cache is not refreshed after applying this, 4xx errors may occur, so verify locally that the integrity hashes are correct before deploying.

🤖 Prompt for AI Agents
In src/main/resources/templates/chat-page.html at lines 4 to 5, the script tags
loading external CDN resources lack Subresource Integrity (SRI) attributes. To
fix this, generate the correct SRI hash for each CDN script and add the
integrity attribute along with crossorigin="anonymous" to both script tags.
Verify the hashes locally before deployment to avoid caching issues or 4xx
errors.

<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>EzCode 채팅방</title>
<link rel="stylesheet" href="/css/header.css" />
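Review bot: Before adding `integrity` as suggested above, pin `sockjs-client@1` to an exact version: `@1` is a floating major-version tag, so jsDelivr can serve a different 1.x build after the next release and the SRI hash would then fail, and the browser would refuse to run the script. Likewise, `<CALCULATED_HASH>` in the suggestion is only a placeholder; compute the real digest from the exact file you pin (e.g. `openssl dgst -sha384 -binary sockjs.min.js | openssl base64 -A`) rather than from whatever the floating URL currently serves, and do the same for the stomp script once its version is pinned.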