Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, RememberMeServ
.requestMatchers("/api/auth/password-reset/**").permitAll()
.requestMatchers("/api/config/public").permitAll()
.requestMatchers("/auth-login.html", "/auth-signup.html").permitAll()
.requestMatchers("/admin/**", "/api/admin/**").hasRole("ADMIN")
.requestMatchers("/admin/**", "/api/admin/**", "/api/v2/admin/**").hasRole("ADMIN")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

현재 /api/v2/admin/** 경로를 수동으로 추가하여 보안 취약점을 해결하셨습니다. 하지만 이러한 방식은 향후 /api/v3/admin/**와 같이 새로운 버전의 API가 추가될 때 다시 보안 설정이 누락될 위험이 있습니다. 관리자 API의 경로 패턴이 일정한 규칙(예: /api/{version}/admin/**)을 따른다면, /api/**/admin/**와 같은 와일드카드 패턴을 사용하여 모든 버전의 관리자 API를 일관되게 보호하고 유지보수성을 높이는 것을 권장합니다.

Suggested change
.requestMatchers("/admin/**", "/api/admin/**", "/api/v2/admin/**").hasRole("ADMIN")
.requestMatchers("/admin/**", "/api/**/admin/**").hasRole("ADMIN")

.requestMatchers("/swagger-ui/**", "/v3/api-docs/**", "/api-docs/**", "/swagger-ui.html").permitAll()
.requestMatchers("/actuator/**").permitAll()
.requestMatchers("/api/groups/**").authenticated()
Expand Down
Loading