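package kr.co.kihyun.text.hml;

import java.io.*;
import java.util.Objects;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Reads a KSC5601-encoded text file, remembers its first and last marked
 * section ({@link #getHead()} / {@link #getEnd()}) and writes the whole text
 * back out in the same encoding.
 *
 * <p>Not thread-safe: {@code head} and {@code end} are instance fields that
 * every call to {@link #getVirtualHtml(FileInputStream)} overwrites.
 */
public class VirtualHtml {
    private static final Logger LOG = LoggerFactory.getLogger(VirtualHtml.class);

    /**
     * Charset name used for reading and writing. Kept as a name rather than a
     * {@code Charset} so a JVM without this decoder fails at call time
     * ({@link UnsupportedEncodingException}), exactly as before.
     */
    private static final String CHARSET_NAME = "KSC5601";

    /**
     * Default markers that delimit a "section" of the text.
     * NOTE(review): both are empty in this copy of the source. The original
     * {@code closer_idx + 3} arithmetic points to a three-character closing
     * marker whose text was lost (apparently stripped as markup); with empty
     * markers every extracted section degenerates to "". Restore the values
     * from the original file, or pass explicit markers to
     * {@link #VirtualHtml(String, String)}.
     */
    private static final String DEFAULT_OPENER = "";
    private static final String DEFAULT_CLOSER = "";

    private final String opener;
    private final String closer;
    // First section found by the most recent getVirtualHtml call; null if none.
    private String head;
    // Last section found by the most recent getVirtualHtml call; null if none.
    private String end;

    /** Creates a converter using the default section markers. */
    public VirtualHtml() {
        this(DEFAULT_OPENER, DEFAULT_CLOSER);
    }

    /**
     * Creates a converter with explicit section markers.
     *
     * @param opener text that starts a section
     * @param closer text that ends a section; it is included in the extracted section
     * @throws NullPointerException if either marker is null
     */
    public VirtualHtml(String opener, String closer) {
        this.opener = Objects.requireNonNull(opener, "opener");
        this.closer = Objects.requireNonNull(closer, "closer");
    }

    /** @return the first marked section of the last text read, or null if none was found */
    public String getHead() {
        return head;
    }

    /** @return the last marked section of the last text read, or null if none was found */
    public String getEnd() {
        return end;
    }

    /**
     * Converts the file at {@code a} and writes the result to a file named {@code b}.
     *
     * <p>{@code b} is treated as an untrusted file name (CWE-22): every {@code /}
     * and {@code \} is removed before the file is opened, so the output always
     * lands in the working directory under the stripped name. A null or empty
     * {@code b}, or one consisting only of separators, writes nothing.
     *
     * <p>NOTE(review): {@code a} is opened as given; if it can also be
     * caller-controlled it needs the same confinement.
     *
     * @param a path of the input file, decoded as KSC5601
     * @param b output file name; path separators are stripped
     * @throws IOException if the input cannot be read or holds no data, or the
     *         output cannot be written (streams are closed in every case, CWE-404)
     */
    public void IOhandler(String a, String b) throws IOException {
        if (b == null || b.isEmpty()) {
            return; // as before: no output name, nothing to do
        }
        // replace(), not replaceAll(): these are literals, and "\\" is not a
        // valid regular expression (the old replaceAll threw PatternSyntaxException
        // on every call, and the stripped name was never the one actually opened).
        String svrFilename = b.replace("/", "").replace("\\", "");
        if (svrFilename.isEmpty()) {
            LOG.warn("VirtualHtml.IOhandler: output name {} contains only path separators, nothing written", b);
            return;
        }
        LOG.debug("v2. 4.경로 조작 및 자원 삽입_CWE-22/23/36/99 : VirtualHtml.IOhandler svrFilename={} / Not Test", svrFilename);

        // Read first so an unreadable or empty input does not leave an empty output file behind.
        String html;
        try (FileInputStream in = new FileInputStream(a)) {
            html = getVirtualHtml(in);
        }
        if (html == null) {
            throw new IOException("no content read from " + a);
        }
        try (Writer out = new BufferedWriter(
                new OutputStreamWriter(new FileOutputStream(svrFilename), CHARSET_NAME))) {
            out.write(html);
        }
    }

    /**
     * Reads the whole of {@code fis} as KSC5601 text and records the first and
     * the last marker-delimited section in {@code head} and {@code end}.
     *
     * <p>Every line is re-terminated with {@code "\n"}. The stream is closed
     * before this method returns, on success and on failure alike. (The old
     * implementation closed the reader in a {@code finally} block before the
     * first {@code readLine()}, so every non-empty input failed with
     * "Stream closed".)
     *
     * @param fis stream to consume; closed by this method
     * @return the text with each line terminated by {@code "\n"}, or
     *         {@code null} if the stream held no data (head and end are then left untouched)
     * @throws UnsupportedEncodingException if this JVM has no KSC5601 decoder
     * @throws IOException if reading fails
     */
    public String getVirtualHtml(FileInputStream fis) throws IOException, UnsupportedEncodingException {
        StringBuilder buf = new StringBuilder();
        try (BufferedReader br = new BufferedReader(new InputStreamReader(fis, CHARSET_NAME))) {
            String line;
            while ((line = br.readLine()) != null) {
                buf.append(line).append('\n');
            }
        }
        if (buf.length() == 0) {
            return null;
        }
        String html = buf.toString();
        this.head = sectionAt(html, html.indexOf(opener));
        this.end = sectionAt(html, html.lastIndexOf(opener));
        return html;
    }

    /**
     * Returns the section that begins at {@code start} (an opener index) and runs
     * through the end of the next closer, or null when {@code start} is -1 or no
     * closer follows. Bounds are derived from real match positions, so malformed
     * input cannot raise {@link StringIndexOutOfBoundsException}.
     */
    private String sectionAt(String html, int start) {
        if (start < 0) {
            return null;
        }
        int stop = html.indexOf(closer, start + opener.length());
        if (stop < 0) {
            return null;
        }
        return html.substring(start, stop + closer.length());
    }
}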