Skip to content

Comments

fix(#392): 브랜드 상세 조회 API에서 브랜드의 유저의 ID가 나올 수 있도록 변경#393

Merged
Yoonchulchung merged 1 commit intodevfrom
fix/392-brand-api
Feb 12, 2026
Merged

fix(#392): 브랜드 상세 조회 API에서 브랜드의 유저의 ID가 나올 수 있도록 변경#393
Yoonchulchung merged 1 commit intodevfrom
fix/392-brand-api

Conversation

@Yoonchulchung
Copy link
Member

@Yoonchulchung Yoonchulchung commented Feb 12, 2026

Summary

브랜드 상세 조회 API에서 브랜드의 유저의 ID가 나올 수 있도록 변경

Changes

  • 브랜드 상세 조회 API: 브랜드의 유저의 ID 출력하도록 Dto 와 서비스 로직 수정

Type of Change

  • Bug fix (기존 기능에 영향을 주지 않는 버그 수정)
  • New feature (기존 기능에 영향을 주지 않는 새로운 기능 추가)
  • Breaking change (기존 기능에 영향을 주는 수정)
  • Refactoring (기능 변경 없는 코드 개선)
  • Documentation (문서 수정)
  • Chore (빌드, 설정 등 기타 변경)
  • Release (develop → main 배포)

Related Issues

#392

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Feb 12, 2026

Summary of Changes

Hello @Yoonchulchung, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

이 Pull Request는 브랜드 상세 조회 API의 응답에 브랜드 소유자의 사용자 ID를 포함하도록 개선합니다. 기존에는 브랜드 정보만 제공되었으나, 이제는 해당 브랜드를 등록한 사용자의 ID까지 함께 제공되어 API 사용자가 브랜드와 사용자 간의 관계를 명확하게 파악할 수 있게 됩니다. 이는 특정 브랜드와 관련된 사용자 정보를 필요로 하는 기능에 유용할 것입니다.

Highlights

  • 브랜드 상세 조회 API 응답 개선: 브랜드 상세 조회 API 응답 DTO에 brandUserId 필드를 추가하여 브랜드 소유자의 ID를 포함하도록 변경되었습니다.
  • 브랜드 서비스 로직 업데이트: BrandService에서 브랜드 상세 정보를 조회할 때, BrandDetailResponseDtobrandUserId 필드에 해당 브랜드 소유자의 ID를 설정하는 로직이 추가되었습니다.
Changelog
  • src/main/java/com/example/RealMatch/brand/application/service/BrandService.java
    • getBrandDetail 메서드에서 BrandDetailResponseDto를 빌드할 때 brandUserId를 설정하는 로직이 추가되었습니다.
  • src/main/java/com/example/RealMatch/brand/presentation/dto/response/BrandDetailResponseDto.java
    • 브랜드 소유자의 ID를 나타내는 brandUserId 필드가 추가되었습니다.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@Yoonchulchung Yoonchulchung merged commit e25fec3 into dev Feb 12, 2026
1 check passed
@Yoonchulchung Yoonchulchung deleted the fix/392-brand-api branch February 12, 2026 10:40
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 12, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This PR introduces changes to include the brand owner's user ID in the brand detail API response. However, a high-severity information disclosure vulnerability has been identified. Exposing internal user IDs can lead to Insecure Direct Object Reference (IDOR) attacks and user enumeration. It is strongly recommended to remediate this by not exposing internal identifiers in API responses, especially in DTOs where fields should only be added if securely required by a consumer. If a public identifier is required, consider using a non-sequential, non-guessable alternative. Additionally, if an ID were to be exposed, ensuring consistency in data types, such as using Long for ID fields, would be beneficial.

src/main/java/com/example/RealMatch/brand/application/service/BrandService.java
BrandDetailResponseDto.BrandDetailResponseDtoBuilder responseBuilder = BrandDetailResponseDto.builder()
.userId(currentUserId)
.brandName(brand.getBrandName())
.brandUserId(String.valueOf(brand.getUser().getId()))
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

This line exposes the internal userId of the brand's owner, leading to a high-severity information disclosure vulnerability. This can enable Insecure Direct Object Reference (IDOR) attacks and user enumeration. It is strongly recommended to avoid exposing internal database identifiers in API responses. If a unique identifier is required, use a non-sequential, non-guessable public identifier (e.g., a UUID). The code review also suggested changing the type from String to Long for brandUserId to align with brand.getUser().getId()'s return type, but the primary concern is the exposure of the ID itself.

src/main/java/com/example/RealMatch/brand/presentation/dto/response/BrandDetailResponseDto.java
public class BrandDetailResponseDto {
private Long userId;
private String brandName;
private String brandUserId;
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

This brandUserId field is intended to carry a sensitive internal user ID. Exposing internal user IDs in API responses is a high-severity security risk, potentially leading to Insecure Direct Object Reference (IDOR) vulnerabilities and other attacks. It is strongly recommended to remove this field entirely to avoid exposing internal identifiers. Additionally, as per repository rule 'Avoid adding fields to a DTO if they are not currently required by a consumer', this field should not be present if it's not securely required by a consumer. While the code review suggested changing its type to Long for consistency, the primary concern is the exposure of the ID itself.

References
  1. Avoid adding fields to a DTO if they are not currently required by a consumer, even if they were present in a previous version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Yoonchulchung