hyungi/TK-FB-Project
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 보안 취약점 수정 및 XSS 방지 적용

Browse Source 
## 백엔드 보안 수정
- 하드코딩된 비밀번호 및 JWT 시크릿 폴백 제거
- SQL Injection 방지를 위한 화이트리스트 검증 추가
- 인증 미적용 API 라우트에 requireAuth 미들웨어 적용
- CSRF 보호 미들웨어 구현 (csrf.js)
- 파일 업로드 보안 유틸리티 추가 (fileUploadSecurity.js)
- 비밀번호 정책 검증 유틸리티 추가 (passwordValidator.js)

## 프론트엔드 XSS 방지
- api-base.js에 전역 escapeHtml() 함수 추가
- 17개 주요 JS 파일에 escapeHtml 적용:
  - tbm.js, daily-patrol.js, daily-work-report.js
  - task-management.js, workplace-status.js
  - equipment-detail.js, equipment-management.js
  - issue-detail.js, issue-report.js
  - vacation-common.js, worker-management.js
  - safety-report-list.js, nonconformity-list.js
  - project-management.js, workplace-management.js

## 정리
- 백업 폴더 및 빈 파일 삭제
- SECURITY_GUIDE.md 문서 추가

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-02-05 06:33:10 +09:00
parent 7c38c555f5
commit 36f110c90a
97 changed files with 2523 additions and 24267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
api.hyungi.net/routes/projectRoutes.js
View File

@@ -2,23 +2,18 @@
const express = require('express');
const router = express.Router();
const projectController = require('../controllers/projectController');
const { requireAuth, requireMinLevel } = require('../middlewares/auth');
// CREATE
router.post('/', projectController.createProject);
// READ - 인증된 사용자
router.get('/', requireAuth, projectController.getAllProjects);
router.get('/active/list', requireAuth, projectController.getActiveProjects);
router.get('/:project_id', requireAuth, projectController.getProjectById);
// READ ALL
router.get('/', projectController.getAllProjects);
// CREATE/UPDATE - support_team 이상 권한 필요
router.post('/', requireAuth, requireMinLevel('support_team'), projectController.createProject);
router.put('/:project_id', requireAuth, requireMinLevel('support_team'), projectController.updateProject);
// READ ACTIVE ONLY (작업보고서용)
router.get('/active/list', projectController.getActiveProjects);
// READ ONE
router.get('/:project_id', projectController.getProjectById);
// UPDATE
router.put('/:project_id', projectController.updateProject);
// DELETE
router.delete('/:project_id', projectController.removeProject);
// DELETE - admin 이상 권한 필요
router.delete('/:project_id', requireAuth, requireMinLevel('admin'), projectController.removeProject);
module.exports = router;