fix: 보안 취약점 수정 및 XSS 방지 적용

## 백엔드 보안 수정 - 하드코딩된 비밀번호 및 JWT 시크릿 폴백 제거 - SQL Injection 방지를 위한 화이트리스트 검증 추가 - 인증 미적용 API 라우트에 requireAuth 미들웨어 적용 - CSRF 보호 미들웨어 구현 (csrf.js) - 파일 업로드 보안 유틸리티 추가 (fileUploadSecurity.js) - 비밀번호 정책 검증 유틸리티 추가 (passwordValidator.js) ## 프론트엔드 XSS 방지 - api-base.js에 전역 escapeHtml() 함수 추가 - 17개 주요 JS 파일에 escapeHtml 적용: - tbm.js, daily-patrol.js, daily-work-report.js - task-management.js, workplace-status.js - equipment-detail.js, equipment-management.js - issue-detail.js, issue-report.js - vacation-common.js, worker-management.js - safety-report-list.js, nonconformity-list.js - project-management.js, workplace-management.js ## 정리 - 백업 폴더 및 빈 파일 삭제 - SECURITY_GUIDE.md 문서 추가 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 06:33:10 +09:00
parent 7c38c555f5
commit 36f110c90a
97 changed files with 2523 additions and 24267 deletions
--- a/web-ui/js/equipment-management.js
+++ b/web-ui/js/equipment-management.js
@@ -135,9 +135,13 @@ function populateWorkplaceFilters() {
  const filterWorkplace = document.getElementById('filterWorkplace');
  const modalWorkplace = document.getElementById('workplaceId');

-  const workplaceOptions = workplaces.map(w =>
-    `<option value="${w.workplace_id}">${w.category_name ? w.category_name + ' - ' : ''}${w.workplace_name}</option>`
-  ).join('');
+  const workplaceOptions = workplaces.map(w => {
+    const safeId = parseInt(w.workplace_id) || 0;
+    const categoryName = escapeHtml(w.category_name || '');
+    const workplaceName = escapeHtml(w.workplace_name || '');
+    const label = categoryName ? categoryName + ' - ' + workplaceName : workplaceName;
+    return `<option value="${safeId}">${label}</option>`;
+  }).join('');

  if (filterWorkplace) filterWorkplace.innerHTML = '<option value="">전체</option>' + workplaceOptions;
  if (modalWorkplace) modalWorkplace.innerHTML = '<option value="">선택 안함</option>' + workplaceOptions;
@@ -148,9 +152,10 @@ function populateTypeFilter() {
  const filterType = document.getElementById('filterType');
  if (!filterType) return;

-  const typeOptions = equipmentTypes.map(type =>
-    `<option value="${type}">${type}</option>`
-  ).join('');
+  const typeOptions = equipmentTypes.map(type => {
+    const safeType = escapeHtml(type || '');
+    return `<option value="${safeType}">${safeType}</option>`;
+  }).join('');
  filterType.innerHTML = '<option value="">전체</option>' + typeOptions;
 }

@@ -189,33 +194,44 @@ function renderEquipmentList() {
          </tr>
        </thead>
        <tbody>
-          ${equipments.map(eq => `
-            <tr>
-              <td class="eq-col-code">${eq.equipment_code || '-'}</td>
-              <td class="eq-col-name" title="${eq.equipment_name || ''}">${eq.equipment_name || '-'}</td>
-              <td class="eq-col-model" title="${eq.model_name || ''}">${eq.model_name || '-'}</td>
-              <td class="eq-col-spec" title="${eq.specifications || ''}">${eq.specifications || '-'}</td>
-              <td>${eq.manufacturer || '-'}</td>
-              <td>${eq.supplier || '-'}</td>
-              <td class="eq-col-price">${eq.purchase_price ? formatPrice(eq.purchase_price) : '-'}</td>
-              <td class="eq-col-date">${eq.installation_date ? formatDate(eq.installation_date) : '-'}</td>
-              <td>
-                <span class="eq-status eq-status-${eq.status}">
-                  ${getStatusText(eq.status)}
-                </span>
-              </td>
-              <td>
-                <div class="eq-actions">
-                  <button class="eq-btn-action eq-btn-edit" onclick="editEquipment(${eq.equipment_id})" title="수정">
-                    ✏️
-                  </button>
-                  <button class="eq-btn-action eq-btn-delete" onclick="deleteEquipment(${eq.equipment_id})" title="삭제">
-                    🗑️
-                  </button>
-                </div>
-              </td>
-            </tr>
-          `).join('')}
+          ${equipments.map(eq => {
+            const safeId = parseInt(eq.equipment_id) || 0;
+            const safeCode = escapeHtml(eq.equipment_code || '-');
+            const safeName = escapeHtml(eq.equipment_name || '-');
+            const safeModel = escapeHtml(eq.model_name || '-');
+            const safeSpec = escapeHtml(eq.specifications || '-');
+            const safeManufacturer = escapeHtml(eq.manufacturer || '-');
+            const safeSupplier = escapeHtml(eq.supplier || '-');
+            const validStatuses = ['active', 'maintenance', 'inactive'];
+            const safeStatus = validStatuses.includes(eq.status) ? eq.status : 'inactive';
+            return `
+              <tr>
+                <td class="eq-col-code">${safeCode}</td>
+                <td class="eq-col-name" title="${safeName}">${safeName}</td>
+                <td class="eq-col-model" title="${safeModel}">${safeModel}</td>
+                <td class="eq-col-spec" title="${safeSpec}">${safeSpec}</td>
+                <td>${safeManufacturer}</td>
+                <td>${safeSupplier}</td>
+                <td class="eq-col-price">${eq.purchase_price ? formatPrice(eq.purchase_price) : '-'}</td>
+                <td class="eq-col-date">${eq.installation_date ? formatDate(eq.installation_date) : '-'}</td>
+                <td>
+                  <span class="eq-status eq-status-${safeStatus}">
+                    ${getStatusText(eq.status)}
+                  </span>
+                </td>
+                <td>
+                  <div class="eq-actions">
+                    <button class="eq-btn-action eq-btn-edit" onclick="editEquipment(${safeId})" title="수정">
+                      ✏️
+                    </button>
+                    <button class="eq-btn-action eq-btn-delete" onclick="deleteEquipment(${safeId})" title="삭제">
+                      🗑️
+                    </button>
+                  </div>
+                </td>
+              </tr>
+            `;
+          }).join('')}
        </tbody>
      </table>
    </div>