fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정
Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
@@ -773,10 +773,6 @@
|
||||
ssoCookie.set('sso_user', JSON.stringify(data.user), 7);
|
||||
if (data.refresh_token) ssoCookie.set('sso_refresh_token', data.refresh_token, 30);
|
||||
|
||||
localStorage.setItem('sso_token', data.access_token);
|
||||
localStorage.setItem('sso_user', JSON.stringify(data.user));
|
||||
if (data.refresh_token) localStorage.setItem('sso_refresh_token', data.refresh_token);
|
||||
|
||||
var redirect = new URLSearchParams(location.search).get('redirect');
|
||||
if (redirect && isSafeRedirect(redirect)) {
|
||||
window.location.href = redirect;
|
||||
|
||||
@@ -31,11 +31,11 @@
|
||||
*/
|
||||
window.SSOAuth = {
|
||||
getToken: function() {
|
||||
return cookieGet('sso_token') || localStorage.getItem('sso_token');
|
||||
return cookieGet('sso_token');
|
||||
},
|
||||
|
||||
getUser: function() {
|
||||
var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
|
||||
var raw = cookieGet('sso_user');
|
||||
try { return JSON.parse(raw); } catch(e) { return null; }
|
||||
},
|
||||
|
||||
|
||||
@@ -4,6 +4,10 @@ server {
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
# 대시보드 (로그인 포함)
|
||||
location = /dashboard {
|
||||
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
||||
|
||||
@@ -127,8 +127,17 @@ async function loginForm(req, res, next) {
|
||||
return res.status(400).json({ detail: 'Missing username or password' });
|
||||
}
|
||||
|
||||
// Rate limiting (동일 로직: /login과 공유)
|
||||
const attemptKey = `login_attempts:${username}`;
|
||||
const attempts = parseInt(await redis.get(attemptKey)) || 0;
|
||||
if (attempts >= MAX_LOGIN_ATTEMPTS) {
|
||||
return res.status(429).json({ detail: '로그인 시도 횟수를 초과했습니다. 5분 후 다시 시도하세요' });
|
||||
}
|
||||
|
||||
const user = await userModel.findByUsername(username);
|
||||
if (!user) {
|
||||
await redis.incr(attemptKey);
|
||||
await redis.expire(attemptKey, LOGIN_LOCKOUT_SECONDS);
|
||||
return res.status(401).json({ detail: 'Incorrect username or password' });
|
||||
}
|
||||
|
||||
@@ -139,9 +148,14 @@ async function loginForm(req, res, next) {
|
||||
|
||||
const valid = await userModel.verifyPassword(password, user.password_hash);
|
||||
if (!valid) {
|
||||
await redis.incr(attemptKey);
|
||||
await redis.expire(attemptKey, LOGIN_LOCKOUT_SECONDS);
|
||||
return res.status(401).json({ detail: 'Incorrect username or password' });
|
||||
}
|
||||
|
||||
// 로그인 성공 시 시도 횟수 초기화
|
||||
await redis.del(attemptKey);
|
||||
|
||||
await userModel.updateLastLogin(user.user_id);
|
||||
|
||||
const payload = createTokenPayload(user);
|
||||
|
||||
@@ -19,7 +19,7 @@ const helmetOptions = {
|
||||
directives: {
|
||||
defaultSrc: ["'self'"],
|
||||
styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
|
||||
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], // 개발 중 unsafe-eval 허용
|
||||
scriptSrc: ["'self'", "'unsafe-inline'"],
|
||||
imgSrc: ["'self'", "data:", "https:", "blob:"],
|
||||
fontSrc: ["'self'", "https://fonts.gstatic.com"],
|
||||
connectSrc: ["'self'", "https://api.technicalkorea.com"],
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
if('serviceWorker' in navigator){navigator.serviceWorker.getRegistrations().then(function(r){r.forEach(function(reg){reg.unregister()});})}
|
||||
if('caches' in window){caches.keys().then(function(k){k.forEach(function(key){caches.delete(key)})})}
|
||||
</script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script>
|
||||
// SSO 토큰 확인
|
||||
var token = window.getSSOToken ? window.getSSOToken() : (localStorage.getItem('sso_token') || localStorage.getItem('token'));
|
||||
|
||||
@@ -193,7 +193,7 @@ if ('caches' in window) {
|
||||
var iconMap = { success: '\u2705', error: '\u274C', warning: '\u26A0\uFE0F', info: '\u2139\uFE0F' };
|
||||
var toast = document.createElement('div');
|
||||
toast.className = 'toast toast-' + type;
|
||||
toast.innerHTML = '<span class="toast-icon">' + (iconMap[type] || '\u2139\uFE0F') + '</span><span class="toast-message">' + message + '</span>';
|
||||
toast.innerHTML = '<span class="toast-icon">' + (iconMap[type] || '\u2139\uFE0F') + '</span><span class="toast-message">' + escapeHtml(message) + '</span>';
|
||||
container.appendChild(toast);
|
||||
|
||||
setTimeout(function() { toast.classList.add('show'); }, 10);
|
||||
|
||||
@@ -20,7 +20,7 @@ export function parseJwt(token) {
|
||||
*/
|
||||
export function getToken() {
|
||||
if (window.getSSOToken) return window.getSSOToken();
|
||||
return localStorage.getItem('sso_token');
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -28,12 +28,7 @@ export function getToken() {
|
||||
*/
|
||||
export function getUser() {
|
||||
if (window.getSSOUser) return window.getSSOUser();
|
||||
const raw = localStorage.getItem('sso_user');
|
||||
try {
|
||||
return raw ? JSON.parse(raw) : null;
|
||||
} catch(e) {
|
||||
return null;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -41,8 +36,7 @@ export function getUser() {
|
||||
* sso_token/sso_user 키로 저장합니다.
|
||||
*/
|
||||
export function saveAuthData(token, user) {
|
||||
localStorage.setItem('sso_token', token);
|
||||
localStorage.setItem('sso_user', JSON.stringify(user));
|
||||
// 쿠키 기반 인증 — localStorage 저장 불필요 (gateway에서 쿠키 설정)
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -50,9 +44,6 @@ export function saveAuthData(token, user) {
|
||||
*/
|
||||
export function clearAuthData() {
|
||||
if (window.clearSSOAuth) { window.clearSSOAuth(); return; }
|
||||
localStorage.removeItem('sso_token');
|
||||
localStorage.removeItem('sso_user');
|
||||
localStorage.removeItem('userPageAccess');
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -4,6 +4,10 @@ server {
|
||||
|
||||
client_max_body_size 50M;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
|
||||
@@ -191,7 +191,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script type="module">
|
||||
import '/js/api-config.js?v=3';
|
||||
|
||||
@@ -325,7 +325,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/department-management.js"></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -315,7 +315,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script type="module">
|
||||
import '/js/api-config.js?v=3';
|
||||
|
||||
@@ -191,7 +191,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script type="module">
|
||||
import '/js/api-config.js?v=3';
|
||||
|
||||
@@ -330,7 +330,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script type="module" src="/js/issue-category-manage.js"></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -388,7 +388,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script>
|
||||
let currentPage = 1;
|
||||
let totalPages = 1;
|
||||
|
||||
@@ -385,7 +385,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script>
|
||||
let allProjects = [];
|
||||
let filteredProjects = [];
|
||||
|
||||
@@ -488,7 +488,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script>
|
||||
let currentReportId = null;
|
||||
let allRepairs = [];
|
||||
|
||||
@@ -286,7 +286,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script>
|
||||
let workTypes = [];
|
||||
let tasks = [];
|
||||
|
||||
@@ -432,7 +432,7 @@
|
||||
|
||||
<!-- 작업장 관리 모듈 (리팩토링된 구조) -->
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/workplace-management/state.js?v=1"></script>
|
||||
<script src="/js/workplace-management/utils.js?v=1"></script>
|
||||
<script src="/js/workplace-management/api.js?v=1"></script>
|
||||
|
||||
@@ -329,7 +329,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script>
|
||||
// axios 설정
|
||||
|
||||
@@ -223,7 +223,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script>
|
||||
(function() {
|
||||
|
||||
@@ -71,7 +71,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script>
|
||||
// axios 기본 설정
|
||||
|
||||
@@ -475,7 +475,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script>
|
||||
// axios 기본 설정
|
||||
|
||||
@@ -266,7 +266,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script>
|
||||
// axios 설정
|
||||
|
||||
@@ -354,7 +354,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script type="module" src="/js/vacation-allocation.js" defer></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -124,7 +124,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script src="/js/vacation-common.js"></script>
|
||||
<script>
|
||||
|
||||
@@ -124,7 +124,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script src="/js/vacation-common.js"></script>
|
||||
<script>
|
||||
|
||||
@@ -206,7 +206,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script src="/js/vacation-common.js"></script>
|
||||
<script>
|
||||
|
||||
@@ -118,7 +118,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script src="/js/vacation-common.js"></script>
|
||||
<script>
|
||||
|
||||
@@ -277,7 +277,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
|
||||
<script>
|
||||
(function() {
|
||||
|
||||
@@ -324,7 +324,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script type="module" src="/js/modern-dashboard.js?v=10"></script>
|
||||
<script type="module" src="/js/group-leader-dashboard.js?v=1"></script>
|
||||
<script src="/js/workplace-status.js?v=3"></script>
|
||||
|
||||
@@ -210,7 +210,7 @@
|
||||
})();
|
||||
</script>
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/daily-patrol.js?v=6"></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -305,7 +305,7 @@
|
||||
})();
|
||||
</script>
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/zone-detail.js?v=6"></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -321,7 +321,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script type="module" src="/js/my-profile.js"></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -391,7 +391,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script type="module" src="/js/change-password.js"></script>
|
||||
<script>initAuth();</script>
|
||||
</body>
|
||||
|
||||
@@ -278,7 +278,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script type="module" src="/js/work-analysis.js?v=5"></script>
|
||||
|
||||
<script>
|
||||
|
||||
@@ -190,7 +190,7 @@
|
||||
|
||||
<!-- 공통 모듈 -->
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/common/utils.js?v=1"></script>
|
||||
<script src="/js/common/base-state.js?v=1"></script>
|
||||
|
||||
|
||||
@@ -150,7 +150,7 @@
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/common/utils.js?v=1"></script>
|
||||
<script src="/js/common/base-state.js?v=1"></script>
|
||||
<script src="/js/daily-work-report/state.js?v=2"></script>
|
||||
|
||||
@@ -844,7 +844,7 @@
|
||||
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<!-- 공통 모듈 -->
|
||||
<script src="/js/common/utils.js?v=2"></script>
|
||||
<script src="/js/common/base-state.js?v=2"></script>
|
||||
|
||||
@@ -297,7 +297,7 @@
|
||||
|
||||
<!-- 공통 모듈 -->
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/common/utils.js?v=2"></script>
|
||||
<script src="/js/common/base-state.js?v=2"></script>
|
||||
|
||||
|
||||
@@ -561,7 +561,7 @@
|
||||
<div class="toast-container" id="toastContainer"></div>
|
||||
|
||||
<script src="/static/js/tkfb-core.js?v=20260313"></script>
|
||||
<script src="/js/api-base.js?v=3"></script>
|
||||
<script src="/js/api-base.js?v=20260313"></script>
|
||||
<script src="/js/common/utils.js?v=2"></script>
|
||||
<script src="/js/common/base-state.js?v=2"></script>
|
||||
<script src="/js/tbm/state.js?v=3"></script>
|
||||
|
||||
@@ -77,7 +77,7 @@ app.use((err, req, res, next) => {
|
||||
logger.error('API Error:', { error: err.message, path: req.path });
|
||||
res.status(statusCode).json({
|
||||
success: false,
|
||||
error: err.message || 'Internal Server Error'
|
||||
error: '서버 오류가 발생했습니다'
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -38,11 +38,11 @@ if ('serviceWorker' in navigator) {
|
||||
* SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
|
||||
*/
|
||||
window.getSSOToken = function() {
|
||||
return cookieGet('sso_token') || localStorage.getItem('sso_token');
|
||||
return cookieGet('sso_token');
|
||||
};
|
||||
|
||||
window.getSSOUser = function() {
|
||||
var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
|
||||
var raw = cookieGet('sso_user');
|
||||
try { return raw ? JSON.parse(raw) : null; } catch(e) { return null; }
|
||||
};
|
||||
|
||||
|
||||
@@ -232,11 +232,15 @@ function renderPhotos(d) {
|
||||
gallery.innerHTML = photos.map(photo => {
|
||||
const fullUrl = photo.startsWith('http') ? photo : `${baseUrl}${photo}`;
|
||||
return `
|
||||
<div class="photo-item" onclick="openPhotoModal('${fullUrl}')">
|
||||
<img src="${fullUrl}" alt="첨부 사진">
|
||||
<div class="photo-item" data-url="${escapeHtml(fullUrl)}">
|
||||
<img src="${escapeHtml(fullUrl)}" alt="첨부 사진">
|
||||
</div>
|
||||
`;
|
||||
}).join('');
|
||||
|
||||
gallery.querySelectorAll('.photo-item[data-url]').forEach(el => {
|
||||
el.addEventListener('click', () => openPhotoModal(el.dataset.url));
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -5,6 +5,10 @@ server {
|
||||
root /usr/share/nginx/html;
|
||||
index pages/safety/issue-report.html;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
# 사진 업로드를 위한 body 크기 제한 (base64 인코딩 시 원본 대비 ~33% 증가)
|
||||
client_max_body_size 50m;
|
||||
|
||||
|
||||
@@ -472,6 +472,6 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script src="/js/issue-detail.js?v=1"></script>
|
||||
<script src="/js/issue-detail.js?v=20260313"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -73,9 +73,11 @@ async def health_check():
|
||||
# 전역 예외 처리
|
||||
@app.exception_handler(Exception)
|
||||
async def global_exception_handler(request: Request, exc: Exception):
|
||||
import traceback
|
||||
traceback.print_exc()
|
||||
return JSONResponse(
|
||||
status_code=500,
|
||||
content={"detail": f"Internal server error: {str(exc)}"}
|
||||
content={"detail": "서버 오류가 발생했습니다"}
|
||||
)
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
@@ -129,7 +129,9 @@ def delete_file(filepath: str):
|
||||
try:
|
||||
if filepath and filepath.startswith("/uploads/"):
|
||||
filename = filepath.replace("/uploads/", "")
|
||||
full_path = os.path.join(UPLOAD_DIR, filename)
|
||||
full_path = os.path.normpath(os.path.join(UPLOAD_DIR, filename))
|
||||
if not full_path.startswith(os.path.normpath(UPLOAD_DIR)):
|
||||
raise ValueError("잘못된 파일 경로")
|
||||
if os.path.exists(full_path):
|
||||
os.remove(full_path)
|
||||
except Exception as e:
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
<link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260306">
|
||||
<link rel="stylesheet" href="/static/css/ai-assistant.css?v=20260307">
|
||||
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
|
||||
<script src="/static/js/lib/purify.min.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<!-- 로딩 스크린 -->
|
||||
@@ -273,13 +274,13 @@
|
||||
|
||||
<!-- 스크립트 -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
<script src="/static/js/utils/issue-helpers.js?v=20260308"></script>
|
||||
<script src="/static/js/utils/toast.js?v=20260308"></script>
|
||||
<script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/ai-assistant.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/ai-assistant.js?v=20260313"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -108,7 +108,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -198,7 +198,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -551,7 +551,7 @@
|
||||
|
||||
<!-- 스크립트 -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -370,7 +370,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
<link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260213">
|
||||
<link rel="stylesheet" href="/static/css/issues-management.css?v=20260213">
|
||||
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
|
||||
<script src="/static/js/lib/purify.min.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<!-- 공통 헤더가 여기에 자동으로 삽입됩니다 -->
|
||||
@@ -339,7 +340,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
@@ -347,6 +348,6 @@
|
||||
<script src="/static/js/utils/photo-modal.js?v=20260308"></script>
|
||||
<script src="/static/js/utils/toast.js?v=20260308"></script>
|
||||
<script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/issues-management.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/issues-management.js?v=20260313"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -4,6 +4,10 @@ server {
|
||||
|
||||
client_max_body_size 10M;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index issues-dashboard.html;
|
||||
|
||||
|
||||
@@ -183,7 +183,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -70,7 +70,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -69,7 +69,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -171,7 +171,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -641,7 +641,8 @@ class CommonHeader {
|
||||
}`;
|
||||
|
||||
const icon = type === 'success' ? 'fa-check-circle' : 'fa-exclamation-circle';
|
||||
toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${message}`;
|
||||
const _esc = s => { const d = document.createElement('div'); d.textContent = s; return d.innerHTML; };
|
||||
toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${_esc(message)}`;
|
||||
|
||||
document.body.appendChild(toast);
|
||||
|
||||
|
||||
@@ -72,14 +72,14 @@ class AuthManager {
|
||||
* SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
|
||||
*/
|
||||
_getToken() {
|
||||
return this._cookieGet('sso_token') || localStorage.getItem('sso_token');
|
||||
return this._cookieGet('sso_token');
|
||||
}
|
||||
|
||||
/**
|
||||
* SSO 사용자 정보 가져오기 (쿠키 우선, localStorage 폴백)
|
||||
*/
|
||||
_getUser() {
|
||||
const ssoUser = this._cookieGet('sso_user') || localStorage.getItem('sso_user');
|
||||
const ssoUser = this._cookieGet('sso_user');
|
||||
if (ssoUser && ssoUser !== 'undefined' && ssoUser !== 'null') {
|
||||
try { return JSON.parse(ssoUser); } catch(e) {}
|
||||
}
|
||||
|
||||
3
system3-nonconformance/web/static/js/lib/purify.min.js
vendored
Normal file
3
system3-nonconformance/web/static/js/lib/purify.min.js
vendored
Normal file
File diff suppressed because one or more lines are too long
@@ -196,7 +196,7 @@ function appendChatMessage(role, content, sources) {
|
||||
const contentDiv = document.createElement('div');
|
||||
if (role === 'ai' && typeof marked !== 'undefined') {
|
||||
contentDiv.className = 'text-sm prose prose-sm max-w-none';
|
||||
contentDiv.innerHTML = marked.parse(content);
|
||||
contentDiv.innerHTML = DOMPurify.sanitize(marked.parse(content));
|
||||
} else {
|
||||
contentDiv.className = 'text-sm whitespace-pre-line';
|
||||
contentDiv.textContent = content;
|
||||
|
||||
@@ -990,7 +990,7 @@ async function aiSuggestSolution() {
|
||||
const raw = data.suggestion || '';
|
||||
content.dataset.raw = raw;
|
||||
if (typeof marked !== 'undefined') {
|
||||
content.innerHTML = marked.parse(raw);
|
||||
content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
|
||||
} else {
|
||||
content.textContent = raw;
|
||||
}
|
||||
@@ -1030,7 +1030,7 @@ async function aiSuggestSolutionInline(issueId) {
|
||||
const raw = data.suggestion || '';
|
||||
content.dataset.raw = raw;
|
||||
if (typeof marked !== 'undefined') {
|
||||
content.innerHTML = marked.parse(raw);
|
||||
content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
|
||||
} else {
|
||||
content.textContent = raw;
|
||||
}
|
||||
|
||||
@@ -56,7 +56,7 @@ app.use((err, req, res, next) => {
|
||||
console.error('tkpurchase-api Error:', err.message);
|
||||
res.status(err.status || 500).json({
|
||||
success: false,
|
||||
error: err.message || 'Internal Server Error'
|
||||
error: '서버 오류가 발생했습니다'
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -25,9 +25,6 @@ function extractToken(req) {
|
||||
if (authHeader && authHeader.startsWith('Bearer ')) {
|
||||
return authHeader.split(' ')[1];
|
||||
}
|
||||
if (req.cookies && req.cookies.sso_token) {
|
||||
return req.cookies.sso_token;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
@@ -3,6 +3,10 @@ server {
|
||||
server_name _;
|
||||
charset utf-8;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
|
||||
@@ -70,7 +70,7 @@ app.use((err, req, res, next) => {
|
||||
console.error('tksafety-api Error:', err.message);
|
||||
res.status(err.status || 500).json({
|
||||
success: false,
|
||||
error: err.message || 'Internal Server Error'
|
||||
error: '서버 오류가 발생했습니다'
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -25,9 +25,6 @@ function extractToken(req) {
|
||||
if (authHeader && authHeader.startsWith('Bearer ')) {
|
||||
return authHeader.split(' ')[1];
|
||||
}
|
||||
if (req.cookies && req.cookies.sso_token) {
|
||||
return req.cookies.sso_token;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
@@ -2,6 +2,11 @@ server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
charset utf-8;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
|
||||
@@ -246,6 +246,12 @@ const vacationController = {
|
||||
async getUserBalance(req, res) {
|
||||
try {
|
||||
const { userId } = req.params;
|
||||
const requestedId = parseInt(userId);
|
||||
const currentUserId = req.user.user_id || req.user.id;
|
||||
const role = (req.user.role || '').toLowerCase();
|
||||
if (requestedId !== currentUserId && !['admin', 'system'].includes(role)) {
|
||||
return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
|
||||
}
|
||||
const year = parseInt(req.query.year) || new Date().getFullYear();
|
||||
const balances = await vacationBalanceModel.getByUserAndYear(userId, year);
|
||||
const hireDate = await vacationBalanceModel.getUserHireDate(userId);
|
||||
|
||||
@@ -46,7 +46,7 @@ app.use((err, req, res, next) => {
|
||||
console.error('tksupport-api Error:', err.message);
|
||||
res.status(err.status || 500).json({
|
||||
success: false,
|
||||
error: err.message || 'Internal Server Error'
|
||||
error: '서버 오류가 발생했습니다'
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -25,9 +25,6 @@ function extractToken(req) {
|
||||
if (authHeader && authHeader.startsWith('Bearer ')) {
|
||||
return authHeader.split(' ')[1];
|
||||
}
|
||||
if (req.cookies && req.cookies.sso_token) {
|
||||
return req.cookies.sso_token;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
@@ -120,7 +120,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tksupport-core.js?v=2"></script>
|
||||
<script src="/static/js/tksupport-core.js?v=20260313"></script>
|
||||
<script>
|
||||
let vacationTypes = [];
|
||||
|
||||
|
||||
@@ -2,6 +2,11 @@ server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
charset utf-8;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ const API_BASE = '/api';
|
||||
/* ===== Token ===== */
|
||||
function _cookieGet(n) { const m = document.cookie.match(new RegExp('(?:^|; )' + n + '=([^;]*)')); return m ? decodeURIComponent(m[1]) : null; }
|
||||
function _cookieRemove(n) { let c = n + '=; path=/; max-age=0'; if (location.hostname.includes('technicalkorea.net')) c += '; domain=.technicalkorea.net; secure; samesite=lax'; document.cookie = c; }
|
||||
function getToken() { return _cookieGet('sso_token') || localStorage.getItem('sso_token'); }
|
||||
function getToken() { return _cookieGet('sso_token'); }
|
||||
function getLoginUrl() {
|
||||
const h = location.hostname;
|
||||
const t = Date.now();
|
||||
@@ -116,7 +116,6 @@ function initAuth() {
|
||||
const decoded = decodeToken(token);
|
||||
if (!decoded) { _safeRedirect(); return false; }
|
||||
sessionStorage.removeItem(_REDIRECT_KEY);
|
||||
if (!localStorage.getItem('sso_token')) localStorage.setItem('sso_token', token);
|
||||
currentUser = {
|
||||
id: decoded.user_id || decoded.id,
|
||||
username: decoded.username || decoded.sub,
|
||||
|
||||
@@ -192,7 +192,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tksupport-core.js?v=2"></script>
|
||||
<script src="/static/js/tksupport-core.js?v=20260313"></script>
|
||||
<script>
|
||||
let reviewAction = '';
|
||||
let reviewRequestId = null;
|
||||
|
||||
@@ -81,7 +81,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tksupport-core.js?v=2"></script>
|
||||
<script src="/static/js/tksupport-core.js?v=20260313"></script>
|
||||
<script>
|
||||
async function initRequestPage() {
|
||||
if (!initAuth()) return;
|
||||
|
||||
@@ -90,7 +90,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script src="/static/js/tksupport-core.js?v=2"></script>
|
||||
<script src="/static/js/tksupport-core.js?v=20260313"></script>
|
||||
<script>
|
||||
async function initStatusPage() {
|
||||
if (!initAuth()) return;
|
||||
|
||||
@@ -15,9 +15,6 @@ function extractToken(req) {
|
||||
if (authHeader && authHeader.startsWith('Bearer ')) {
|
||||
return authHeader.split(' ')[1];
|
||||
}
|
||||
if (req.cookies && req.cookies.sso_token) {
|
||||
return req.cookies.sso_token;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
@@ -3,6 +3,10 @@ server {
|
||||
server_name _;
|
||||
charset utf-8;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user