fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00
parent 86312c1af7
commit 12367dd3a1
81 changed files with 142 additions and 100 deletions
--- a/gateway/html/dashboard.html
+++ b/gateway/html/dashboard.html
@@ -773,10 +773,6 @@
                ssoCookie.set('sso_user', JSON.stringify(data.user), 7);
                if (data.refresh_token) ssoCookie.set('sso_refresh_token', data.refresh_token, 30);

-                localStorage.setItem('sso_token', data.access_token);
-                localStorage.setItem('sso_user', JSON.stringify(data.user));
-                if (data.refresh_token) localStorage.setItem('sso_refresh_token', data.refresh_token);
-
                var redirect = new URLSearchParams(location.search).get('redirect');
                if (redirect && isSafeRedirect(redirect)) {
                    window.location.href = redirect;
--- a/gateway/html/shared/nav-header.js
+++ b/gateway/html/shared/nav-header.js
@@ -31,11 +31,11 @@
   */
  window.SSOAuth = {
    getToken: function() {
-      return cookieGet('sso_token') || localStorage.getItem('sso_token');
+      return cookieGet('sso_token');
    },

    getUser: function() {
-      var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
+      var raw = cookieGet('sso_user');
      try { return JSON.parse(raw); } catch(e) { return null; }
    },

--- a/gateway/nginx.conf
+++ b/gateway/nginx.conf
@@ -4,6 +4,10 @@ server {

    root /usr/share/nginx/html;

+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    # 대시보드 (로그인 포함)
    location = /dashboard {
        add_header Cache-Control "no-store, no-cache, must-revalidate";