fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00
parent 86312c1af7
commit 12367dd3a1
81 changed files with 142 additions and 100 deletions
--- a/system2-report/api/index.js
+++ b/system2-report/api/index.js
@@ -77,7 +77,7 @@ app.use((err, req, res, next) => {
  logger.error('API Error:', { error: err.message, path: req.path });
  res.status(statusCode).json({
    success: false,
-    error: err.message || 'Internal Server Error'
+    error: '서버 오류가 발생했습니다'
  });
 });

--- a/system2-report/web/js/api-base.js
+++ b/system2-report/web/js/api-base.js
@@ -38,11 +38,11 @@ if ('serviceWorker' in navigator) {
   * SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
   */
  window.getSSOToken = function() {
-    return cookieGet('sso_token') || localStorage.getItem('sso_token');
+    return cookieGet('sso_token');
  };

  window.getSSOUser = function() {
-    var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
+    var raw = cookieGet('sso_user');
    try { return raw ? JSON.parse(raw) : null; } catch(e) { return null; }
  };

--- a/system2-report/web/js/issue-detail.js
+++ b/system2-report/web/js/issue-detail.js
@@ -232,11 +232,15 @@ function renderPhotos(d) {
  gallery.innerHTML = photos.map(photo => {
    const fullUrl = photo.startsWith('http') ? photo : `${baseUrl}${photo}`;
    return `
-      <div class="photo-item" onclick="openPhotoModal('${fullUrl}')">
-        <img src="${fullUrl}" alt="첨부 사진">
+      <div class="photo-item" data-url="${escapeHtml(fullUrl)}">
+        <img src="${escapeHtml(fullUrl)}" alt="첨부 사진">
      </div>
    `;
  }).join('');
+
+  gallery.querySelectorAll('.photo-item[data-url]').forEach(el => {
+    el.addEventListener('click', () => openPhotoModal(el.dataset.url));
+  });
 }

 /**
--- a/system2-report/web/nginx.conf
+++ b/system2-report/web/nginx.conf
@@ -5,6 +5,10 @@ server {
    root /usr/share/nginx/html;
    index pages/safety/issue-report.html;

+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    # 사진 업로드를 위한 body 크기 제한 (base64 인코딩 시 원본 대비 ~33% 증가)
    client_max_body_size 50m;

--- a/system2-report/web/pages/safety/issue-detail.html
+++ b/system2-report/web/pages/safety/issue-detail.html
@@ -472,6 +472,6 @@
        </div>
    </div>

-    <script src="/js/issue-detail.js?v=1"></script>
+    <script src="/js/issue-detail.js?v=20260313"></script>
 </body>
 </html>