fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정
Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
@@ -73,9 +73,11 @@ async def health_check():
|
||||
# 전역 예외 처리
|
||||
@app.exception_handler(Exception)
|
||||
async def global_exception_handler(request: Request, exc: Exception):
|
||||
import traceback
|
||||
traceback.print_exc()
|
||||
return JSONResponse(
|
||||
status_code=500,
|
||||
content={"detail": f"Internal server error: {str(exc)}"}
|
||||
content={"detail": "서버 오류가 발생했습니다"}
|
||||
)
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
@@ -129,7 +129,9 @@ def delete_file(filepath: str):
|
||||
try:
|
||||
if filepath and filepath.startswith("/uploads/"):
|
||||
filename = filepath.replace("/uploads/", "")
|
||||
full_path = os.path.join(UPLOAD_DIR, filename)
|
||||
full_path = os.path.normpath(os.path.join(UPLOAD_DIR, filename))
|
||||
if not full_path.startswith(os.path.normpath(UPLOAD_DIR)):
|
||||
raise ValueError("잘못된 파일 경로")
|
||||
if os.path.exists(full_path):
|
||||
os.remove(full_path)
|
||||
except Exception as e:
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
<link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260306">
|
||||
<link rel="stylesheet" href="/static/css/ai-assistant.css?v=20260307">
|
||||
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
|
||||
<script src="/static/js/lib/purify.min.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<!-- 로딩 스크린 -->
|
||||
@@ -273,13 +274,13 @@
|
||||
|
||||
<!-- 스크립트 -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
<script src="/static/js/utils/issue-helpers.js?v=20260308"></script>
|
||||
<script src="/static/js/utils/toast.js?v=20260308"></script>
|
||||
<script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/ai-assistant.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/ai-assistant.js?v=20260313"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -108,7 +108,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -198,7 +198,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -551,7 +551,7 @@
|
||||
|
||||
<!-- 스크립트 -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -370,7 +370,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
<link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260213">
|
||||
<link rel="stylesheet" href="/static/css/issues-management.css?v=20260213">
|
||||
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
|
||||
<script src="/static/js/lib/purify.min.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<!-- 공통 헤더가 여기에 자동으로 삽입됩니다 -->
|
||||
@@ -339,7 +340,7 @@
|
||||
<!-- Scripts -->
|
||||
<script src="/static/js/date-utils.js?v=20260308"></script>
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/core/page-manager.js?v=20260308"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
@@ -347,6 +348,6 @@
|
||||
<script src="/static/js/utils/photo-modal.js?v=20260308"></script>
|
||||
<script src="/static/js/utils/toast.js?v=20260308"></script>
|
||||
<script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/issues-management.js?v=20260308"></script>
|
||||
<script src="/static/js/pages/issues-management.js?v=20260313"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -4,6 +4,10 @@ server {
|
||||
|
||||
client_max_body_size 10M;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index issues-dashboard.html;
|
||||
|
||||
|
||||
@@ -183,7 +183,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -70,7 +70,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -69,7 +69,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -171,7 +171,7 @@
|
||||
|
||||
<!-- JavaScript -->
|
||||
<script src="/static/js/core/permissions.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260308"></script>
|
||||
<script src="/static/js/components/common-header.js?v=20260313"></script>
|
||||
<script src="/static/js/api.js?v=20260308"></script>
|
||||
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
|
||||
|
||||
|
||||
@@ -641,7 +641,8 @@ class CommonHeader {
|
||||
}`;
|
||||
|
||||
const icon = type === 'success' ? 'fa-check-circle' : 'fa-exclamation-circle';
|
||||
toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${message}`;
|
||||
const _esc = s => { const d = document.createElement('div'); d.textContent = s; return d.innerHTML; };
|
||||
toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${_esc(message)}`;
|
||||
|
||||
document.body.appendChild(toast);
|
||||
|
||||
|
||||
@@ -72,14 +72,14 @@ class AuthManager {
|
||||
* SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
|
||||
*/
|
||||
_getToken() {
|
||||
return this._cookieGet('sso_token') || localStorage.getItem('sso_token');
|
||||
return this._cookieGet('sso_token');
|
||||
}
|
||||
|
||||
/**
|
||||
* SSO 사용자 정보 가져오기 (쿠키 우선, localStorage 폴백)
|
||||
*/
|
||||
_getUser() {
|
||||
const ssoUser = this._cookieGet('sso_user') || localStorage.getItem('sso_user');
|
||||
const ssoUser = this._cookieGet('sso_user');
|
||||
if (ssoUser && ssoUser !== 'undefined' && ssoUser !== 'null') {
|
||||
try { return JSON.parse(ssoUser); } catch(e) {}
|
||||
}
|
||||
|
||||
3
system3-nonconformance/web/static/js/lib/purify.min.js
vendored
Normal file
3
system3-nonconformance/web/static/js/lib/purify.min.js
vendored
Normal file
File diff suppressed because one or more lines are too long
@@ -196,7 +196,7 @@ function appendChatMessage(role, content, sources) {
|
||||
const contentDiv = document.createElement('div');
|
||||
if (role === 'ai' && typeof marked !== 'undefined') {
|
||||
contentDiv.className = 'text-sm prose prose-sm max-w-none';
|
||||
contentDiv.innerHTML = marked.parse(content);
|
||||
contentDiv.innerHTML = DOMPurify.sanitize(marked.parse(content));
|
||||
} else {
|
||||
contentDiv.className = 'text-sm whitespace-pre-line';
|
||||
contentDiv.textContent = content;
|
||||
|
||||
@@ -990,7 +990,7 @@ async function aiSuggestSolution() {
|
||||
const raw = data.suggestion || '';
|
||||
content.dataset.raw = raw;
|
||||
if (typeof marked !== 'undefined') {
|
||||
content.innerHTML = marked.parse(raw);
|
||||
content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
|
||||
} else {
|
||||
content.textContent = raw;
|
||||
}
|
||||
@@ -1030,7 +1030,7 @@ async function aiSuggestSolutionInline(issueId) {
|
||||
const raw = data.suggestion || '';
|
||||
content.dataset.raw = raw;
|
||||
if (typeof marked !== 'undefined') {
|
||||
content.innerHTML = marked.parse(raw);
|
||||
content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
|
||||
} else {
|
||||
content.textContent = raw;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user