fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00
parent 86312c1af7
commit 12367dd3a1
81 changed files with 142 additions and 100 deletions
--- a/system3-nonconformance/api/main.py
+++ b/system3-nonconformance/api/main.py
@@ -73,9 +73,11 @@ async def health_check():
 # 전역 예외 처리
@app.exception_handler(Exception)
 async def global_exception_handler(request: Request, exc: Exception):
+    import traceback
+    traceback.print_exc()
    return JSONResponse(
        status_code=500,
-        content={"detail": f"Internal server error: {str(exc)}"}
+        content={"detail": "서버 오류가 발생했습니다"}
    )

 if __name__ == "__main__":
--- a/system3-nonconformance/api/services/file_service.py
+++ b/system3-nonconformance/api/services/file_service.py
@@ -129,7 +129,9 @@ def delete_file(filepath: str):
    try:
        if filepath and filepath.startswith("/uploads/"):
            filename = filepath.replace("/uploads/", "")
-            full_path = os.path.join(UPLOAD_DIR, filename)
+            full_path = os.path.normpath(os.path.join(UPLOAD_DIR, filename))
+            if not full_path.startswith(os.path.normpath(UPLOAD_DIR)):
+                raise ValueError("잘못된 파일 경로")
            if os.path.exists(full_path):
                os.remove(full_path)
    except Exception as e: