hyungi/tk-factory-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Browse Source 
Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-03-13 19:50:00 +09:00
parent 86312c1af7
commit 12367dd3a1
81 changed files with 142 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
system3-nonconformance/web/issues-management.html
View File

@@ -20,6 +20,7 @@
<link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260213">
<link rel="stylesheet" href="/static/css/issues-management.css?v=20260213">
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="/static/js/lib/purify.min.js"></script>
</head>
<body>
<!-- 공통 헤더가 여기에 자동으로 삽입됩니다 -->
@@ -339,7 +340,7 @@
<!-- Scripts -->
<script src="/static/js/date-utils.js?v=20260308"></script>
<script src="/static/js/core/permissions.js?v=20260308"></script>
<script src="/static/js/components/common-header.js?v=20260308"></script>
<script src="/static/js/components/common-header.js?v=20260313"></script>
<script src="/static/js/core/page-manager.js?v=20260308"></script>
<script src="/static/js/api.js?v=20260308"></script>
<script src="/static/js/core/auth-manager.js?v=20260313"></script>
@@ -347,6 +348,6 @@
<script src="/static/js/utils/photo-modal.js?v=20260308"></script>
<script src="/static/js/utils/toast.js?v=20260308"></script>
<script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
<script src="/static/js/pages/issues-management.js?v=20260308"></script>
<script src="/static/js/pages/issues-management.js?v=20260313"></script>
</body>
</html>