fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00
parent 86312c1af7
commit 12367dd3a1
81 changed files with 142 additions and 100 deletions
--- a/tksupport/api/controllers/vacationController.js
+++ b/tksupport/api/controllers/vacationController.js
@@ -246,6 +246,12 @@ const vacationController = {
  async getUserBalance(req, res) {
    try {
      const { userId } = req.params;
+      const requestedId = parseInt(userId);
+      const currentUserId = req.user.user_id || req.user.id;
+      const role = (req.user.role || '').toLowerCase();
+      if (requestedId !== currentUserId && !['admin', 'system'].includes(role)) {
+        return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+      }
      const year = parseInt(req.query.year) || new Date().getFullYear();
      const balances = await vacationBalanceModel.getByUserAndYear(userId, year);
      const hireDate = await vacationBalanceModel.getUserHireDate(userId);
--- a/tksupport/api/index.js
+++ b/tksupport/api/index.js
@@ -46,7 +46,7 @@ app.use((err, req, res, next) => {
  console.error('tksupport-api Error:', err.message);
  res.status(err.status || 500).json({
    success: false,
-    error: err.message || 'Internal Server Error'
+    error: '서버 오류가 발생했습니다'
  });
 });

--- a/tksupport/api/middleware/auth.js
+++ b/tksupport/api/middleware/auth.js
@@ -25,9 +25,6 @@ function extractToken(req) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
-  if (req.cookies && req.cookies.sso_token) {
-    return req.cookies.sso_token;
-  }
  return null;
 }

--- a/tksupport/web/index.html
+++ b/tksupport/web/index.html
@@ -120,7 +120,7 @@
        </div>
    </div>

-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    let vacationTypes = [];

--- a/tksupport/web/nginx.conf
+++ b/tksupport/web/nginx.conf
@@ -2,6 +2,11 @@ server {
    listen 80;
    server_name _;
    charset utf-8;
+
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    root /usr/share/nginx/html;
    index index.html;

--- a/tksupport/web/static/js/tksupport-core.js
+++ b/tksupport/web/static/js/tksupport-core.js
@@ -12,7 +12,7 @@ const API_BASE = '/api';
 /* ===== Token ===== */
 function _cookieGet(n) { const m = document.cookie.match(new RegExp('(?:^|; )' + n + '=([^;]*)')); return m ? decodeURIComponent(m[1]) : null; }
 function _cookieRemove(n) { let c = n + '=; path=/; max-age=0'; if (location.hostname.includes('technicalkorea.net')) c += '; domain=.technicalkorea.net; secure; samesite=lax'; document.cookie = c; }
-function getToken() { return _cookieGet('sso_token') || localStorage.getItem('sso_token'); }
+function getToken() { return _cookieGet('sso_token'); }
 function getLoginUrl() {
    const h = location.hostname;
    const t = Date.now();
@@ -116,7 +116,6 @@ function initAuth() {
    const decoded = decodeToken(token);
    if (!decoded) { _safeRedirect(); return false; }
    sessionStorage.removeItem(_REDIRECT_KEY);
-    if (!localStorage.getItem('sso_token')) localStorage.setItem('sso_token', token);
    currentUser = {
        id: decoded.user_id || decoded.id,
        username: decoded.username || decoded.sub,
--- a/tksupport/web/vacation-approval.html
+++ b/tksupport/web/vacation-approval.html
@@ -192,7 +192,7 @@
        </div>
    </div>

-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    let reviewAction = '';
    let reviewRequestId = null;
--- a/tksupport/web/vacation-request.html
+++ b/tksupport/web/vacation-request.html
@@ -81,7 +81,7 @@
        </div>
    </div>

-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    async function initRequestPage() {
        if (!initAuth()) return;
--- a/tksupport/web/vacation-status.html
+++ b/tksupport/web/vacation-status.html
@@ -90,7 +90,7 @@
        </div>
    </div>

-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    async function initStatusPage() {
        if (!initAuth()) return;