fix(security): CRITICAL 보안 이슈 13건 일괄 수정

- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳) - SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩 - SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지) - SEC-39: Python Dockerfile 4개 non-root user + chown - SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함) - SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized - QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑 - SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by - SEC-33: files.py 17개 미인증 엔드포인트 인증 추가 - SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자) - SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함 - SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리 - SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가 - SEC-63: proxyInputController 에러 메시지 노출 제거 - QA-103: pageAccessRoutes error→message 통일 - SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation - QA-99: tbm-mobile/create 캐시 버스팅 갱신 - QA-100,101: ESC 키 리스너 cleanup 추가 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 10:48:58 +09:00
parent 766cb90e8f
commit f09c86ee01
24 changed files with 215 additions and 305 deletions
--- a/system1-factory/fastapi-bridge/Dockerfile
+++ b/system1-factory/fastapi-bridge/Dockerfile
@@ -11,11 +11,15 @@ RUN apt-get update && apt-get install -y \
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt

+# non-root user 생성
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
 # 애플리케이션 코드 복사
-COPY . .
+COPY --chown=appuser:appuser . .

 # 포트 노출
 EXPOSE 8000

 # 애플리케이션 실행
+USER appuser
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
--- a/system1-factory/fastapi-bridge/config.py
+++ b/system1-factory/fastapi-bridge/config.py
@@ -8,6 +8,7 @@ class Settings:
    # 기본 설정
    FASTAPI_PORT: int = int(os.getenv("FASTAPI_PORT", "8000"))
    EXPRESS_API_URL: str = os.getenv("EXPRESS_API_URL", "http://system1-api:3005")
+    JWT_SECRET: str = os.getenv("JWT_SECRET", "")
    REDIS_URL: str = os.getenv("REDIS_URL", "redis://localhost:6379")
    NODE_ENV: str = os.getenv("NODE_ENV", "development")
    
--- a/system1-factory/fastapi-bridge/main.py
+++ b/system1-factory/fastapi-bridge/main.py
@@ -7,6 +7,7 @@ import logging
 from typing import Any, Dict

 import aiohttp
+import jwt as pyjwt
 import uvicorn
 from fastapi import FastAPI, Request, HTTPException
 from fastapi.middleware.cors import CORSMiddleware
@@ -206,22 +207,41 @@ async def analytics_dashboard():
        }
    }

+def _verify_proxy_token(request: Request) -> dict:
+    """프록시 요청의 JWT 토큰을 검증하여 사용자 정보 반환"""
+    auth_header = request.headers.get("authorization", "")
+    if not auth_header.startswith("Bearer "):
+        raise HTTPException(status_code=401, detail="Missing or invalid authorization")
+    token = auth_header.split(" ", 1)[1]
+    if not settings.JWT_SECRET:
+        logger.warning("JWT_SECRET이 설정되지 않아 토큰 검증을 건너뜁니다")
+        return {}
+    try:
+        payload = pyjwt.decode(token, settings.JWT_SECRET, algorithms=["HS256"])
+        return payload
+    except pyjwt.InvalidTokenError:
+        raise HTTPException(status_code=401, detail="Invalid token")
+
@app.api_route("/api/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "PATCH"])
 async def proxy_to_express(path: str, request: Request) -> Dict[str, Any]:
    """Express.js API로 모든 요청을 프록시 (GET 요청은 캐싱 적용)"""
-    
+
+    # JWT 검증 (defense in depth — Express 백엔드도 자체 검증함)
+    user_payload = _verify_proxy_token(request)
+    user_id = user_payload.get("user_id", user_payload.get("id", "anon"))
+
    # Express.js API URL 구성
    target_url = f"{settings.EXPRESS_API_URL}/api/{path}"
-    
+
    # 요청 데이터 준비
    headers = dict(request.headers)
    headers.pop("host", None)  # host 헤더 제거
-    
+
    params = dict(request.query_params)
-    
-    # GET 요청에 대해서만 캐싱 적용
+
+    # GET 요청에 대해서만 캐싱 적용 (user_id 포함하여 사용자 간 캐시 격리)
    if request.method == "GET":
-        cache_key = cache_manager._generate_key("api", path, **params)
+        cache_key = cache_manager._generate_key("api", path, _uid=str(user_id), **params)
        cached_result = await cache_manager.get(cache_key)
        
        if cached_result is not None:
--- a/system1-factory/fastapi-bridge/requirements.txt
+++ b/system1-factory/fastapi-bridge/requirements.txt
@@ -3,4 +3,5 @@ uvicorn[standard]==0.24.0
 aiohttp==3.9.1
 python-multipart==0.0.6
 redis==5.0.1
-python-dotenv==1.0.0
+python-dotenv==1.0.0
+PyJWT==2.8.0