fix(security): CRITICAL 보안 이슈 13건 일괄 수정

- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳) - SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩 - SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지) - SEC-39: Python Dockerfile 4개 non-root user + chown - SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함) - SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized - QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑 - SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by - SEC-33: files.py 17개 미인증 엔드포인트 인증 추가 - SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자) - SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함 - SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리 - SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가 - SEC-63: proxyInputController 에러 메시지 노출 제거 - QA-103: pageAccessRoutes error→message 통일 - SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation - QA-99: tbm-mobile/create 캐시 버스팅 갱신 - QA-100,101: ESC 키 리스너 cleanup 추가 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 10:48:58 +09:00
parent 766cb90e8f
commit f09c86ee01
24 changed files with 215 additions and 305 deletions
--- a/tkeg/api/app/routers/material_comparison.py
+++ b/tkeg/api/app/routers/material_comparison.py
@@ -15,6 +15,7 @@ from typing import List, Optional, Dict
 from datetime import datetime

 from ..database import get_db
+from ..auth.middleware import get_current_user

 logger = logging.getLogger(__name__)

@@ -26,7 +27,8 @@ async def compare_material_revisions(
    current_revision: str,
    previous_revision: Optional[str] = None,
    save_result: bool = True,
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: dict = Depends(get_current_user)
 ):
    """
    리비전간 자재 비교 및 추가 발주 필요량 계산
@@ -82,7 +84,8 @@ async def compare_material_revisions(
 async def get_comparison_history(
    job_no: str = Query(..., description="Job 번호"),
    limit: int = Query(10, ge=1, le=50),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: dict = Depends(get_current_user)
 ):
    """
    자재 비교 이력 조회
@@ -127,7 +130,8 @@ async def get_comparison_history(
 async def get_material_inventory_status(
    job_no: str = Query(..., description="Job 번호"),
    material_hash: Optional[str] = Query(None, description="특정 자재 해시"),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: dict = Depends(get_current_user)
 ):
    """
    자재별 누적 재고 현황 조회
@@ -148,8 +152,8 @@ async def confirm_material_purchase(
    job_no: str,
    revision: str,
    confirmations: List[Dict],
-    confirmed_by: str = "system",
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: dict = Depends(get_current_user)
 ):
    """
    자재 발주 확정 처리
@@ -162,6 +166,7 @@ async def confirm_material_purchase(
        }
    ]
    """
+    confirmed_by = current_user.get('username', current_user.get('name', 'unknown'))
    try:
        # 입력 데이터 검증
        if not job_no or not revision:
@@ -265,7 +270,8 @@ async def get_purchase_status(
    job_no: str = Query(..., description="Job 번호"),
    revision: Optional[str] = Query(None, description="리비전 (전체 조회시 생략)"),
    status: Optional[str] = Query(None, description="발주 상태 필터"),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: dict = Depends(get_current_user)
 ):
    """
    발주 상태 조회