fix(security): CRITICAL 보안 이슈 13건 일괄 수정

- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳)
- SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩
- SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지)
- SEC-39: Python Dockerfile 4개 non-root user + chown
- SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함)
- SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized
- QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑
- SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by
- SEC-33: files.py 17개 미인증 엔드포인트 인증 추가
- SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자)
- SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함
- SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리
- SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가
- SEC-63: proxyInputController 에러 메시지 노출 제거
- QA-103: pageAccessRoutes error→message 통일
- SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation
- QA-99: tbm-mobile/create 캐시 버스팅 갱신
- QA-100,101: ESC 키 리스너 cleanup 추가

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-04-01 10:48:58 +09:00
parent 766cb90e8f
commit f09c86ee01
24 changed files with 215 additions and 305 deletions


@@ -128,6 +128,8 @@ const vacationController = {
},
async cancelRequest(req, res) {
const db = getPool();
const conn = await db.getConnection();
try {
const { id } = req.params;
const results = await vacationRequestModel.getById(id);
@@ -145,11 +147,13 @@ const vacationController = {
return res.status(400).json({ success: false, error: '이미 취소된 신청입니다' });
}
await conn.beginTransaction();
// 승인된 건 취소 시 잔여일 복구
if (existing.status === 'approved') {
const year = new Date(existing.start_date).getFullYear();
await vacationBalanceModel.restoreDays(
existing.user_id, existing.vacation_type_id, year, parseFloat(existing.days_used)
existing.user_id, existing.vacation_type_id, year, parseFloat(existing.days_used), conn
);
}
@@ -157,11 +161,16 @@ const vacationController = {
status: 'cancelled',
reviewed_by: userId,
review_note: '취소됨'
});
}, conn);
await conn.commit();
res.json({ success: true, message: '휴가 신청이 취소되었습니다' });
} catch (error) {
await conn.rollback();
console.error('휴가 취소 오류:', error);
res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
} finally {
conn.release();
}
},
@@ -178,6 +187,8 @@ const vacationController = {
},
async approveRequest(req, res) {
const db = getPool();
const conn = await db.getConnection();
try {
const { id } = req.params;
const { review_note } = req.body;
@@ -192,18 +203,22 @@ const vacationController = {
}
const request = results[0];
// 잔여일 차감
const year = new Date(request.start_date).getFullYear();
await vacationBalanceModel.deductDays(
request.user_id, request.vacation_type_id, year, parseFloat(request.days_used)
);
await vacationRequestModel.updateStatus(id, { status: 'approved', reviewed_by, review_note });
await conn.beginTransaction();
await vacationBalanceModel.deductDays(
request.user_id, request.vacation_type_id, year, parseFloat(request.days_used), conn
);
await vacationRequestModel.updateStatus(id, { status: 'approved', reviewed_by, review_note }, conn);
await conn.commit();
res.json({ success: true, message: '휴가 신청이 승인되었습니다' });
} catch (error) {
await conn.rollback();
console.error('휴가 승인 오류:', error);
res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
} finally {
conn.release();
}
},
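Review bot: The status check that gates the state change still runs outside the transaction — in cancelRequest `results` comes from `vacationRequestModel.getById(id)` before `await conn.beginTransaction();` and the '이미 취소된 신청입니다' check sits between them, and in approveRequest `const request = results[0];` is consumed before the `beginTransaction()` that follows it — and nothing locks the request row, so two concurrent approve/cancel calls for the same id can both pass the check and both deduct or restore days before either commits. Opening the transaction first and reading the row through `conn` with `SELECT ... FOR UPDATE` (which means extending `getById` to accept `conn`, as `create` now does), or making `updateStatus` conditional on the expected previous status and checking `affectedRows`, closes that window. The new catch also calls `await conn.rollback()` unconditionally: before `beginTransaction()` it is a harmless no-op, but if `rollback()` itself rejects the `res.status(500)` response is never sent, so `try { await conn.rollback(); } catch (rbErr) { console.error('롤백 실패:', rbErr); }` is the safer shape. Both methods are cut by the hunk boundaries, so the lines between the read and the status check are not visible here.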


@@ -92,14 +92,15 @@ const vacationBalanceModel = {
// 2단계: 남은 차감분을 우선순위 순서로 (이미 차감한 행 제외)
if (remaining > 0) {
const deductedIds = exactMatch.map(b => b.id);
const excludeClause = deductedIds.length > 0 ? `AND id NOT IN (${deductedIds.join(',')})` : '';
const excludeClause = deductedIds.length > 0 ? `AND id NOT IN (${Array(deductedIds.length).fill('?').join(',')})` : '';
const queryParams = [userId, year, ...deductedIds];
const [balances] = await c.query(`
SELECT id, total_days, used_days, (total_days - used_days) AS remaining_days, balance_type
FROM sp_vacation_balances
WHERE user_id = ? AND year = ? AND (total_days - used_days) > 0 ${excludeClause}
ORDER BY FIELD(balance_type, 'CARRY_OVER', 'AUTO', 'MANUAL', 'LONG_SERVICE', 'COMPANY_GRANT')
FOR UPDATE
`, [userId, year]);
`, queryParams);
for (const b of balances) {
if (remaining <= 0) break;
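Review bot: `FOR UPDATE` on this SELECT only protects the read-modify-write that follows while `c` is the transaction connection the controller now passes in; if `c` can still fall back to the pool (autocommit), the row locks are released as soon as the statement returns and the balance rows can be deducted twice by concurrent callers. The hunk does not show how `c` is chosen, so if a pool fallback exists the function should require `conn` or at least state the contract, e.g. `// c must be a connection with an open transaction; under autocommit FOR UPDATE gives no protection`. The parameterized IN list is the right fix for the former `join(',')` interpolation; building it as `deductedIds.map(() => '?').join(',')` would match the `columns.map(() => '?')` shape used in the new `create()`, and a short comment that `queryParams` appends the ids in the same order as the placeholders would help the next reader. `deductDays` starts outside the hunk.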


@@ -1,9 +1,22 @@
const { getPool } = require('../middleware/auth');
const ALLOWED_CREATE_COLUMNS = ['user_id', 'vacation_type_id', 'start_date', 'end_date', 'days_used', 'reason', 'status', 'reviewed_by', 'review_note'];
const ALLOWED_UPDATE_COLUMNS = ['vacation_type_id', 'start_date', 'end_date', 'days_used', 'reason'];
const vacationRequestModel = {
async create(data, conn) {
const db = conn || getPool();
const [result] = await db.query('INSERT INTO sp_vacation_requests SET ?', data);
const filtered = {};
for (const key of ALLOWED_CREATE_COLUMNS) {
if (data[key] !== undefined) filtered[key] = data[key];
}
const columns = Object.keys(filtered);
const placeholders = columns.map(() => '?').join(', ');
const values = columns.map(c => filtered[c]);
const [result] = await db.query(
`INSERT INTO sp_vacation_requests (${columns.join(', ')}) VALUES (${placeholders})`,
values
);
return result;
},
@@ -81,7 +94,15 @@ const vacationRequestModel = {
async update(requestId, data) {
const db = getPool();
const [result] = await db.query('UPDATE sp_vacation_requests SET ? WHERE request_id = ?', [data, requestId]);
const filtered = {};
for (const key of ALLOWED_UPDATE_COLUMNS) {
if (data[key] !== undefined) filtered[key] = data[key];
}
const columns = Object.keys(filtered);
if (columns.length === 0) return { affectedRows: 0 };
const setClause = columns.map(c => `${c} = ?`).join(', ');
const values = [...columns.map(c => filtered[c]), requestId];
const [result] = await db.query(`UPDATE sp_vacation_requests SET ${setClause} WHERE request_id = ?`, values);
return result;
},
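Review bot: `create()` has no guard for an empty whitelist result, unlike the new `update()`: when `data` carries none of the `ALLOWED_CREATE_COLUMNS`, `columns` is empty and the generated statement is `INSERT INTO sp_vacation_requests () VALUES ()`, which MySQL accepts and turns into an all-defaults row. Mirroring the other method with `if (columns.length === 0) throw new Error('No insertable columns in data');` before `placeholders` is built keeps a malformed request body from silently creating a blank row. The interpolated identifiers are safe only because they come from the constants and never from `data`, so a comment above each query such as `// Column names come only from ALLOWED_*_COLUMNS, never from the caller, so interpolating them is safe` would keep a future edit from adding a caller-supplied key. Note also that `update()` still takes no `conn` argument while `create()` does, so it cannot participate in a caller's transaction.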