fix(security): CRITICAL 보안 이슈 13건 일괄 수정

- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳) - SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩 - SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지) - SEC-39: Python Dockerfile 4개 non-root user + chown - SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함) - SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized - QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑 - SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by - SEC-33: files.py 17개 미인증 엔드포인트 인증 추가 - SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자) - SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함 - SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리 - SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가 - SEC-63: proxyInputController 에러 메시지 노출 제거 - QA-103: pageAccessRoutes error→message 통일 - SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation - QA-99: tbm-mobile/create 캐시 버스팅 갱신 - QA-100,101: ESC 키 리스너 cleanup 추가 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 10:48:58 +09:00
parent 766cb90e8f
commit f09c86ee01
24 changed files with 215 additions and 305 deletions
--- a/tksupport/api/models/vacationRequestModel.js
+++ b/tksupport/api/models/vacationRequestModel.js
@@ -1,9 +1,22 @@
 const { getPool } = require('../middleware/auth');

+const ALLOWED_CREATE_COLUMNS = ['user_id', 'vacation_type_id', 'start_date', 'end_date', 'days_used', 'reason', 'status', 'reviewed_by', 'review_note'];
+const ALLOWED_UPDATE_COLUMNS = ['vacation_type_id', 'start_date', 'end_date', 'days_used', 'reason'];
+
 const vacationRequestModel = {
  async create(data, conn) {
    const db = conn || getPool();
-    const [result] = await db.query('INSERT INTO sp_vacation_requests SET ?', data);
+    const filtered = {};
+    for (const key of ALLOWED_CREATE_COLUMNS) {
+      if (data[key] !== undefined) filtered[key] = data[key];
+    }
+    const columns = Object.keys(filtered);
+    const placeholders = columns.map(() => '?').join(', ');
+    const values = columns.map(c => filtered[c]);
+    const [result] = await db.query(
+      `INSERT INTO sp_vacation_requests (${columns.join(', ')}) VALUES (${placeholders})`,
+      values
+    );
    return result;
  },

@@ -81,7 +94,15 @@ const vacationRequestModel = {

  async update(requestId, data) {
    const db = getPool();
-    const [result] = await db.query('UPDATE sp_vacation_requests SET ? WHERE request_id = ?', [data, requestId]);
+    const filtered = {};
+    for (const key of ALLOWED_UPDATE_COLUMNS) {
+      if (data[key] !== undefined) filtered[key] = data[key];
+    }
+    const columns = Object.keys(filtered);
+    if (columns.length === 0) return { affectedRows: 0 };
+    const setClause = columns.map(c => `${c} = ?`).join(', ');
+    const values = [...columns.map(c => filtered[c]), requestId];
+    const [result] = await db.query(`UPDATE sp_vacation_requests SET ${setClause} WHERE request_id = ?`, values);
    return result;
  },