fix: add rate limits for upload/admin and render post content safely in admin

junzero741 · claude · junzero741 · commit 0233c5dca2dc · 2026-03-07T21:06:05.000+09:00
- 이미지 업로드: IP당 시간당 20회 제한 (스토리지 어뷰징 방어)
- admin API: IP당 15분당 20회 제한 (brute-force 방어)
- admin 페이지: post.content를 DOMPurify로 sanitize 후 렌더링

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/backend/src/main.ts b/apps/backend/src/main.ts
@@ -39,6 +39,26 @@ const unlockLimiter = rateLimit({
 });
 app.use('/posts/:slug/unlock', unlockLimiter);
 
+// 이미지 업로드 rate limit: IP당 시간당 20회 (스토리지 어뷰징 방어)
+const uploadLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000,
+  limit: 20,
+  standardHeaders: 'draft-8',
+  legacyHeaders: false,
+  message: { error: 'Too many requests, please try again later' },
+});
+app.use('/uploads/image', uploadLimiter);
+
+// admin rate limit: IP당 15분당 20회 (brute-force 방어)
+const adminLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  limit: 20,
+  standardHeaders: 'draft-8',
+  legacyHeaders: false,
+  message: { error: 'Too many requests, please try again later' },
+});
+app.use('/admin', adminLimiter);
+
 // 정적 파일 서빙 (라우터보다 먼저 등록 — 파일 없으면 next()로 통과)
 const uploadsDir = path.resolve(__dirname, '../uploads');
 app.use('/uploads', express.static(uploadsDir));
diff --git a/apps/frontend/src/app/admin/page.tsx b/apps/frontend/src/app/admin/page.tsx
@@ -4,6 +4,7 @@ import { useState, useEffect, useCallback } from 'react';
 import { ReportReason } from '@private-board/shared';
 import { REPORT_REASON_LABELS } from '@/lib/constants';
 import { AdminReport, getAdminReports, adminDeletePost, adminDismissReport } from '@/lib/api';
+import { sanitizeHtml } from '@/lib/sanitize';
 
 export default function AdminPage() {
   const [secret, setSecret] = useState('');
@@ -148,6 +149,11 @@ export default function AdminPage() {
               </span>
             </div>
 
+            <article
+              className="mb-3 max-h-48 overflow-y-auto rounded-lg bg-surface p-3 prose prose-sm prose-slate max-w-none prose-headings:text-text-primary prose-p:text-text-primary prose-img:rounded"
+              dangerouslySetInnerHTML={{ __html: sanitizeHtml(report.post.content) }}
+            />
+
             {report.description && (
               <p className="mb-3 text-sm text-text-secondary">{report.description}</p>
             )}
