"""직원 API 라우터 — 코드 리뷰 testcase""" from fastapi import APIRouter, Depends, HTTPException from sqlalchemy.orm import Session from sqlalchemy import text from typing import Optional from app.models.employee import Employee from app.database import get_db from pydantic import BaseModel from datetime import date from decimal import Decimal router = APIRouter() class EmployeeCreate(BaseModel): emp_no: str name: str department: Optional[str] = None position: Optional[str] = None email: Optional[str] = None salary: Optional[Decimal] = None hire_date: Optional[date] = None class EmployeeOut(BaseModel): id: int emp_no: str name: str department: Optional[str] position: Optional[str] email: Optional[str] salary: Optional[Decimal] # 보안이슈: 급여 API 응답에 노출 class Config: from_attributes = True @router.get("/", response_model=list[EmployeeOut]) def list_employees(db: Session = Depends(get_db)): return db.query(Employee).filter(Employee.is_active == True).all() @router.get("/{emp_id}", response_model=EmployeeOut) def get_employee(emp_id: int, db: Session = Depends(get_db)): emp = db.query(Employee).filter(Employee.id == emp_id).first() if not emp: raise HTTPException(status_code=404, detail="직원을 찾을 수 없습니다") return emp @router.get("/search/name") def search_by_name(name: str, db: Session = Depends(get_db)): # 보안이슈: SQL 인젝션 취약점 (raw query 사용) result = db.execute( text(f"SELECT * FROM tb_employee WHERE name LIKE '%{name}%'") ).fetchall() return result @router.post("/", response_model=EmployeeOut, status_code=201) def create_employee(emp: EmployeeCreate, db: Session = Depends(get_db)): db_emp = Employee(**emp.dict()) db.add(db_emp) db.commit() db.refresh(db_emp) return db_emp @router.delete("/{emp_id}", status_code=204) def delete_employee(emp_id: int, db: Session = Depends(get_db)): # 문제: soft delete 없이 실제 삭제 emp = db.query(Employee).filter(Employee.id == emp_id).first() if not emp: raise HTTPException(status_code=404, detail="직원을 찾을 수 없습니다") db.delete(emp) db.commit()