diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..30cddc7
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,43 @@
+name: Build and Upload Caido Plugin
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Setup Bun
+ uses: oven-sh/setup-bun@v1
+ with:
+ bun-version: latest
+
+ - name: Install dependencies
+ run: |
+ bun install
+
+ - name: Build plugin
+ run: |
+ bun run build
+
+ - name: Archive built plugin
+ run: |
+ mkdir -p dist-artifact
+ cp -r dist/* dist-artifact/
+ # 만약 manifest.json도 포함되어야 한다면
+ cp manifest.json dist-artifact/
+
+ - name: Upload plugin artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: caido-plugin
+ path: dist-artifact
diff --git a/.gitignore b/.gitignore
index 029ef11..648628f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -215,10 +215,10 @@ $RECYCLE.BIN/
 # Windows shortcuts
 *.lnk
-!dist/
+#!dist/
 dist/*
 packages/frontend/dist
 packages/backend/dist
-!dist/*.zip
+#!dist/*.zip
 # End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux
\ No newline at end of file
diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip
deleted file mode 100644
index 34b70e1..0000000
Binary files a/dist/plugin_package.zip and /dev/null differ
diff --git a/playground/.gitignore b/playground/.gitignore
new file mode 100644
index 0000000..a14702c
--- /dev/null
+++ b/playground/.gitignore
@@ -0,0 +1,34 @@
+# dependencies (bun install)
+node_modules
+
+# output
+out
+dist
+*.tgz
+
+# code coverage
+coverage
+*.lcov
+
+# logs
+logs
+_.log
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# caches
+.eslintcache
+.cache
+*.tsbuildinfo
+
+# IntelliJ based IDEs
+.idea
+
+# Finder (MacOS) folder config
+.DS_Store
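Review bot: The new workflow in .github/workflows/main.yml declares no `permissions:` block, so the `build` job runs with whatever default GITHUB_TOKEN scope the repository is configured with; a build-and-upload job needs no more than `permissions: { contents: read }`. The Setup Bun step references `oven-sh/setup-bun@v1` by a movable tag and requests `bun-version: latest`, so the toolchain that produces the `caido-plugin` artifact can change without any commit to this repository; pinning the action to a full commit SHA and naming a fixed Bun version would make the build traceable. The install step runs plain `bun install`; assuming a lockfile is committed at the repository root (not visible in this diff), `bun install --frozen-lockfile` would fail the build instead of silently resolving new dependency versions. The Korean comment above `cp manifest.json dist-artifact/` reads as conditional ("if manifest.json should also be included") while the copy is unconditional, so an English comment such as `# manifest.json ships alongside the built files` would match what the step does.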
diff --git a/playground/README.md b/playground/README.md new file mode 100644 index 0000000..4a3109f --- /dev/null +++ b/playground/README.md @@ -0,0 +1,15 @@ +# playground + +To install dependencies: + +```bash +bun install +``` + +To run: + +```bash +bun run +``` + +This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime. diff --git a/playground/bun.lock b/playground/bun.lock new file mode 100644 index 0000000..0a70737 --- /dev/null +++ b/playground/bun.lock @@ -0,0 +1,25 @@ +{ + "lockfileVersion": 1, + "workspaces": { + "": { + "name": "playground", + "devDependencies": { + "@types/bun": "latest", + }, + "peerDependencies": { + "typescript": "^5", + }, + }, + }, + "packages": { + "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="], + + "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="], + + "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="], + + "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="], + + "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], + } +} diff --git a/playground/package.json b/playground/package.json new file mode 100644 index 0000000..0bbbfb8 --- /dev/null +++ b/playground/package.json 
@@ -0,0 +1,10 @@
+{
+ "name": "playground",
+ "private": true,
+ "devDependencies": {
+ "@types/bun": "latest"
+ },
+ "peerDependencies": {
+ "typescript": "^5"
+ }
+}
diff --git a/playground/src/PKCEDowngradeExpress.js b/playground/src/PKCEDowngradeExpress.js
new file mode 100644
index 0000000..61cf737
--- /dev/null
+++ b/playground/src/PKCEDowngradeExpress.js
@@ -0,0 +1,31 @@
+const express = require("express");
+const app = express();
+
+app.get("/auth", (req, res) => {
+ const {
+ client_id,
+ response_type,
+ code_challenge,
+ code_challenge_method,
+ scope
+ } = req.query;
+
+ console.log("Incoming request:", req.query);
+
+ if (!client_id || response_type !== "code") {
+ return res.status(400).send("Missing required parameters");
+ }
+
+ // Simulate issuing an authorization code
+ const code = "dummy-auth-code";
+
+ // Simulate PKCE check (normally you'd validate here)
+ // We deliberately allow the downgrade here to simulate the vulnerability
+ const responseBody = `Authorization successful. code=${code}`;
+ return res.status(200).send(responseBody);
+});
+
+const PORT = 5050;
+app.listen(PORT, () => {
+ console.log(`Test PKCE server running on http://localhost:${PORT}`);
+});
diff --git a/playground/tsconfig.json b/playground/tsconfig.json
new file mode 100644
index 0000000..bfa0fea
--- /dev/null
+++ b/playground/tsconfig.json
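Review bot: `app.listen(PORT, () => {` in playground/src/PKCEDowngradeExpress.js passes no host, so the server accepts connections on every interface even though the log line advertises localhost; because the `/auth` handler intentionally skips the PKCE check, the fixture should bind loopback only, `app.listen(PORT, "127.0.0.1", () => {`. The file should open with a header comment saying that it is an intentionally vulnerable PKCE-downgrade fixture for local plugin testing, since the only indication today is an inline comment deep inside the handler. `code_challenge`, `code_challenge_method` and `scope` are destructured but never read; either drop them or log which PKCE parameters were absent, which is the signal a test run actually needs. `express` is required here while the playground/package.json added in the same commit lists only `@types/bun`, so unless it resolves from a parent workspace the script will not start after a clean install.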
@@ -0,0 +1,29 @@
+{
+ "compilerOptions": {
+ // Environment setup & latest features
+ "lib": ["ESNext"],
+ "target": "ESNext",
+ "module": "Preserve",
+ "moduleDetection": "force",
+ "jsx": "react-jsx",
+ "allowJs": true,
+
+ // Bundler mode
+ "moduleResolution": "bundler",
+ "allowImportingTsExtensions": true,
+ "verbatimModuleSyntax": true,
+ "noEmit": true,
+
+ // Best practices
+ "strict": true,
+ "skipLibCheck": true,
+ "noFallthroughCasesInSwitch": true,
+ "noUncheckedIndexedAccess": true,
+ "noImplicitOverride": true,
+
+ // Some stricter flags (disabled by default)
+ "noUnusedLocals": false,
+ "noUnusedParameters": false,
+ "noPropertyAccessFromIndexSignature": false
+ }
+}