From e868cbec676528332494086f58e7cfbbaeb0e26e Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 14:11:53 +0900 Subject: [PATCH 1/6] =?UTF-8?q?csrf(state)=20=EA=B4=80=EB=A0=A8=20?= =?UTF-8?q?=EC=B7=A8=EC=95=BD=EC=A0=90=20=ED=83=90=EC=A7=80=20=EA=B8=B0?= =?UTF-8?q?=EB=8A=A5=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dist/plugin_package.zip | Bin 0 -> 11096 bytes package.json | 2 +- packages/backend/src/controller/csrfCheck.ts | 178 +++++++++++++++++ packages/backend/src/index.ts | 34 +++- packages/backend/src/utils/http.ts | 193 +++++++++++++++++++ 5 files changed, 400 insertions(+), 7 deletions(-) create mode 100644 dist/plugin_package.zip create mode 100644 packages/backend/src/controller/csrfCheck.ts create mode 100644 packages/backend/src/utils/http.ts diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip new file mode 100644 index 0000000000000000000000000000000000000000..a321b3b7a1ce78282a403d57a664b8d3f0a1ed8b GIT binary patch literal 11096 zcmWIWW@h1H0D;#Ud!j%z40A9rFeD`=XQ$?+=tES2M9@_UAgRjCOG&NJ%PQ8_S13qK z&Q45EE!KybP+XL(Us{rxQ>>p+Qc|E-Qp{DBSfr4dS6q^qmz=6#tB_ZklVc4Q^e8DQ z2n8usuvJLTNh~f_sOC~o(AU!9QczIPQh3w7@zsuow=G)~-pt+crfbRDmMw3(mb_lN zN8wHL+&3*7-%efmy1V0b_Yys@dVMYhh2;Fa;*z4$0>)t5}uQtqmvuVqlxib{r zHZ6HGvq9n2hDmScwkW(=(DHg)gTkA(p4V%3yqP!Q^};y{uQxZmojC)|7YYsqiA9OI z3K^-1DXB%p3JSUkL8;04MJYDLB}JKe={gD!TA>EYh>o>Wcspb2+vYi7TOrPPy?iUk zD_RN;5O)_VK!GlbyS6C2UbW)�l8k^?Je_g*VL|3Q&*1Oaz5;PJVf6k#k~ks$))$ z2gIEkQ1`+D7#tA_MXAN5IVB3V3e~lcP)y4&QqX|NMHeNOd#6_FC=?}@hb88erp7Ad zrz!X+Wu+#U=%wbB6lJCs!%c-53yoog?9@sHTaZrg)JnaQd>@#DG&CXhKw{mos3@^g zFS8g-YryQ$L>LB21|SzkXQx)iLJR~uMK3q8KtrQUQ^D3wp$yf0xCONesX4`|&@=`L zU5IBfjKb%YDr*eYEfkXC^5Jd<>!V5d1{mvW$J*u4)Z{1 zQKo{eLTOPZsuMwGD1g){*n&uGk|jlzaF;`(qqHc;KPd~8JyXjSLW6ujmcjiBbs|KK zUU6z-QE~>@WyN~wsU;fOsg+QrwF=3JCCM2I8mTZhf`S;F(;(R%6i^`lfv~>50@#lz zd4BPpH`BJfS>B@XX8)eo%ho7Bvdf$4TQmwm;i36v`h+(vb3p!jGkt=>+o@Y#ckg^V zb;j#1P~HP)wbvVF;LcWHLqM5IDbdzYEy>nMPft%t0g->uZB@{Cy?lkjo2l~@>=i(E zyqVqxa^KWF3h;cZ3C(Gcd<#mM3Lpz!ZD@G2V8@#oOI~eWpzx-9+nc!!3U7OQUeDe0 zdi{>KEgKZx%-!;OSqoG%B!r>aR2S+mRQ0bmOwv&R**|B`>y=x;#VA-aC`Y0s7f48< zq!fs^Z56;YwgdrkHqO)nNg-hW6(dqeFj6vrSP4x85Wgru)T1O2aIC|NcOs%16wkJ0 zpwaJ1;skelhqq&7%V_d z94Lti9P$d_U<0`cq2<+vN#G=dRxRi%z?`j?Y-^03Bf#E&GYd1M!A5~nUomoF1xX6v z)TaY+1FR^31QNN45aJzMh>_TmFo~%Y97x4_#gOs~=2S@8iJF2-@`J%uFQjrIISu0~ zu8<1@aO!Sa`)0u$jg-`!)RI(9XetMXG3iO&0qi?Sb_XQ^Sp1^LEm|2%erfjx?D)4+ z@g+-0sKU!Qh!#jQqY>JCf#fy3iLEF#H@_?uTycP_Af)t0orFeSI)X$SQdJ1?Evyv8 zl7{pZplv7Y^&g_$1+DV(5_3~A>by6bRx7;T)bVEd4p>7C+Tg@q1VYmVw6O-NjKS^8 z;)49V;#5#k4Rw-+rUIyhgc$;@UO`P;NP>i#19B4B5J-);YtQSZEy&d!q%jI9n-nzO z%;>OEP|C?qPAtjH&r{M-P;$=CD@n~O(G96ANL7N>qmY1uCKIsfi24w0AgG;-?Z`vx@+S)2WtcAH96g(ic;1({tr3(yA|Pjg%0&>3+bXDL1yr37eGn27^>Bkh zg76O38+dbpxSRo11GDx`Dsdihp-?S)r6HoRH51(vfQ=@^vy zUiUO0dU8wmD7@ah<;}t^Z&CZB3c8TM0%asfpY6@u9SW~D?R_(AgF-aeL9q&umgnn* zb71|t=vX9GueR@a-O~Va_M4_PZ)UB;v;pEmM6m#ME67enQxQ_CDqwBFpyX#*RsdBQ zZ=05YOo0X?#P2$g?(7yst6bsrh7E6~ZvnX(suI>wgf)#o*#nX;bU{5{aNsY1IuqO= zTh;V1`a~7(Ym0XDma+nt)o{PCMjq@ zf?eVDj0vE&JA@Ysi~Rd}i<)xNG+yZK|W9xv! z3Z-I7%Otp)kc%aR^{_56wn9n)Q7AyO1gu2C=wB0IV6i5|ykZ3_a1JYug_{OS=gysaKqzo2miUrl6pa4IT@~Mh$InfeiONSShp%1S*pi zAvPew1YvkIC{ut297qWgP-zG+ToGo0dvrl5S=we!t_snA@f@p|$SPe94=gYhO=58A?R!A3^=2fTMs|Fz3xo!bJn5 z-3rZ-s4Wq=*I;P{7LX*C4JEJ;vQBoy7K z^3ePR$x&&UIVGt@sVO+d`^YG66k$Hn%gjs8DNRW&1~srzoq*ELfjI$ZkwaVw0d0rC zOoL>xT5B#YTm#<8`FSNp`8heMMf%CbMQP3%sma-}p>NPIIBb+VFST3&KI#qXPlCqA zonbmqhQTw7{S!+|GD3?oHHuOTOH+$WV5tKV+OXak0yP$@YlGc~UyJ~PEuNfXrmgY=+~6cnXGIt1}0l?ACFMKv{$t|XG0^rFPP5_}4Z zQd2UEQj<&KON%mbm{FXZkJJ3(lEe~_-AK_3jg^w3(o~4&K*b)sL`+M}DF%y!M4^Ef z1a(6Y)I%CDpP>dN$gWaQRREI)1*UU;N-8LZK$#yB;;^0zBo8atD!^kFq#hy)srSKE z0mx;La70KKYiQ~~B@rDVumDoU0dL0?Bi64B^lsUi<};CD}p8rP%6i%C^t0FpI9F$_@+jYmj|0YzLYI7y(V7O-NZ@e7b|lt5i#uofk#Dd1)VSOjbc%n6{B z1s+p}r+Kuw1XvaUWrbu=Sp@cwV+kxD_(1#MkTeS`Uvxlo5a5vjm_=awH9(VKde9t& zQXHwNfhWlHGK<0HV+0sN9$b{+&W)Iv+yFU;Ljn_bkV66wq64BfzbG?3GcPd*>@GrK zucM#@4r5rTLySO8Tj*v$LJk}&ur?wr1A)>4M4Di3hu8$uNWihMSs-w6p@5c=Awd8y zTOj@ct3*ypC^o?&8J?P=A;AC{vPvyUEmFuVR>;jPF3!wLSIEp$D9K2Lrx3XH(1}VV zXiET;;vlsSY7~Hm7D%-{H?uewJe!o1T2h{xnx_EGi3*8%DR76NT3iH~)di;>kW)bQ zbx~$nVo9n(VsT|&vH~JE1f`Z1gWLD|`U;>R09UbA3PF$z4GKxH1jHM#j02K~lncD-J+*mkA0h|^<4f@v`=Dga`32xBOn(}7TTF|UIh7q7F z4>L|dK@pU=!TtbMgNk@c0)!p~SfPMD)1w9`s4osRAI^j%OsFV4MnRtQ%P&z#gbsn} zDCFfUI0py0DHLTEXTz+AMmlVs7}YY=Vvj(UhT4y60!H43szRyE!D8TS2WCMsIm8^| zvp86*f&xSvEcu~%0Nl=lr&I-4F$N0@bSFTw543DTt-PRukOmLfZiut<@}2YZvolkn z@+e`3+M_`=T}L5WDH*I&DHh!wd8y?v4=LCxB$g*;mLN5yic*VH^HLCX5_m}nD2pmU zi<)991vFQ|gP<0RRcK*`ztslzxqE%$1y15LQ)IVR$E(; zKfoMpIVu{KOh7qX39JmM&QGciX2o-dW) zaigFBt|Gu849}$~xf?k@E2N~Bq$Zc7ra)W?(tuQerxs}xr(}cLE8tQa#DJ8_5RWP- zY6!^UlY|6F(*P7gcuFt@Sn&o93-rbe%w$ki0a`Mmplz$51ox&Dyq*M?wupd) zcEdpKhm}cS6}Z}B;GQFN;gKGqvcjbtkxgKgD>w&0YG5KP0#(Zf*u0jYqo7hv*Z{q( z{LDNJP`g#L78=SBuY$rFvLFW8ba0~;A`FQVv_U?2asannKql34;p=uo)}cX{n87>V z&?O4+ZZ)V-ODoMw2F*GtWaed-fD#YHS;Z;YdZ}fpc_qbq`FWmsC8*(bNJ>S~4bBE=Nfc5DLYoqLi8(nM zFf)MC?Dpf7waV#r6!i7YCv2EQdE*zl9OtspcIf_T%4Jd zld2FL?5_YXeqErs44h3t$`uq+Qj3#|G7CU~Wu=f19PF=Kl$w)RlA3}@)Wz`J2`V69 zDbI?FOQpIfwGdQd`lgm-Pu02Sy8P;(R%pq_xP$^^Rz6x2%DnR#H} zVMxGyhamx4i&t5YpP5$z@&;5|ACmR5iV-FkmFAUX=B9!aWhIs+LQ)aP-H_Od<*Eh6 zi)Lt0Z!9AN0|*CrGct)V;9ispS)dA9cnV^{Y=-HAEmB2}X_#7&dIknHEK63=btAh6 hlo}v9LF8`@w6qc6&B_LnU}j)uSkJ(~Fj))40{{oK)X@L{ literal 0 HcmV?d00001 diff --git a/package.json b/package.json index 7d2ba1b..ccb27ef 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { - "name": "caido-oauth", + "name": "caido-oauth-dev", "version": "0.0.0", "private": true, "scripts": { diff --git a/packages/backend/src/controller/csrfCheck.ts b/packages/backend/src/controller/csrfCheck.ts new file mode 100644 index 0000000..371033f --- /dev/null +++ b/packages/backend/src/controller/csrfCheck.ts @@ -0,0 +1,178 @@ +import type { Request, Response } from "caido:utils"; +import type { SDK, DefineAPI } from "caido:plugin"; +import { HttpUtils } from "../utils/http"; + +const httpUtils = new HttpUtils(); + +export class CsrfCheck { + private isOauthUri(request: Request): boolean { + const query = request.getQuery() || ""; + + // Check if the request is an OAuth authorization request + if ( + query.includes("client_id=") && + (query.includes("response_type=") || + query.includes("grant_type=") || + query.includes("redirect_uri=") || + query.includes("scope=") || + query.includes("state=")) + ) { + return true; + } + + return false; + } + + private isOauthRedirectResponse(response: Response): boolean { + const status = response.getCode(); + const locationHeader = httpUtils.getHeaderValue( + response.getHeaders(), + "location" + ); + + if ( + status >= 300 && + status < 400 && + locationHeader && + (locationHeader.includes("client_id=") || + locationHeader.includes("response_type=") || + locationHeader.includes("grant_type=") || + locationHeader.includes("redirect_uri=") || + locationHeader.includes("scope=") || + locationHeader.includes("state=") || + locationHeader.includes("code=")) // code is also common in OAuth redirects + ) { + return true; + } + return false; + } + + private isStateInQuery(request: Request): boolean { + const query = request.getQuery(); + const stateValue = httpUtils.getQueryParam(query || "", "state"); + if (!stateValue) { + return false; + } + return true; + } + + private checkStateAtResponseLocationHeader( + request: Request, + response: Response + ): string[] | 0 { + if ( + !( + this.isOauthUri(request) && + this.isStateInQuery(request) && + this.isOauthRedirectResponse(response) + ) + ) { + return 0; // Not a target, no CSRF risk + } + + // 요청에서 보낸 state 추출 + const query = request.getQuery() || ""; + const originalState = httpUtils.getQueryParam(query, "state"); + + // 리다이렉트 URL에서 쿼리 부분만 추출 + const locationHeader = httpUtils.getHeaderValue( + response.getHeaders(), + "location" + ); + const responseState = httpUtils.getQueryParamFromURI( + locationHeader || "", + "state" + ); + + // state가 없거나, 요청값과 다르면 CSRF 위험 + if (!responseState) { + // missing state + return ["state parameter is missing in the response location header"]; + } + if (originalState !== responseState) { + // mismatch + return ["state parameter mismatch between request and response"]; + } + + return 0; // no CSRF risk detected + } + + // private async checkStateReuse( + // request: Request, + // originResponse: Response + // ): Promise { + // // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인 + // // 즉, 처음으로 state를 발급한 요청인지 확인 + // if ( + // !( + // !this.isOauthUri(request) && + // this.isOauthRedirectResponse(originResponse) + // ) + // ) { + // return 0; // Not a target, no CSRF risk + // } + + // const originResponseLocationHeader = httpUtils.getHeaderValue( + // originResponse.getHeaders(), + // "location" + // ); + // const originState = httpUtils.getQueryParamFromURI( + // originResponseLocationHeader || "", + // "state" + // ); + + // const requestHeaders = request.getHeaders(); + // const noCookieHeaders = httpUtils.removeHeaders(requestHeaders, ["cookie"]); + // const newResponse = await httpUtils.resend(request, { + // headers: noCookieHeaders, + // }); + // const newLocationHeader = httpUtils.getHeaderValue( + // newResponse.getHeaders(), + // "location" + // ); + // const newState = httpUtils.getQueryParamFromURI( + // newLocationHeader || "", + // "state" + // ); + + // if (originState === newState) { + // return [ + // "State parameter reused in the response location header, indicating a potential CSRF risk", + // ]; + // } + + // return 0; // no CSRF risk detected + // } + + async checker( + sdk: SDK, {}>, + request: Request, + response: Response + ): Promise { + let result = ``; + + // 쿼리에 state 파라미터가 없으면 CSRF 위험 + if (this.isOauthUri(request) && !this.isStateInQuery(request)) { + result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter + } + + // location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험 + const stateAtResponseLocationHeaderCheck = + this.checkStateAtResponseLocationHeader(request, response); + if (stateAtResponseLocationHeaderCheck !== 0) { + result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`; + } + + // // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기 + // const reusedStateCheck = await this.checkStateReuse(request, response); + // if (reusedStateCheck !== 0) { + // result += `, ${reusedStateCheck.join(", ")}`; + // } + + if (result) { + return result; // CSRF risk detected + } else { + return 0; // No CSRF risk detected + } + } +} diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 7633932..8a8ca26 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -1,5 +1,6 @@ import type { SDK, DefineAPI } from "caido:plugin"; import type { Request } from "caido:utils"; +<<<<<<< HEAD import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { PKCECheck } from "./controller/PKCECheck"; @@ -27,19 +28,40 @@ const pkceCheck = new PKCECheck(); // const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw); // return !!match; // } +======= +// import { ImplicitGrantController } from "./controller/implictGrant"; +// import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; +import { CsrfCheck } from "./controller/csrfCheck"; + +export type API = DefineAPI<{}>; +const csrfCheck = new CsrfCheck(); +>>>>>>> 8de17eb (csrf(state) 관련 취약점 탐지 기능 추가) export function init(sdk: SDK) { - sdk.events.onInterceptRequest(async (sdk, req: Request) => { - const result = - authZCodeGrantController.testReq(req) || - implicitGrantController.testReq(req); + // sdk.events.onInterceptRequest(async (sdk, req: Request) => { + // const result = csrfCheck.checker(req); + + // if (result) { + // await sdk.findings.create({ + // title: "Possible SSO Request Detected", + // description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + // request: req, + // reporter: "", + // }); + // } + // }); + + sdk.events.onInterceptResponse(async (sdk, req: Request, resp) => { + const funcList = [csrfCheck.checker(sdk, req, resp)]; + + let result = await Promise.all(funcList); if (result) { await pkceCheck.test(sdk, req); await sdk.findings.create({ - title: "Possible SSO Request Detected", - description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + title: "Possible SSO Response Detected", + description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, request: req, reporter: "", }); diff --git a/packages/backend/src/utils/http.ts b/packages/backend/src/utils/http.ts new file mode 100644 index 0000000..91a6527 --- /dev/null +++ b/packages/backend/src/utils/http.ts @@ -0,0 +1,193 @@ +let instance: HttpUtils | null = null; +export class HttpUtils { + /** + * 싱글턴 인스턴스를 생성합니다. + */ + public constructor() { + if (instance) { + return instance; + } + instance = this; + return instance; + } + + /** + * 헤더 객체의 키와 값을 전부 소문자로 변환합니다. + * @param headers - Record 형태의 헤더 맵 + * @returns - 키와 값이 모두 소문자로 변환된 새 헤더 맵 + */ + lowerCaseAllHeaders( + headers: Record + ): Record { + const result: Record = {}; + + for (const [rawKey, rawValue] of Object.entries(headers)) { + const key = rawKey.toLowerCase(); + + if (Array.isArray(rawValue)) { + // 배열이면 각 요소를 소문자로 + result[key] = rawValue.map((v) => v.toLowerCase()); + } else { + // 단일 문자열이면 바로 소문자로 + result[key] = rawValue.toLowerCase(); + } + } + + return result; + } + + getQueryParamFromURI(uri: string, key: string): string | null { + uri = uri.toLowerCase(); + key = key.toLowerCase(); + try { + const urlObj = new URL(uri); + return urlObj.searchParams.get(key); + } catch (e) { + return null; + } + } + + // Query + /** + * 주어진 쿼리 문자열(query)에서 key에 해당하는 값을 반환합니다. + * @param query - "a=1&b=2..." 형태의 쿼리 문자열 (맨 앞 ? 는 없어야 합니다) + * @param key - 가져오고 싶은 파라미터 이름 + * @returns - 해당 파라미터 값, 없으면 null + */ + getQueryParam(query: string, key: string): string | null { + query = query.toLowerCase(); + key = key.toLowerCase(); + + const params = new URLSearchParams(query); + return params.get(key); + } + + /** + * 주어진 쿼리 문자열(query)에 key=value를 설정하고, 전체 쿼리 문자열을 반환합니다. + * - 이미 key가 있으면 덮어쓰기(set), 없으면 새로 추가합니다. + * @param query - "a=1&b=2..." 형태의 쿼리 문자열 (맨 앞 ? 는 없어야 합니다) + * @param key - 설정할 파라미터 이름 + * @param value - 설정할 값 + * @returns - "a=1&b=2&c=3..." 형태의 새로운 쿼리 문자열 + */ + setQueryParam(query: string, key: string, value: string): string { + query = query.toLowerCase(); + key = key.toLowerCase(); + value = value.toLowerCase(); + + const params = new URLSearchParams(query); + params.set(key, value); + return params.toString(); + } + + /** + * 주어진 쿼리 문자열(query)에서 key에 해당하는 파라미터를 삭제(delete)하고, + * 전체 쿼리 문자열을 반환합니다. + * @param query - "a=1&b=2..." 형태의 쿼리 문자열 (맨 앞 ? 는 없어야 합니다) + * @param key - 삭제할 파라미터 이름 + * @returns - 삭제된 상태의 새로운 쿼리 문자열 + */ + removeQueryParam(query: string, key: string): string { + query = query.toLowerCase(); + key = key.toLowerCase(); + + const params = new URLSearchParams(query); + params.delete(key); + return params.toString(); + } + + // Headers + /** + * 주어진 헤더 맵에서 name에 해당하는 첫 번째 헤더 값을 반환합니다. + * @param headers - Response.getHeaders() 가 반환하는 객체 + * @param name - 꺼내고 싶은 헤더 이름 (예: "location", "Content-Type") + * @returns - 해당 헤더의 첫 번째 값, 없으면 null + */ + getHeaderValue( + headers: Record, + name: string + ): string | null { + headers = this.lowerCaseAllHeaders(headers); + const target = name.toLowerCase(); + + for (const [key, value] of Object.entries(headers)) { + if (key.toLowerCase() === target) { + if (Array.isArray(value)) { + // 배열 형태일 때 첫 번째 요소가 비어있을 수도 있으니 안전하게 처리 + return value.length > 0 && + value[0] !== undefined && + value[0].length > 0 + ? value[0] + : null; + } + // 문자열일 때 + return value.length > 0 ? value : null; + } + } + return null; + } + + /** + * 주어진 헤더 맵에서 name에 해당하는 헤더 값을 value로 변경한 새 맵을 반환합니다. + * - 기존 헤더 이름의 대소문자를 보존합니다. + * - value가 string인 경우 [value] 형태로, string[]인 경우 그대로 사용합니다. + * - 기존에 해당 헤더가 없으면 새로 추가합니다. + * + * @param headers - 키가 헤더 이름, 값이 문자열 배열인 헤더 맵 + * @param name - 변경할 헤더 이름 (예: "Authorization", "X-Custom-Header") + * @param value - 새로 설정할 값 (string 또는 string[]) + * @returns - 지정된 헤더가 업데이트된 새로운 헤더 맵 + */ + setHeaderValue( + headers: Record, + name: string, + value: string | string[] + ): Record { + headers = this.lowerCaseAllHeaders(headers); + const lowerName = name.toLowerCase(); + const newHeaders: Record = {}; + + // 1) 기존 헤더 복사하되, name과 일치하는 항목은 value로 대체 + for (const [key, vals] of Object.entries(headers)) { + if (key.toLowerCase() === lowerName) { + newHeaders[key] = Array.isArray(value) ? value : [value]; + } else { + newHeaders[key] = Array.isArray(vals) ? vals : [vals]; + } + } + + // 2) 해당 헤더가 원래 없었다면 새로 추가 + const exists = Object.keys(newHeaders).some( + (k) => k.toLowerCase() === lowerName + ); + if (!exists) { + newHeaders[name] = Array.isArray(value) ? value : [value]; + } + + return newHeaders; + } + + /** + * 주어진 헤더 맵에서 특정 이름(들)에 해당하는 헤더를 제거한 새 맵을 반환합니다. + * @param headers - 키가 헤더 이름, 값이 문자열 배열인 헤더 맵 + * @param namesToRemove - 제거할 헤더 이름(하나 혹은 배열). 대소문자 구분 없이 매칭됩니다. + * @returns - 지정된 헤더가 제외된 새로운 헤더 맵 + */ + removeHeaders( + headers: Record, + namesToRemove: string | string[] + ): Record { + headers = this.lowerCaseAllHeaders(headers); + const toRemove = Array.isArray(namesToRemove) + ? namesToRemove.map((n) => n.toLowerCase()) + : [namesToRemove.toLowerCase()]; + + const filtered: Record = {}; + for (const [key, vals] of Object.entries(headers)) { + if (!toRemove.includes(key.toLowerCase())) { + filtered[key] = Array.isArray(vals) ? vals : [vals]; + } + } + return filtered; + } +} From 366f90e5a8bfe1bc61d4b86c90c5eb7fa4883268 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 14:30:55 +0900 Subject: [PATCH 2/6] =?UTF-8?q?[Add]=20csrf=20=ED=85=8C=EC=8A=A4=ED=8A=B8?= =?UTF-8?q?=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- playground/{ => pkce}/.gitignore | 0 playground/{ => pkce}/README.md | 0 playground/{ => pkce}/bun.lock | 0 playground/{ => pkce}/package.json | 0 playground/{ => pkce}/src/PKCEDowngradeExpress.js | 0 playground/{ => pkce}/tsconfig.json | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename playground/{ => pkce}/.gitignore (100%) rename playground/{ => pkce}/README.md (100%) rename playground/{ => pkce}/bun.lock (100%) rename playground/{ => pkce}/package.json (100%) rename playground/{ => pkce}/src/PKCEDowngradeExpress.js (100%) rename playground/{ => pkce}/tsconfig.json (100%) diff --git a/playground/.gitignore b/playground/pkce/.gitignore similarity index 100% rename from playground/.gitignore rename to playground/pkce/.gitignore diff --git a/playground/README.md b/playground/pkce/README.md similarity index 100% rename from playground/README.md rename to playground/pkce/README.md diff --git a/playground/bun.lock b/playground/pkce/bun.lock similarity index 100% rename from playground/bun.lock rename to playground/pkce/bun.lock diff --git a/playground/package.json b/playground/pkce/package.json similarity index 100% rename from playground/package.json rename to playground/pkce/package.json diff --git a/playground/src/PKCEDowngradeExpress.js b/playground/pkce/src/PKCEDowngradeExpress.js similarity index 100% rename from playground/src/PKCEDowngradeExpress.js rename to playground/pkce/src/PKCEDowngradeExpress.js diff --git a/playground/tsconfig.json b/playground/pkce/tsconfig.json similarity index 100% rename from playground/tsconfig.json rename to playground/pkce/tsconfig.json From 5042a108d87b40b245c6f800fa033e5639c3de1a Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 14:56:14 +0900 Subject: [PATCH 3/6] [Add] csrf --- playground/csrf/index.js | 0 playground/csrf/package-lock.json | 816 ++++++++++++++++++++++++++++++ playground/csrf/package.json | 14 + 3 files changed, 830 insertions(+) create mode 100644 playground/csrf/index.js create mode 100644 playground/csrf/package-lock.json create mode 100644 playground/csrf/package.json diff --git a/playground/csrf/index.js b/playground/csrf/index.js new file mode 100644 index 0000000..e69de29 diff --git a/playground/csrf/package-lock.json b/playground/csrf/package-lock.json new file mode 100644 index 0000000..c676398 --- /dev/null +++ b/playground/csrf/package-lock.json @@ -0,0 +1,816 @@ +{ + "name": "csrf", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "csrf", + "version": "1.0.0", + "license": "ISC", + "dependencies": { + "express": "^5.1.0" + } + }, + "node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "license": "MIT", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/body-parser": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", + "integrity": "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==", + "license": "MIT", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^1.0.5", + "debug": "^4.4.0", + "http-errors": "^2.0.0", + "iconv-lite": "^0.6.3", + "on-finished": "^2.4.1", + "qs": "^6.14.0", + "raw-body": "^3.0.0", + "type-is": "^2.0.0" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/call-bind-apply-helpers": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", + "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/call-bound": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz", + "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "get-intrinsic": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/content-disposition": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", + "integrity": "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==", + "license": "MIT", + "dependencies": { + "safe-buffer": "5.2.1" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", + "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie": { + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", + "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "license": "MIT", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/debug": { + "version": "4.4.1", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz", + "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/depd": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/dunder-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz", + "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.1", + "es-errors": "^1.3.0", + "gopd": "^1.2.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", + "license": "MIT" + }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/es-define-property": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz", + "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-errors": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", + "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-object-atoms": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz", + "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", + "license": "MIT" + }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/express/-/express-5.1.0.tgz", + "integrity": "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==", + "license": "MIT", + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.0", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", + "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/finalhandler": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", + "integrity": "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": "^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-intrinsic": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz", + "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "es-define-property": "^1.0.1", + "es-errors": "^1.3.0", + "es-object-atoms": "^1.1.1", + "function-bind": "^1.1.2", + "get-proto": "^1.0.1", + "gopd": "^1.2.0", + "has-symbols": "^1.1.0", + "hasown": "^2.0.2", + "math-intrinsics": "^1.1.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz", + "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", + "license": "MIT", + "dependencies": { + "dunder-proto": "^1.0.1", + "es-object-atoms": "^1.0.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/gopd": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", + "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/has-symbols": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", + "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/http-errors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz", + "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==", + "license": "MIT", + "dependencies": { + "depd": "2.0.0", + "inherits": "2.0.4", + "setprototypeof": "1.2.0", + "statuses": "2.0.1", + "toidentifier": "1.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "license": "ISC" + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==", + "license": "MIT" + }, + "node_modules/math-intrinsics": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz", + "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, + "node_modules/negotiator": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "license": "MIT", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/path-to-regexp": { + "version": "8.2.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz", + "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==", + "license": "MIT", + "engines": { + "node": ">=16" + } + }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "license": "MIT", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/qs": { + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "license": "BSD-3-Clause", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.0.tgz", + "integrity": "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==", + "license": "MIT", + "dependencies": { + "bytes": "3.1.2", + "http-errors": "2.0.0", + "iconv-lite": "0.6.3", + "unpipe": "1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" + }, + "node_modules/send": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", + "integrity": "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==", + "license": "MIT", + "dependencies": { + "debug": "^4.3.5", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "mime-types": "^3.0.1", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/serve-static": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.0.tgz", + "integrity": "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==", + "license": "MIT", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", + "license": "ISC" + }, + "node_modules/side-channel": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", + "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3", + "side-channel-list": "^1.0.0", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", + "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/statuses": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", + "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "license": "MIT", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/type-is": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", + "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==", + "license": "MIT", + "dependencies": { + "content-type": "^1.0.5", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "license": "ISC" + } + } +} diff --git a/playground/csrf/package.json b/playground/csrf/package.json new file mode 100644 index 0000000..b1dd086 --- /dev/null +++ b/playground/csrf/package.json @@ -0,0 +1,14 @@ +{ + "name": "csrf", + "version": "1.0.0", + "main": "index.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "author": "", + "license": "ISC", + "description": "", + "dependencies": { + "express": "^5.1.0" + } +} From f775282e91503025d73b41799e7b4e04e31485aa Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 15:01:53 +0900 Subject: [PATCH 4/6] [Add] csrf --- packages/backend/src/index.ts | 62 ++++++++++------------------------- pnpm-lock.yaml | 16 +++++++++ 2 files changed, 34 insertions(+), 44 deletions(-) diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 8a8ca26..3d76481 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -1,41 +1,13 @@ import type { SDK, DefineAPI } from "caido:plugin"; -import type { Request } from "caido:utils"; -<<<<<<< HEAD -import { ImplicitGrantController } from "./controller/implictGrant"; -import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; -import { PKCECheck } from "./controller/PKCECheck"; - -export type API = DefineAPI<{}>; - -const implicitGrantController = new ImplicitGrantController(); -const authZCodeGrantController = new AuthZCodeGrantController(); -const pkceCheck = new PKCECheck(); - -// function matchSSORequest(req: Request): boolean { -// const raw = req.getRaw().toString(); - -// // 조건 3: Raw request에 SAMLRequest 또는 SAMLResponse 포함 -// if (raw.includes("SAMLRequest=") || raw.includes("SAMLResponse=")) { -// return true; -// } - -// return false; -// } - -// function matchAccessTokenResponse(resp: Response): boolean { -// const raw = resp.getRaw().toString(); - -// const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw); -// return !!match; -// } -======= +import type { Request, Response } from "caido:utils"; // import { ImplicitGrantController } from "./controller/implictGrant"; // import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { CsrfCheck } from "./controller/csrfCheck"; +import { PKCECheck } from "./controller/PKCECheck"; export type API = DefineAPI<{}>; const csrfCheck = new CsrfCheck(); ->>>>>>> 8de17eb (csrf(state) 관련 취약점 탐지 기능 추가) +const pkceCheck = new PKCECheck(); export function init(sdk: SDK) { // sdk.events.onInterceptRequest(async (sdk, req: Request) => { @@ -51,21 +23,23 @@ export function init(sdk: SDK) { // } // }); - sdk.events.onInterceptResponse(async (sdk, req: Request, resp) => { - const funcList = [csrfCheck.checker(sdk, req, resp)]; + sdk.events.onInterceptResponse( + async (sdk: SDK, {}>, req: Request, resp: Response) => { + const funcList: Promise[] = [ + csrfCheck.checker(sdk, req, resp), + ]; - let result = await Promise.all(funcList); + let result = await Promise.all(funcList); + if (result) { + await sdk.findings.create({ + title: "Possible SSO Response Detected", + description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + request: req, + reporter: "", + }); + } - if (result) { await pkceCheck.test(sdk, req); - - await sdk.findings.create({ - title: "Possible SSO Response Detected", - description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - request: req, - reporter: "", - }); } - - }); + ); } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 67de64e..83609d4 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -11,6 +11,9 @@ importers: '@caido-community/dev': specifier: ^0.1.3 version: 0.1.5(postcss@8.5.3)(typescript@5.5.4) + '@caido/sdk-backend': + specifier: ^0.48.1 + version: 0.48.1 typescript: specifier: 5.5.4 version: 5.5.4 @@ -34,9 +37,15 @@ packages: '@caido/quickjs-types@0.17.2': resolution: {integrity: sha512-5kcucGORMNEbcdU91yKLYZG/TFDqsO6XmCZ1TnU6V48E61mmqrJg6kjrfOFP1WOugDm+ZcGd/Su3p3XkFXfaPg==} + '@caido/quickjs-types@0.18.0': + resolution: {integrity: sha512-hRXUVdDvlhEhvkBoWWytoVS2j1KDVZa8dx2Q/KvWUQTR57U8EMSYE9iFgvPhu78gS8z+RF42Zcb7moNx4SDMlw==} + '@caido/sdk-backend@0.46.0': resolution: {integrity: sha512-peUKW/4Nrw9WVxIahc+6KrVtxA7vsbpuJqOoBxudxq7tQJ+cV9IEqzvYoFFo8KlnrTkeUQUJvd0W4WsM3HgxEg==} + '@caido/sdk-backend@0.48.1': + resolution: {integrity: sha512-JvFeOlSqAKbj3OenBn0LPtCNaOV0x6YtaAQijpvYfBJK32Nvbf924Z10bFVCu+Clc5A1qr7HcAvJ/8B/aRikWA==} + '@caido/sdk-shared@0.1.1': resolution: {integrity: sha512-JAV5ajUqxZdXYPTmDEvIKBZon8I5uHq44ATj0Nj3BVpllRDUGY9kcBd+PXMD50+3lv1CvhR3/f6q24T0+4aVJQ==} @@ -1095,11 +1104,18 @@ snapshots: '@caido/quickjs-types@0.17.2': {} + '@caido/quickjs-types@0.18.0': {} + '@caido/sdk-backend@0.46.0': dependencies: '@caido/quickjs-types': 0.17.2 '@caido/sdk-shared': 0.1.1 + '@caido/sdk-backend@0.48.1': + dependencies: + '@caido/quickjs-types': 0.18.0 + '@caido/sdk-shared': 0.1.1 + '@caido/sdk-shared@0.1.1': {} '@esbuild/aix-ppc64@0.24.2': From ef1d8f40b35b2e397c55a4a0ee556b3f6e1dc989 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 16:49:48 +0900 Subject: [PATCH 5/6] [Update] feature --- dist/plugin_package.zip | Bin 11096 -> 15097 bytes packages/backend/src/controller/csrfCheck.ts | 11 +- packages/backend/src/index.ts | 15 +- packages/backend/src/utils/http.ts | 49 ++- playground/csrf/index.js | 65 ++++ playground/csrf/package-lock.json | 351 +++++++++++++++++++ playground/csrf/package.json | 9 +- 7 files changed, 464 insertions(+), 36 deletions(-) diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index a321b3b7a1ce78282a403d57a664b8d3f0a1ed8b..b24f0ab51b884d0bd98f2c5fc67f6a3aa4974095 100644 GIT binary patch delta 4264 zcmcZ+_Op~Hz?+$civa}I+D_zAVOndu(MXrEJ~YTv;q{a$Z}v`kJ!PfB+u1D&Z`yiZ zui5ct-h|f+=P111-0*hhjJH!~yzZK!@OJu|x4nB5-cDWdreg+|f`WpUf>ka(~-B4$|o-hYV zD@dn4mx4k{YI1%`s$*V?Pkwo7kp|c)nhMn*_bHSVRYF+`3J^P>%0q)Zo%3@G@&ocx z^Gcw4^h)xK4qte2CTmtK;gV5eZ9pr!^9i#CW=utzYhAiBZf2l5V|f`S5)*^>+S zG$zOK@zjGH1h-Pr7Gf!~n-oyu4`d3CSOiBR%qVa$LKG_~pvNCX9Gnys^Wctx#5F{& z7VK^iyLR(LzK`OZiRFozB?`qU*^}?6D|03n7o{nbmFDD4meuf)E=?^i(MwM)@l7qs z$WPJGtW{8{E=nx~2~V!k(9qF=8&;HBkY7}iT4bf51U3T3SAwdj)ttOWO=EJbICp)3 zx3jBrMrv}lUP&=mW-dsdLbXC#YDsd2jzSQ`bcMuX1viigj9;seR+OKspp=}LnUZgn zQBqQ%WX)BUSfl_qO~FaSpC`E%@;gVmTmtK^Zk_z@* ztb$*Di9(`+yK4x@3Q&;gDFkO{7H||~=B4W?X}!<1<~=z8HqWdWSa_B zh$<8h@rA8YEW%@osFvxamZjDgRcdH}%Q{U3TRVlq($u0#z0ADioYIukVyFaCUMo(? zCL#bpaR>4fIF1y+rl*#q78NVxW)>HN0s$Nz;NW0}h6glqN{ez3F%w#p11qjTfnK7J zS?phsn&;`FV2kchrQ+oLf>hi5g4Dds6eUfCni>ohnJMul`Pr#?O3-`+F%l9=zKQjq z!VqR`E~seK(8nI28qslTv09q?D8|5J!WX0!?mnyr*`k>MN^*+zFo%HLQB$L!h-xCK zNf6cP3i(9}5c9Fb03Ifz8iQ4s;Gz~H4UWTT!&qnxgW?Aw0oG@0tDsbnlbD%DQn}!ioE@ux8Y|Eos*qW% zpbj=r9a2t!^93YUFd`+Hm`H&X+DPW&jS~#jpeP9gm20pxlUb}#oLZt#k`Hqy!DvW< zm5AUPCABCqDKjUtq!K+g;L1`0LFEoS+Z3f1v;G45((WucM%(q^XBPu`Lc& z(e`SwD)kV(kdhHn5Fp$V3NC{Zz!e^-f&dpodc_4fnI#%ZR{Hu%n$ZTawO0E2a1|c; z#U&b=wN`L}fczqm0D_-blA)nlYp+rbv8FyTB^Bc5+60IrkQ;Om2Spd97W)@vrf23Q z=78$4Vt6%^602aV0LiNXMftgz#i@FUIXN29&>B|(Ql)C-rIw>qr5dG0IXVi}pjfTX z$WO6S09S4bwVIlU+8kUNW9o#s8sz9uxEZKMK<$R*83hHXCzA40DiOW_@j%|F2UnK_ z{ect$dL^k9B^pRBElNcS5U4B;M--PNmXsE|7M6muJ;=~{Xt?S@q`*x_R0AOrkhp<) z29$k0^PKWaG8AkTKwg1)3{hb!fz;S4X@Z)NAQd3bLi~!NramRr7Lmh21q{SKh#S?^ zz$FF5Dn!W-b4E#KNlvPQEuuCAmCw#Wo*|yjjy_n*XoMR;SvUYxbk&1G6H+Q5X+$rr zv1kPAgM|vrK}D%)sYR)I$>@#(HP(u)^z|XNvR+N8 z`9%tFxDmcc2DP^p(h@UsP<#S%TX0EHW?nkjz}f_;tq{v##@c|)#n;Y-Gy)K|!NLsO z$`zCrpX?|uGx>^|mISE5UXYy(X(5BUVX2S?#N@AP_N?G+JK02CkwXDmtW8c=S4xG& zASC|ay7gd3@NuG9)hzk*9aAu}(tgsaw?E5MtbBkuT%T^1G$3?K{{ zG2mceU|4IrnO$=RBhy;j$qThi_}1F)i9#rx{8-Dt6(pn?8q^!h$iM)?yr6*wIG$s{ jz>u4mmzf6YE@c(x=LLAPvVmlo8JHQ?GcYiiSb=x|DY}2~ delta 557 zcmexadLxV{z?+$civa{)YfR)(VS25x(MXqZ^IoPBM%JRla_`j1j9j9VQ~5K&=RG-IM2E8^ zu_!&YL{p)9avZ+_YidbpQQqX~{BpjEwzdjo`I#vS1`29w3T25orK!;dv3fbFdFdq? z3U&$x3ifbO1uKQT(wrP?E(Iv4g|mtvCcfp@*nC3ZmAE8?uTYd)T$)n?(NL?9np2!Q z`J9~e, {}>, request: Request, response: Response - ): Promise { + ): Promise { let result = ``; // 쿼리에 state 파라미터가 없으면 CSRF 위험 @@ -170,9 +170,12 @@ export class CsrfCheck { // } if (result) { - return result; // CSRF risk detected - } else { - return 0; // No CSRF risk detected + await sdk.findings.create({ + title: "csrf vuln", + description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`, + request, + reporter: "csrf reporter", + }); } } } diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 3d76481..dc44468 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -25,20 +25,7 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse( async (sdk: SDK, {}>, req: Request, resp: Response) => { - const funcList: Promise[] = [ - csrfCheck.checker(sdk, req, resp), - ]; - - let result = await Promise.all(funcList); - if (result) { - await sdk.findings.create({ - title: "Possible SSO Response Detected", - description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - request: req, - reporter: "", - }); - } - + await csrfCheck.checker(sdk, req, resp); await pkceCheck.test(sdk, req); } ); diff --git a/packages/backend/src/utils/http.ts b/packages/backend/src/utils/http.ts index 91a6527..56a6fe1 100644 --- a/packages/backend/src/utils/http.ts +++ b/packages/backend/src/utils/http.ts @@ -11,6 +11,19 @@ export class HttpUtils { return instance; } + /** + * URI 디코딩 후 소문자로 변환하는 헬퍼 함수 + * @param value - 디코딩하고 소문자로 변환할 문자열 + * @returns 디코딩 및 소문자 변환된 문자열 + */ + decodeAndLower(value: string): string { + try { + return decodeURIComponent(value).toLowerCase(); + } catch { + return value.toLowerCase(); + } + } + /** * 헤더 객체의 키와 값을 전부 소문자로 변환합니다. * @param headers - Record 형태의 헤더 맵 @@ -22,14 +35,12 @@ export class HttpUtils { const result: Record = {}; for (const [rawKey, rawValue] of Object.entries(headers)) { - const key = rawKey.toLowerCase(); + const key = this.decodeAndLower(rawKey); if (Array.isArray(rawValue)) { - // 배열이면 각 요소를 소문자로 - result[key] = rawValue.map((v) => v.toLowerCase()); + result[key] = rawValue.map((v) => this.decodeAndLower(v)); } else { - // 단일 문자열이면 바로 소문자로 - result[key] = rawValue.toLowerCase(); + result[key] = this.decodeAndLower(rawValue); } } @@ -107,23 +118,29 @@ export class HttpUtils { headers: Record, name: string ): string | null { - headers = this.lowerCaseAllHeaders(headers); + const normalized = this.lowerCaseAllHeaders(headers); const target = name.toLowerCase(); - for (const [key, value] of Object.entries(headers)) { - if (key.toLowerCase() === target) { + for (const [key, value] of Object.entries(normalized)) { + if (key === target) { + let rawValue: string | null = null; + if (Array.isArray(value)) { - // 배열 형태일 때 첫 번째 요소가 비어있을 수도 있으니 안전하게 처리 - return value.length > 0 && - value[0] !== undefined && - value[0].length > 0 - ? value[0] - : null; + rawValue = value.length > 0 && value[0] ? value[0] : null; + } else { + rawValue = value.length > 0 ? value : null; + } + + if (rawValue !== null) { + try { + return decodeURIComponent(rawValue); + } catch { + return rawValue; + } } - // 문자열일 때 - return value.length > 0 ? value : null; } } + return null; } diff --git a/playground/csrf/index.js b/playground/csrf/index.js index e69de29..5c7a733 100644 --- a/playground/csrf/index.js +++ b/playground/csrf/index.js @@ -0,0 +1,65 @@ +// app.js +const express = require("express"); +const app = express(); +const port = 8000; + +// 콜백 엔드포인트 (정상 동작 시뮬레이션) +app.get("/callback", (req, res) => { + res.send(` +

Callback Received

+

Query Params:

+ 
${JSON.stringify(req.query, null, 2)}
+ `); +}); + +/** + * 1) state 파라미터를 무시하는 취약한 /authorize 엔드포인트 + * - 클라이언트가 state를 보내도 무시 + * - 리디렉트 시 state를 포함하지 않음 + */ +app.get("/authorize/no-state", (req, res) => { + const clientId = req.query.client_id || "unknown-client"; + const redirectUri = encodeURIComponent( + req.query.redirect_uri || `http://localhost:${port}/callback` + ); + const code = "authcode-12345"; + + // state를 전혀 포함하지 않은 채로 리디렉트 + const location = `${redirectUri}?code=${code}&client_id=${clientId}`; + res.set("Location", location); + res.status(302).send(`Redirecting to ${location}`); +}); + +/** + * 2) 클라이언트가 보낸 state와 다른 값을 넣는 취약한 /authorize 엔드포인트 + * - 클라이언트가 보낸 state를 로그로 확인만 하고, + * 응답 Location에는 'wrong-state'를 삽입 + */ +app.get("/authorize/mismatch-state", (req, res) => { + const clientId = req.query.client_id || "unknown-client"; + const originalState = req.query.state; + const redirectUri = encodeURIComponent( + req.query.redirect_uri || `http://localhost:${port}/callback` + ); + const code = "authcode-67890"; + + console.log(`[VULN] original state from client:`, originalState); + + // 클라이언트 state와 다르게 'wrong-state'를 삽입 + const wrongState = "wrong-state"; + const location = `${redirectUri}?code=${code}&state=${wrongState}&client_id=${clientId}`; + res.set("Location", location); + res.status(302).send(`Redirecting to ${location}`); +}); + +app.listen(port, () => { + console.log( + `Vulnerable OAuth test server listening at http://localhost:${port}` + ); + console.log( + `1) No-State: http://localhost:${port}/authorize/no-state?client_id=abc&redirect_uri=http://localhost:${port}/callback` + ); + console.log( + `2) Mismatch-State: http://localhost:${port}/authorize/mismatch-state?client_id=abc&state=xyz&redirect_uri=http://localhost:${port}/callback` + ); +}); diff --git a/playground/csrf/package-lock.json b/playground/csrf/package-lock.json index c676398..f924d15 100644 --- a/playground/csrf/package-lock.json +++ b/playground/csrf/package-lock.json @@ -10,6 +10,9 @@ "license": "ISC", "dependencies": { "express": "^5.1.0" + }, + "devDependencies": { + "nodemon": "^3.1.10" } }, "node_modules/accepts": { @@ -25,6 +28,40 @@ "node": ">= 0.6" } }, + "node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "license": "ISC", + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true, + "license": "MIT" + }, + "node_modules/binary-extensions": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", + "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/body-parser": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", @@ -45,6 +82,30 @@ "node": ">=18" } }, + "node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/braces": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", + "dev": true, + "license": "MIT", + "dependencies": { + "fill-range": "^7.1.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", @@ -83,6 +144,38 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/chokidar": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", + "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==", + "dev": true, + "license": "MIT", + "dependencies": { + "anymatch": "~3.1.2", + "braces": "~3.0.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" + }, + "engines": { + "node": ">= 8.10.0" + }, + "funding": { + "url": "https://paulmillr.com/funding/" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + } + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "dev": true, + "license": "MIT" + }, "node_modules/content-disposition": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", @@ -264,6 +357,19 @@ "url": "https://opencollective.com/express" } }, + "node_modules/fill-range": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", + "dev": true, + "license": "MIT", + "dependencies": { + "to-regex-range": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/finalhandler": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", @@ -299,6 +405,21 @@ "node": ">= 0.8" } }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", @@ -345,6 +466,19 @@ "node": ">= 0.4" } }, + "node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "license": "ISC", + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, "node_modules/gopd": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", @@ -357,6 +491,16 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/has-flag": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", + "integrity": "sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=4" + } + }, "node_modules/has-symbols": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", @@ -409,6 +553,13 @@ "node": ">=0.10.0" } }, + "node_modules/ignore-by-default": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/ignore-by-default/-/ignore-by-default-1.0.1.tgz", + "integrity": "sha512-Ius2VYcGNk7T90CppJqcIkS5ooHUZyIQK+ClZfMfMNFEF9VSE73Fq+906u/CWu92x4gzZMWOwfFYckPObzdEbA==", + "dev": true, + "license": "ISC" + }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", @@ -424,6 +575,52 @@ "node": ">= 0.10" } }, + "node_modules/is-binary-path": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", + "dev": true, + "license": "MIT", + "dependencies": { + "binary-extensions": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-extglob": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", + "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-glob": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-extglob": "^2.1.1" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.12.0" + } + }, "node_modules/is-promise": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", @@ -481,6 +678,19 @@ "node": ">= 0.6" } }, + "node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "license": "ISC", + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/ms": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", @@ -496,6 +706,45 @@ "node": ">= 0.6" } }, + "node_modules/nodemon": { + "version": "3.1.10", + "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.10.tgz", + "integrity": "sha512-WDjw3pJ0/0jMFmyNDp3gvY2YizjLmmOUQo6DEBY+JgdvW/yQ9mEeSw6H5ythl5Ny2ytb7f9C2nIbjSxMNzbJXw==", + "dev": true, + "license": "MIT", + "dependencies": { + "chokidar": "^3.5.2", + "debug": "^4", + "ignore-by-default": "^1.0.1", + "minimatch": "^3.1.2", + "pstree.remy": "^1.1.8", + "semver": "^7.5.3", + "simple-update-notifier": "^2.0.0", + "supports-color": "^5.5.0", + "touch": "^3.1.0", + "undefsafe": "^2.0.5" + }, + "bin": { + "nodemon": "bin/nodemon.js" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/nodemon" + } + }, + "node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/object-inspect": { "version": "1.13.4", "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", @@ -547,6 +796,19 @@ "node": ">=16" } }, + "node_modules/picomatch": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", + "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8.6" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, "node_modules/proxy-addr": { "version": "2.0.7", "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", @@ -560,6 +822,13 @@ "node": ">= 0.10" } }, + "node_modules/pstree.remy": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/pstree.remy/-/pstree.remy-1.1.8.tgz", + "integrity": "sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==", + "dev": true, + "license": "MIT" + }, "node_modules/qs": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", @@ -599,6 +868,19 @@ "node": ">= 0.8" } }, + "node_modules/readdirp": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", + "dev": true, + "license": "MIT", + "dependencies": { + "picomatch": "^2.2.1" + }, + "engines": { + "node": ">=8.10.0" + } + }, "node_modules/router": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", @@ -641,6 +923,19 @@ "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", "license": "MIT" }, + "node_modules/semver": { + "version": "7.7.2", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz", + "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==", + "dev": true, + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/send": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", @@ -756,6 +1051,19 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/simple-update-notifier": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-2.0.0.tgz", + "integrity": "sha512-a2B9Y0KlNXl9u/vsW6sTIu9vGEpfKu2wRV6l1H3XEas/0gUIzGzBoP/IouTcUQbm9JWZLH3COxyn03TYlFax6w==", + "dev": true, + "license": "MIT", + "dependencies": { + "semver": "^7.5.3" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/statuses": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", @@ -765,6 +1073,32 @@ "node": ">= 0.8" } }, + "node_modules/supports-color": { + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", + "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", + "dev": true, + "license": "MIT", + "dependencies": { + "has-flag": "^3.0.0" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/to-regex-range": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-number": "^7.0.0" + }, + "engines": { + "node": ">=8.0" + } + }, "node_modules/toidentifier": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", @@ -774,6 +1108,16 @@ "node": ">=0.6" } }, + "node_modules/touch": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/touch/-/touch-3.1.1.tgz", + "integrity": "sha512-r0eojU4bI8MnHr8c5bNo7lJDdI2qXlWWJk6a9EAFG7vbhTjElYhBVS3/miuE0uOuoLdb8Mc/rVfsmm6eo5o9GA==", + "dev": true, + "license": "ISC", + "bin": { + "nodetouch": "bin/nodetouch.js" + } + }, "node_modules/type-is": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", @@ -788,6 +1132,13 @@ "node": ">= 0.6" } }, + "node_modules/undefsafe": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.5.tgz", + "integrity": "sha512-WxONCrssBM8TSPRqN5EmsjVrsv4A8X12J4ArBiiayv3DyyG3ZlIg6yysuuSYdZsVz3TKcTg2fd//Ujd4CHV1iA==", + "dev": true, + "license": "MIT" + }, "node_modules/unpipe": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", diff --git a/playground/csrf/package.json b/playground/csrf/package.json index b1dd086..9c6b2a7 100644 --- a/playground/csrf/package.json +++ b/playground/csrf/package.json @@ -3,12 +3,17 @@ "version": "1.0.0", "main": "index.js", "scripts": { - "test": "echo \"Error: no test specified\" && exit 1" + "test": "echo \"Error: no test specified\" && exit 1", + "start": "nodemon index.js" }, "author": "", "license": "ISC", - "description": "", "dependencies": { "express": "^5.1.0" + }, + "keywords": [], + "description": "", + "devDependencies": { + "nodemon": "^3.1.10" } } From 5fed2eb7d043b3ec4a0cea6dcad93de6e67b2745 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Sat, 31 May 2025 11:47:52 +0900 Subject: [PATCH 6/6] [Update] index --- dist/plugin_package.zip | Bin 15097 -> 15658 bytes packages/backend/src/index.ts | 29 +++++++++++++++-------------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index b24f0ab51b884d0bd98f2c5fc67f6a3aa4974095..28184677ccc0929e907d8d2e3ba3431c8285501f 100644 GIT binary patch delta 2144 zcmexax~hsdz?+$civa|#iSD1stIT{&bpJ-<9h&k%sfDGf#U;T7smThp3TZ|8xe7|j ziJ2++R;4AGImMf0wAdKgi&GPek~0D(M{{YoC+FuCmnama7M5lfrKWhNRu(JRDnu(K z=VYelmBeSJDCsCD6{Qvz;c!Q`*nH6|$1 z>8T|eO2x_f1*uA!_IjCl$vLGdsl^&f`30$YnJG$|3N!CuQvEy>7F0cotMQBXuSX>x(S-R3#E;fy>1-p;NH z&Kar6*{Ma7{~2g)4%c6fDe8dY)s)nn)RI&UCG1vXRSNQ1J*v-A^2_tmixN{(Qvyp< ziz?9rq$EGMq$o2lT?6VPNN^M7)hK5o` zNl8JmlBR;a0+gv>1z{;oUTY}N1~Fjr3q$|<;*@MXkg54Osd_p2=^6#YZd&9GSf5j5_1$ngM6$M5)`ySF$i@JVcjlp4&`83k7?cTY z74lNc6_B!p29naE9H^xV3LwRL#i=Du`6-neQ0Ic#nqVc97fMJ>X5<$Wfl7I#CZ?no z6>Df}YARGuj^o#_hZz8o0i|dig|ft)(p0^y{LDNJP_}^>1wQ zkdh8G!+@eDCAB!YD6^m>Ge6HtAt59q6;#@Rs!N5EdEsqG16PocW@u1vEF%L02=js(2ylGXih&_FF)uSMwYWqtt2jR| Wz?+o~B+Jae%&?w;fg#lf!~+1$aIoY6 delta 1670 zcmZ2g^|O>Wz?+$civa}I+U}XitIWLCcF#uR9h!z|sU^u7ItoFlg{7&*B?^hf3T_|~ z7{68_ttdZNK`A*gGbP_Dqokx@GnW<{qft?6VQFSjYDz$2QDSbff~`WdQgTjaYFk+UU6!CNo7H*ZE}9fRMk3QJRqD)ln+l5T~co2YvCRb@0Om5TX+q^+HoN@981Fgwdb%c~t zQb7(14f1r(&n?K$OU*0MKr$xUFjmugvxWW|h=wnQ0`-BQkb!%uD77FbF*y~Nx4^zq zv)9*AP*T#=!=cy~hpK3MwOAF1R){B)^Ye-)R~z!Eh8E>0*eWEbR2QWd>ZPZagcjv! zXzCRg#7-7A@~ToI4gA$wqPMs-mt3z>^0ku088qIJ|B;}`6B76bjVf98m zR(~LcfL=*zMTrK;sZf`q1PD|Xha-wh5=%;pT?iB@c-uMa69^zu?m^ot8plZ&AOx|!+uWxDx^r6n0gx`y!v zx&}si86~+n%0+3(dc~>9C7Jnodd7N&dKTtN3RVc?QW8rNONtVcvr~)oGE+;^^zw_+ z^;7bb^+B5Ti_((K&5X^!j+}f^SBqOg0qi>+E(L|jJ_gd0-7JNC6w>mG6jZ89i*jo9 zxVR7@st_9FW2K-{jgmNPxwwL0J_Jd^y<3|AHuRpJ+~f)i-pLa!L?#Q%32t6!p~^V< zg5}1^-BxCjamQcmvan!a0AWZy!NI`5u-10Z=37?N89_D0; const csrfCheck = new CsrfCheck(); -const implicitGrantController = new ImplicitGrantController(); -const authZCodeGrantController = new AuthZCodeGrantController(); +// const implicitGrantController = new ImplicitGrantController(); +// const authZCodeGrantController = new AuthZCodeGrantController(); const pkceCheckController = new PKCECheck(); export function init(sdk: SDK) { @@ -29,20 +29,21 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse( async (sdk: SDK, {}>, req: Request, resp: Response) => { await csrfCheck.checker(sdk, req, resp); - sdk.events.onInterceptRequest(async (sdk, req: Request) => { - const result = - authZCodeGrantController.testReq(req) || - implicitGrantController.testReq(req); - - if (result) { await pkceCheckController.test(sdk, req); + // sdk.events.onInterceptRequest(async (sdk, req: Request) => { + // const result = + // authZCodeGrantController.testReq(req) || + // implicitGrantController.testReq(req); - await sdk.findings.create({ - title: "Possible SSO Request Detected", - description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - request: req, - reporter: "", - }); + // if (result) { + // await pkceCheckController.test(sdk, req); + + // await sdk.findings.create({ + // title: "Possible SSO Request Detected", + // description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + // request: req, + // reporter: "", + // }); } ); }