[Update] oauth 탐지 로직 정교화

2025-06-02 10:50:11 +09:00 · 2025-06-02 10:50:11 +09:00 · b8b7edb5ac
commit b8b7edb5ac
parent 9ccd1eb7ac
4 changed files with 180 additions and 45 deletions
--- a/packages/backend/src/controller/csrfCheck.ts
+++ b/packages/backend/src/controller/csrfCheck.ts
@ -7,13 +7,13 @@ const httpUtils = new HttpUtils();
 export class CsrfCheck {
  private isTargetUri(uri: string): boolean {
    if (
-      uri.includes("client_id=") &&
-      (uri.includes("response_type=") ||
-        uri.includes("grant_type=") ||
-        uri.includes("redirect_uri=") ||
-        uri.includes("scope=") ||
-        uri.includes("state=") ||
-        uri.includes("nonce="))
+      httpUtils.getQueryParamFromURI(uri, "client_id") &&
+      (httpUtils.getQueryParamFromURI(uri, "response_type") ||
+        httpUtils.getQueryParamFromURI(uri, "grant_type") ||
+        httpUtils.getQueryParamFromURI(uri, "redirect_uri") ||
+        httpUtils.getQueryParamFromURI(uri, "scope") ||
+        httpUtils.getQueryParamFromURI(uri, "state") ||
+        httpUtils.getQueryParamFromURI(uri, "nonce"))
    ) {
      return true;
    }
@ -151,15 +151,25 @@ export class CsrfCheck {
    let result = ``;

    // 쿼리에 state 파라미터가 없으면 CSRF 위험
-    if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
-      result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
+    try {
+      if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
+        result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
+      }
+    } catch (error) {
+      sdk.console.error(`Error checking state in query: ${error}`);
    }

    // location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험
-    const stateAtResponseLocationHeaderCheck =
-      this.checkStateAtResponseLocationHeader(request, response);
-    if (stateAtResponseLocationHeaderCheck !== 0) {
-      result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
+    try {
+      const stateAtResponseLocationHeaderCheck =
+        this.checkStateAtResponseLocationHeader(request, response);
+      if (stateAtResponseLocationHeaderCheck !== 0) {
+        result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
+      }
+    } catch (error) {
+      sdk.console.error(
+        `Error checking state in response location header: ${error}`
+      );
    }

    // // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
@ -168,13 +178,19 @@ export class CsrfCheck {
    //   result += `, ${reusedStateCheck.join(", ")}`;
    // }

-    if (result) {
-      await sdk.findings.create({
-        title: "csrf vuln",
-        description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
-        request,
-        reporter: "csrf reporter",
-      });
+    result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas
+    try {
+      if (result) {
+        await sdk.findings.create({
+          title: "csrf vuln",
+          description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
+          request,
+          reporter: "csrf reporter",
+        });
+        sdk.console.log("qq");
+      }
+    } catch (error) {
+      sdk.console.error(`Error creating finding: ${error}`);
    }
  }
 }