From 12f635c77be748b4c0825fa9e31a60312866e1bf Mon Sep 17 00:00:00 2001 From: imnyang Date: Sun, 25 May 2025 16:59:51 +0900 Subject: [PATCH 01/20] What's happening!! --- bun.lock | 502 ++++++++++++++++++ dist/plugin_package.zip | Bin 2892 -> 7047 bytes package.json | 1 + .../src/controller/PKCEDowngradeCheck.ts | 108 ++++ packages/backend/src/index.ts | 5 + packages/backend/tsconfig.json | 2 +- 6 files changed, 617 insertions(+), 1 deletion(-) create mode 100644 bun.lock create mode 100644 packages/backend/src/controller/PKCEDowngradeCheck.ts diff --git a/bun.lock b/bun.lock new file mode 100644 index 0000000..289e8aa --- /dev/null +++ b/bun.lock @@ -0,0 +1,502 @@ +{ + "lockfileVersion": 1, + "workspaces": { + "": { + "name": "caido-oauth", + "devDependencies": { + "@caido-community/dev": "^0.1.3", + "@caido/sdk-backend": "^0.48.1", + "typescript": "5.5.4", + }, + }, + }, + "packages": { + "@caido-community/dev": ["@caido-community/dev@0.1.6", "", { "dependencies": { "@caido/plugin-manifest": "0.3.0", "chalk": "5.4.1", "chokidar": "4.0.3", "commander": "13.0.0", "express": "5.0.0", "glob": "11.0.1", "jiti": "2.4.2", "jszip": "3.10.1", "tsup": "8.3.5", "vite": "6.0.7", "ws": "8.18.0", "zod": "3.24.1" }, "bin": { "caido-dev": "dist/cli.js" } }, "sha512-WAWmPdEahh4e24sO4crt+nvqZryhKsy4yP5QYGoyUKqEYVAct5S/lI9fHdoIRQPJDSds3ayB6jgMKAlifd8BAg=="], + + "@caido/plugin-manifest": ["@caido/plugin-manifest@0.3.0", "", { "dependencies": { "ajv": "^8.17.0" } }, "sha512-HRGHf65K2sfSdaEUwkCNDlurJ4zL0bOUg/Db4u6CrwjTTzmg2gOzP6SzLRj+69gWmxOm5LUjhInNHaMIRmQkHw=="], + + "@caido/quickjs-types": ["@caido/quickjs-types@0.18.0", "", {}, "sha512-hRXUVdDvlhEhvkBoWWytoVS2j1KDVZa8dx2Q/KvWUQTR57U8EMSYE9iFgvPhu78gS8z+RF42Zcb7moNx4SDMlw=="], + + "@caido/sdk-backend": ["@caido/sdk-backend@0.48.1", "", { "dependencies": { "@caido/quickjs-types": "0.18.0", "@caido/sdk-shared": "^0.1.0" } }, "sha512-JvFeOlSqAKbj3OenBn0LPtCNaOV0x6YtaAQijpvYfBJK32Nvbf924Z10bFVCu+Clc5A1qr7HcAvJ/8B/aRikWA=="], + + "@caido/sdk-shared": ["@caido/sdk-shared@0.1.1", "", {}, "sha512-JAV5ajUqxZdXYPTmDEvIKBZon8I5uHq44ATj0Nj3BVpllRDUGY9kcBd+PXMD50+3lv1CvhR3/f6q24T0+4aVJQ=="], + + "@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.24.2", "", { "os": "aix", "cpu": "ppc64" }, "sha512-thpVCb/rhxE/BnMLQ7GReQLLN8q9qbHmI55F4489/ByVg2aQaQ6kbcLb6FHkocZzQhxc4gx0sCk0tJkKBFzDhA=="], + + "@esbuild/android-arm": ["@esbuild/android-arm@0.24.2", "", { "os": "android", "cpu": "arm" }, "sha512-tmwl4hJkCfNHwFB3nBa8z1Uy3ypZpxqxfTQOcHX+xRByyYgunVbZ9MzUUfb0RxaHIMnbHagwAxuTL+tnNM+1/Q=="], + + "@esbuild/android-arm64": ["@esbuild/android-arm64@0.24.2", "", { "os": "android", "cpu": "arm64" }, "sha512-cNLgeqCqV8WxfcTIOeL4OAtSmL8JjcN6m09XIgro1Wi7cF4t/THaWEa7eL5CMoMBdjoHOTh/vwTO/o2TRXIyzg=="], + + "@esbuild/android-x64": ["@esbuild/android-x64@0.24.2", "", { "os": "android", "cpu": "x64" }, "sha512-B6Q0YQDqMx9D7rvIcsXfmJfvUYLoP722bgfBlO5cGvNVb5V/+Y7nhBE3mHV9OpxBf4eAS2S68KZztiPaWq4XYw=="], + + "@esbuild/darwin-arm64": ["@esbuild/darwin-arm64@0.24.2", "", { "os": "darwin", "cpu": "arm64" }, "sha512-kj3AnYWc+CekmZnS5IPu9D+HWtUI49hbnyqk0FLEJDbzCIQt7hg7ucF1SQAilhtYpIujfaHr6O0UHlzzSPdOeA=="], + + "@esbuild/darwin-x64": ["@esbuild/darwin-x64@0.24.2", "", { "os": "darwin", "cpu": "x64" }, "sha512-WeSrmwwHaPkNR5H3yYfowhZcbriGqooyu3zI/3GGpF8AyUdsrrP0X6KumITGA9WOyiJavnGZUwPGvxvwfWPHIA=="], + + "@esbuild/freebsd-arm64": ["@esbuild/freebsd-arm64@0.24.2", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-UN8HXjtJ0k/Mj6a9+5u6+2eZ2ERD7Edt1Q9IZiB5UZAIdPnVKDoG7mdTVGhHJIeEml60JteamR3qhsr1r8gXvg=="], + + "@esbuild/freebsd-x64": ["@esbuild/freebsd-x64@0.24.2", "", { "os": "freebsd", "cpu": "x64" }, "sha512-TvW7wE/89PYW+IevEJXZ5sF6gJRDY/14hyIGFXdIucxCsbRmLUcjseQu1SyTko+2idmCw94TgyaEZi9HUSOe3Q=="], + + "@esbuild/linux-arm": ["@esbuild/linux-arm@0.24.2", "", { "os": "linux", "cpu": "arm" }, "sha512-n0WRM/gWIdU29J57hJyUdIsk0WarGd6To0s+Y+LwvlC55wt+GT/OgkwoXCXvIue1i1sSNWblHEig00GBWiJgfA=="], + + "@esbuild/linux-arm64": ["@esbuild/linux-arm64@0.24.2", "", { "os": "linux", "cpu": "arm64" }, "sha512-7HnAD6074BW43YvvUmE/35Id9/NB7BeX5EoNkK9obndmZBUk8xmJJeU7DwmUeN7tkysslb2eSl6CTrYz6oEMQg=="], + + "@esbuild/linux-ia32": ["@esbuild/linux-ia32@0.24.2", "", { "os": "linux", "cpu": "ia32" }, "sha512-sfv0tGPQhcZOgTKO3oBE9xpHuUqguHvSo4jl+wjnKwFpapx+vUDcawbwPNuBIAYdRAvIDBfZVvXprIj3HA+Ugw=="], + + "@esbuild/linux-loong64": ["@esbuild/linux-loong64@0.24.2", "", { "os": "linux", "cpu": "none" }, "sha512-CN9AZr8kEndGooS35ntToZLTQLHEjtVB5n7dl8ZcTZMonJ7CCfStrYhrzF97eAecqVbVJ7APOEe18RPI4KLhwQ=="], + + "@esbuild/linux-mips64el": ["@esbuild/linux-mips64el@0.24.2", "", { "os": "linux", "cpu": "none" }, "sha512-iMkk7qr/wl3exJATwkISxI7kTcmHKE+BlymIAbHO8xanq/TjHaaVThFF6ipWzPHryoFsesNQJPE/3wFJw4+huw=="], + + "@esbuild/linux-ppc64": ["@esbuild/linux-ppc64@0.24.2", "", { "os": "linux", "cpu": "ppc64" }, "sha512-shsVrgCZ57Vr2L8mm39kO5PPIb+843FStGt7sGGoqiiWYconSxwTiuswC1VJZLCjNiMLAMh34jg4VSEQb+iEbw=="], + + "@esbuild/linux-riscv64": ["@esbuild/linux-riscv64@0.24.2", "", { "os": "linux", "cpu": "none" }, "sha512-4eSFWnU9Hhd68fW16GD0TINewo1L6dRrB+oLNNbYyMUAeOD2yCK5KXGK1GH4qD/kT+bTEXjsyTCiJGHPZ3eM9Q=="], + + "@esbuild/linux-s390x": ["@esbuild/linux-s390x@0.24.2", "", { "os": "linux", "cpu": "s390x" }, "sha512-S0Bh0A53b0YHL2XEXC20bHLuGMOhFDO6GN4b3YjRLK//Ep3ql3erpNcPlEFed93hsQAjAQDNsvcK+hV90FubSw=="], + + "@esbuild/linux-x64": ["@esbuild/linux-x64@0.24.2", "", { "os": "linux", "cpu": "x64" }, "sha512-8Qi4nQcCTbLnK9WoMjdC9NiTG6/E38RNICU6sUNqK0QFxCYgoARqVqxdFmWkdonVsvGqWhmm7MO0jyTqLqwj0Q=="], + + "@esbuild/netbsd-arm64": ["@esbuild/netbsd-arm64@0.24.2", "", { "os": "none", "cpu": "arm64" }, "sha512-wuLK/VztRRpMt9zyHSazyCVdCXlpHkKm34WUyinD2lzK07FAHTq0KQvZZlXikNWkDGoT6x3TD51jKQ7gMVpopw=="], + + "@esbuild/netbsd-x64": ["@esbuild/netbsd-x64@0.24.2", "", { "os": "none", "cpu": "x64" }, "sha512-VefFaQUc4FMmJuAxmIHgUmfNiLXY438XrL4GDNV1Y1H/RW3qow68xTwjZKfj/+Plp9NANmzbH5R40Meudu8mmw=="], + + "@esbuild/openbsd-arm64": ["@esbuild/openbsd-arm64@0.24.2", "", { "os": "openbsd", "cpu": "arm64" }, "sha512-YQbi46SBct6iKnszhSvdluqDmxCJA+Pu280Av9WICNwQmMxV7nLRHZfjQzwbPs3jeWnuAhE9Jy0NrnJ12Oz+0A=="], + + "@esbuild/openbsd-x64": ["@esbuild/openbsd-x64@0.24.2", "", { "os": "openbsd", "cpu": "x64" }, "sha512-+iDS6zpNM6EnJyWv0bMGLWSWeXGN/HTaF/LXHXHwejGsVi+ooqDfMCCTerNFxEkM3wYVcExkeGXNqshc9iMaOA=="], + + "@esbuild/sunos-x64": ["@esbuild/sunos-x64@0.24.2", "", { "os": "sunos", "cpu": "x64" }, "sha512-hTdsW27jcktEvpwNHJU4ZwWFGkz2zRJUz8pvddmXPtXDzVKTTINmlmga3ZzwcuMpUvLw7JkLy9QLKyGpD2Yxig=="], + + "@esbuild/win32-arm64": ["@esbuild/win32-arm64@0.24.2", "", { "os": "win32", "cpu": "arm64" }, "sha512-LihEQ2BBKVFLOC9ZItT9iFprsE9tqjDjnbulhHoFxYQtQfai7qfluVODIYxt1PgdoyQkz23+01rzwNwYfutxUQ=="], + + "@esbuild/win32-ia32": ["@esbuild/win32-ia32@0.24.2", "", { "os": "win32", "cpu": "ia32" }, "sha512-q+iGUwfs8tncmFC9pcnD5IvRHAzmbwQ3GPS5/ceCyHdjXubwQWI12MKWSNSMYLJMq23/IUCvJMS76PDqXe1fxA=="], + + "@esbuild/win32-x64": ["@esbuild/win32-x64@0.24.2", "", { "os": "win32", "cpu": "x64" }, "sha512-7VTgWzgMGvup6aSqDPLiW5zHaxYJGTO4OokMjIlrCtf+VpEL+cXKtCvg723iguPYI5oaUNdS+/V7OU2gvXVWEg=="], + + "@isaacs/cliui": ["@isaacs/cliui@8.0.2", "", { "dependencies": { "string-width": "^5.1.2", "string-width-cjs": "npm:string-width@^4.2.0", "strip-ansi": "^7.0.1", "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", "wrap-ansi": "^8.1.0", "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" } }, "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA=="], + + "@jridgewell/gen-mapping": ["@jridgewell/gen-mapping@0.3.8", "", { "dependencies": { "@jridgewell/set-array": "^1.2.1", "@jridgewell/sourcemap-codec": "^1.4.10", "@jridgewell/trace-mapping": "^0.3.24" } }, "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA=="], + + "@jridgewell/resolve-uri": ["@jridgewell/resolve-uri@3.1.2", "", {}, "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw=="], + + "@jridgewell/set-array": ["@jridgewell/set-array@1.2.1", "", {}, "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A=="], + + "@jridgewell/sourcemap-codec": ["@jridgewell/sourcemap-codec@1.5.0", "", {}, "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ=="], + + "@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.25", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ=="], + + "@pkgjs/parseargs": ["@pkgjs/parseargs@0.11.0", "", {}, "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg=="], + + "@rollup/rollup-android-arm-eabi": ["@rollup/rollup-android-arm-eabi@4.41.1", "", { "os": "android", "cpu": "arm" }, "sha512-NELNvyEWZ6R9QMkiytB4/L4zSEaBC03KIXEghptLGLZWJ6VPrL63ooZQCOnlx36aQPGhzuOMwDerC1Eb2VmrLw=="], + + "@rollup/rollup-android-arm64": ["@rollup/rollup-android-arm64@4.41.1", "", { "os": "android", "cpu": "arm64" }, "sha512-DXdQe1BJ6TK47ukAoZLehRHhfKnKg9BjnQYUu9gzhI8Mwa1d2fzxA1aw2JixHVl403bwp1+/o/NhhHtxWJBgEA=="], + + "@rollup/rollup-darwin-arm64": ["@rollup/rollup-darwin-arm64@4.41.1", "", { "os": "darwin", "cpu": "arm64" }, "sha512-5afxvwszzdulsU2w8JKWwY8/sJOLPzf0e1bFuvcW5h9zsEg+RQAojdW0ux2zyYAz7R8HvvzKCjLNJhVq965U7w=="], + + "@rollup/rollup-darwin-x64": ["@rollup/rollup-darwin-x64@4.41.1", "", { "os": "darwin", "cpu": "x64" }, "sha512-egpJACny8QOdHNNMZKf8xY0Is6gIMz+tuqXlusxquWu3F833DcMwmGM7WlvCO9sB3OsPjdC4U0wHw5FabzCGZg=="], + + "@rollup/rollup-freebsd-arm64": ["@rollup/rollup-freebsd-arm64@4.41.1", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-DBVMZH5vbjgRk3r0OzgjS38z+atlupJ7xfKIDJdZZL6sM6wjfDNo64aowcLPKIx7LMQi8vybB56uh1Ftck/Atg=="], + + "@rollup/rollup-freebsd-x64": ["@rollup/rollup-freebsd-x64@4.41.1", "", { "os": "freebsd", "cpu": "x64" }, "sha512-3FkydeohozEskBxNWEIbPfOE0aqQgB6ttTkJ159uWOFn42VLyfAiyD9UK5mhu+ItWzft60DycIN1Xdgiy8o/SA=="], + + "@rollup/rollup-linux-arm-gnueabihf": ["@rollup/rollup-linux-arm-gnueabihf@4.41.1", "", { "os": "linux", "cpu": "arm" }, "sha512-wC53ZNDgt0pqx5xCAgNunkTzFE8GTgdZ9EwYGVcg+jEjJdZGtq9xPjDnFgfFozQI/Xm1mh+D9YlYtl+ueswNEg=="], + + "@rollup/rollup-linux-arm-musleabihf": ["@rollup/rollup-linux-arm-musleabihf@4.41.1", "", { "os": "linux", "cpu": "arm" }, "sha512-jwKCca1gbZkZLhLRtsrka5N8sFAaxrGz/7wRJ8Wwvq3jug7toO21vWlViihG85ei7uJTpzbXZRcORotE+xyrLA=="], + + "@rollup/rollup-linux-arm64-gnu": ["@rollup/rollup-linux-arm64-gnu@4.41.1", "", { "os": "linux", "cpu": "arm64" }, "sha512-g0UBcNknsmmNQ8V2d/zD2P7WWfJKU0F1nu0k5pW4rvdb+BIqMm8ToluW/eeRmxCared5dD76lS04uL4UaNgpNA=="], + + "@rollup/rollup-linux-arm64-musl": ["@rollup/rollup-linux-arm64-musl@4.41.1", "", { "os": "linux", "cpu": "arm64" }, "sha512-XZpeGB5TKEZWzIrj7sXr+BEaSgo/ma/kCgrZgL0oo5qdB1JlTzIYQKel/RmhT6vMAvOdM2teYlAaOGJpJ9lahg=="], + + "@rollup/rollup-linux-loongarch64-gnu": ["@rollup/rollup-linux-loongarch64-gnu@4.41.1", "", { "os": "linux", "cpu": "none" }, "sha512-bkCfDJ4qzWfFRCNt5RVV4DOw6KEgFTUZi2r2RuYhGWC8WhCA8lCAJhDeAmrM/fdiAH54m0mA0Vk2FGRPyzI+tw=="], + + "@rollup/rollup-linux-powerpc64le-gnu": ["@rollup/rollup-linux-powerpc64le-gnu@4.41.1", "", { "os": "linux", "cpu": "ppc64" }, "sha512-3mr3Xm+gvMX+/8EKogIZSIEF0WUu0HL9di+YWlJpO8CQBnoLAEL/roTCxuLncEdgcfJcvA4UMOf+2dnjl4Ut1A=="], + + "@rollup/rollup-linux-riscv64-gnu": ["@rollup/rollup-linux-riscv64-gnu@4.41.1", "", { "os": "linux", "cpu": "none" }, "sha512-3rwCIh6MQ1LGrvKJitQjZFuQnT2wxfU+ivhNBzmxXTXPllewOF7JR1s2vMX/tWtUYFgphygxjqMl76q4aMotGw=="], + + "@rollup/rollup-linux-riscv64-musl": ["@rollup/rollup-linux-riscv64-musl@4.41.1", "", { "os": "linux", "cpu": "none" }, "sha512-LdIUOb3gvfmpkgFZuccNa2uYiqtgZAz3PTzjuM5bH3nvuy9ty6RGc/Q0+HDFrHrizJGVpjnTZ1yS5TNNjFlklw=="], + + "@rollup/rollup-linux-s390x-gnu": ["@rollup/rollup-linux-s390x-gnu@4.41.1", "", { "os": "linux", "cpu": "s390x" }, "sha512-oIE6M8WC9ma6xYqjvPhzZYk6NbobIURvP/lEbh7FWplcMO6gn7MM2yHKA1eC/GvYwzNKK/1LYgqzdkZ8YFxR8g=="], + + "@rollup/rollup-linux-x64-gnu": ["@rollup/rollup-linux-x64-gnu@4.41.1", "", { "os": "linux", "cpu": "x64" }, "sha512-cWBOvayNvA+SyeQMp79BHPK8ws6sHSsYnK5zDcsC3Hsxr1dgTABKjMnMslPq1DvZIp6uO7kIWhiGwaTdR4Og9A=="], + + "@rollup/rollup-linux-x64-musl": ["@rollup/rollup-linux-x64-musl@4.41.1", "", { "os": "linux", "cpu": "x64" }, "sha512-y5CbN44M+pUCdGDlZFzGGBSKCA4A/J2ZH4edTYSSxFg7ce1Xt3GtydbVKWLlzL+INfFIZAEg1ZV6hh9+QQf9YQ=="], + + "@rollup/rollup-win32-arm64-msvc": ["@rollup/rollup-win32-arm64-msvc@4.41.1", "", { "os": "win32", "cpu": "arm64" }, "sha512-lZkCxIrjlJlMt1dLO/FbpZbzt6J/A8p4DnqzSa4PWqPEUUUnzXLeki/iyPLfV0BmHItlYgHUqJe+3KiyydmiNQ=="], + + "@rollup/rollup-win32-ia32-msvc": ["@rollup/rollup-win32-ia32-msvc@4.41.1", "", { "os": "win32", "cpu": "ia32" }, "sha512-+psFT9+pIh2iuGsxFYYa/LhS5MFKmuivRsx9iPJWNSGbh2XVEjk90fmpUEjCnILPEPJnikAU6SFDiEUyOv90Pg=="], + + "@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.41.1", "", { "os": "win32", "cpu": "x64" }, "sha512-Wq2zpapRYLfi4aKxf2Xff0tN+7slj2d4R87WEzqw7ZLsVvO5zwYCIuEGSZYiK41+GlwUo1HiR+GdkLEJnCKTCw=="], + + "@types/estree": ["@types/estree@1.0.7", "", {}, "sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ=="], + + "accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="], + + "ajv": ["ajv@8.17.1", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g=="], + + "ansi-regex": ["ansi-regex@6.1.0", "", {}, "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA=="], + + "ansi-styles": ["ansi-styles@6.2.1", "", {}, "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug=="], + + "any-promise": ["any-promise@1.3.0", "", {}, "sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A=="], + + "balanced-match": ["balanced-match@1.0.2", "", {}, "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="], + + "body-parser": ["body-parser@2.2.0", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.0", "http-errors": "^2.0.0", "iconv-lite": "^0.6.3", "on-finished": "^2.4.1", "qs": "^6.14.0", "raw-body": "^3.0.0", "type-is": "^2.0.0" } }, "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg=="], + + "brace-expansion": ["brace-expansion@2.0.1", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA=="], + + "bundle-require": ["bundle-require@5.1.0", "", { "dependencies": { "load-tsconfig": "^0.2.3" }, "peerDependencies": { "esbuild": ">=0.18" } }, "sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA=="], + + "bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="], + + "cac": ["cac@6.7.14", "", {}, "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ=="], + + "call-bind-apply-helpers": ["call-bind-apply-helpers@1.0.2", "", { "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2" } }, "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ=="], + + "call-bound": ["call-bound@1.0.4", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "get-intrinsic": "^1.3.0" } }, "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg=="], + + "chalk": ["chalk@5.4.1", "", {}, "sha512-zgVZuo2WcZgfUEmsn6eO3kINexW8RAE4maiQ8QNs8CtpPCSyMiYsULR3HQYkm3w8FIA3SberyMJMSldGsW+U3w=="], + + "chokidar": ["chokidar@4.0.3", "", { "dependencies": { "readdirp": "^4.0.1" } }, "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA=="], + + "color-convert": ["color-convert@2.0.1", "", { "dependencies": { "color-name": "~1.1.4" } }, "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ=="], + + "color-name": ["color-name@1.1.4", "", {}, "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="], + + "commander": ["commander@13.0.0", "", {}, "sha512-oPYleIY8wmTVzkvQq10AEok6YcTC4sRUBl8F9gVuwchGVUCTbl/vhLTaQqutuuySYOsu8YTgV+OxKc/8Yvx+mQ=="], + + "consola": ["consola@3.4.2", "", {}, "sha512-5IKcdX0nnYavi6G7TtOhwkYzyjfJlatbjMjuLSfE2kYT5pMDOilZ4OvMhi637CcDICTmz3wARPoyhqyX1Y+XvA=="], + + "content-disposition": ["content-disposition@1.0.0", "", { "dependencies": { "safe-buffer": "5.2.1" } }, "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg=="], + + "content-type": ["content-type@1.0.5", "", {}, "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA=="], + + "cookie": ["cookie@0.6.0", "", {}, "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw=="], + + "cookie-signature": ["cookie-signature@1.2.2", "", {}, "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg=="], + + "core-util-is": ["core-util-is@1.0.3", "", {}, "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ=="], + + "cross-spawn": ["cross-spawn@7.0.6", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="], + + "debug": ["debug@4.3.6", "", { "dependencies": { "ms": "2.1.2" } }, "sha512-O/09Bd4Z1fBrU4VzkhFqVgpPzaGbw6Sm9FEkBT1A/YBXQFGuuSxa1dN2nxgxS34JmKXqYx8CZAwEVoJFImUXIg=="], + + "depd": ["depd@2.0.0", "", {}, "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="], + + "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="], + + "eastasianwidth": ["eastasianwidth@0.2.0", "", {}, "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA=="], + + "ee-first": ["ee-first@1.1.1", "", {}, "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="], + + "emoji-regex": ["emoji-regex@9.2.2", "", {}, "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg=="], + + "encodeurl": ["encodeurl@2.0.0", "", {}, "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg=="], + + "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="], + + "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="], + + "es-object-atoms": ["es-object-atoms@1.1.1", "", { "dependencies": { "es-errors": "^1.3.0" } }, "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA=="], + + "esbuild": ["esbuild@0.24.2", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.24.2", "@esbuild/android-arm": "0.24.2", "@esbuild/android-arm64": "0.24.2", "@esbuild/android-x64": "0.24.2", "@esbuild/darwin-arm64": "0.24.2", "@esbuild/darwin-x64": "0.24.2", "@esbuild/freebsd-arm64": "0.24.2", "@esbuild/freebsd-x64": "0.24.2", "@esbuild/linux-arm": "0.24.2", "@esbuild/linux-arm64": "0.24.2", "@esbuild/linux-ia32": "0.24.2", "@esbuild/linux-loong64": "0.24.2", "@esbuild/linux-mips64el": "0.24.2", "@esbuild/linux-ppc64": "0.24.2", "@esbuild/linux-riscv64": "0.24.2", "@esbuild/linux-s390x": "0.24.2", "@esbuild/linux-x64": "0.24.2", "@esbuild/netbsd-arm64": "0.24.2", "@esbuild/netbsd-x64": "0.24.2", "@esbuild/openbsd-arm64": "0.24.2", "@esbuild/openbsd-x64": "0.24.2", "@esbuild/sunos-x64": "0.24.2", "@esbuild/win32-arm64": "0.24.2", "@esbuild/win32-ia32": "0.24.2", "@esbuild/win32-x64": "0.24.2" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-+9egpBW8I3CD5XPe0n6BfT5fxLzxrlDzqydF3aviG+9ni1lDC/OvMHcxqEFV0+LANZG5R1bFMWfUrjVsdwxJvA=="], + + "escape-html": ["escape-html@1.0.3", "", {}, "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow=="], + + "etag": ["etag@1.8.1", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="], + + "express": ["express@5.0.0", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.0.1", "content-disposition": "^1.0.0", "content-type": "~1.0.4", "cookie": "0.6.0", "cookie-signature": "^1.2.1", "debug": "4.3.6", "depd": "2.0.0", "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", "finalhandler": "^2.0.0", "fresh": "2.0.0", "http-errors": "2.0.0", "merge-descriptors": "^2.0.0", "methods": "~1.1.2", "mime-types": "^3.0.0", "on-finished": "2.4.1", "once": "1.4.0", "parseurl": "~1.3.3", "proxy-addr": "~2.0.7", "qs": "6.13.0", "range-parser": "~1.2.1", "router": "^2.0.0", "safe-buffer": "5.2.1", "send": "^1.1.0", "serve-static": "^2.1.0", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "^2.0.0", "utils-merge": "1.0.1", "vary": "~1.1.2" } }, "sha512-V4UkHQc+B7ldh1YC84HCXHwf60M4BOMvp9rkvTUWCK5apqDC1Esnbid4wm6nFyVuDy8XMfETsJw5lsIGBWyo0A=="], + + "fast-deep-equal": ["fast-deep-equal@3.1.3", "", {}, "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q=="], + + "fast-uri": ["fast-uri@3.0.6", "", {}, "sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw=="], + + "fdir": ["fdir@6.4.4", "", { "peerDependencies": { "picomatch": "^3 || ^4" }, "optionalPeers": ["picomatch"] }, "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg=="], + + "finalhandler": ["finalhandler@2.1.0", "", { "dependencies": { "debug": "^4.4.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "on-finished": "^2.4.1", "parseurl": "^1.3.3", "statuses": "^2.0.1" } }, "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q=="], + + "foreground-child": ["foreground-child@3.3.1", "", { "dependencies": { "cross-spawn": "^7.0.6", "signal-exit": "^4.0.1" } }, "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw=="], + + "forwarded": ["forwarded@0.2.0", "", {}, "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow=="], + + "fresh": ["fresh@2.0.0", "", {}, "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A=="], + + "fsevents": ["fsevents@2.3.3", "", { "os": "darwin" }, "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw=="], + + "function-bind": ["function-bind@1.1.2", "", {}, "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA=="], + + "get-intrinsic": ["get-intrinsic@1.3.0", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "es-define-property": "^1.0.1", "es-errors": "^1.3.0", "es-object-atoms": "^1.1.1", "function-bind": "^1.1.2", "get-proto": "^1.0.1", "gopd": "^1.2.0", "has-symbols": "^1.1.0", "hasown": "^2.0.2", "math-intrinsics": "^1.1.0" } }, "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ=="], + + "get-proto": ["get-proto@1.0.1", "", { "dependencies": { "dunder-proto": "^1.0.1", "es-object-atoms": "^1.0.0" } }, "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g=="], + + "glob": ["glob@11.0.1", "", { "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^4.0.1", "minimatch": "^10.0.0", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^2.0.0" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-zrQDm8XPnYEKawJScsnM0QzobJxlT/kHOOlRTio8IH/GrmxRE5fjllkzdaHclIuNjUQTJYH2xHNIGfdpJkDJUw=="], + + "gopd": ["gopd@1.2.0", "", {}, "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg=="], + + "has-symbols": ["has-symbols@1.1.0", "", {}, "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ=="], + + "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="], + + "http-errors": ["http-errors@2.0.0", "", { "dependencies": { "depd": "2.0.0", "inherits": "2.0.4", "setprototypeof": "1.2.0", "statuses": "2.0.1", "toidentifier": "1.0.1" } }, "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ=="], + + "iconv-lite": ["iconv-lite@0.6.3", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="], + + "immediate": ["immediate@3.0.6", "", {}, "sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ=="], + + "inherits": ["inherits@2.0.4", "", {}, "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="], + + "ipaddr.js": ["ipaddr.js@1.9.1", "", {}, "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g=="], + + "is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="], + + "is-promise": ["is-promise@4.0.0", "", {}, "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="], + + "isarray": ["isarray@1.0.0", "", {}, "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ=="], + + "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="], + + "jackspeak": ["jackspeak@4.1.1", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" } }, "sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ=="], + + "jiti": ["jiti@2.4.2", "", { "bin": { "jiti": "lib/jiti-cli.mjs" } }, "sha512-rg9zJN+G4n2nfJl5MW3BMygZX56zKPNVEYYqq7adpmMh4Jn2QNEwhvQlFy6jPVdcod7txZtKHWnyZiA3a0zP7A=="], + + "joycon": ["joycon@3.1.1", "", {}, "sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw=="], + + "json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="], + + "jszip": ["jszip@3.10.1", "", { "dependencies": { "lie": "~3.3.0", "pako": "~1.0.2", "readable-stream": "~2.3.6", "setimmediate": "^1.0.5" } }, "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g=="], + + "lie": ["lie@3.3.0", "", { "dependencies": { "immediate": "~3.0.5" } }, "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ=="], + + "lilconfig": ["lilconfig@3.1.3", "", {}, "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw=="], + + "lines-and-columns": ["lines-and-columns@1.2.4", "", {}, "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg=="], + + "load-tsconfig": ["load-tsconfig@0.2.5", "", {}, "sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg=="], + + "lodash.sortby": ["lodash.sortby@4.7.0", "", {}, "sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA=="], + + "lru-cache": ["lru-cache@11.1.0", "", {}, "sha512-QIXZUBJUx+2zHUdQujWejBkcD9+cs94tLn0+YL8UrCh+D5sCXZ4c7LaEH48pNwRY3MLDgqUFyhlCyjJPf1WP0A=="], + + "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="], + + "media-typer": ["media-typer@1.1.0", "", {}, "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw=="], + + "merge-descriptors": ["merge-descriptors@2.0.0", "", {}, "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g=="], + + "methods": ["methods@1.1.2", "", {}, "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w=="], + + "mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="], + + "mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="], + + "minimatch": ["minimatch@10.0.1", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ=="], + + "minipass": ["minipass@7.1.2", "", {}, "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw=="], + + "ms": ["ms@2.1.2", "", {}, "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="], + + "mz": ["mz@2.7.0", "", { "dependencies": { "any-promise": "^1.0.0", "object-assign": "^4.0.1", "thenify-all": "^1.0.0" } }, "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q=="], + + "nanoid": ["nanoid@3.3.11", "", { "bin": { "nanoid": "bin/nanoid.cjs" } }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="], + + "negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="], + + "object-assign": ["object-assign@4.1.1", "", {}, "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="], + + "object-inspect": ["object-inspect@1.13.4", "", {}, "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew=="], + + "on-finished": ["on-finished@2.4.1", "", { "dependencies": { "ee-first": "1.1.1" } }, "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg=="], + + "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="], + + "package-json-from-dist": ["package-json-from-dist@1.0.1", "", {}, "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw=="], + + "pako": ["pako@1.0.11", "", {}, "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw=="], + + "parseurl": ["parseurl@1.3.3", "", {}, "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ=="], + + "path-key": ["path-key@3.1.1", "", {}, "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="], + + "path-scurry": ["path-scurry@2.0.0", "", { "dependencies": { "lru-cache": "^11.0.0", "minipass": "^7.1.2" } }, "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg=="], + + "path-to-regexp": ["path-to-regexp@8.2.0", "", {}, "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ=="], + + "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="], + + "picomatch": ["picomatch@4.0.2", "", {}, "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg=="], + + "pirates": ["pirates@4.0.7", "", {}, "sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA=="], + + "postcss": ["postcss@8.5.3", "", { "dependencies": { "nanoid": "^3.3.8", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" } }, "sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A=="], + + "postcss-load-config": ["postcss-load-config@6.0.1", "", { "dependencies": { "lilconfig": "^3.1.1" }, "peerDependencies": { "jiti": ">=1.21.0", "postcss": ">=8.0.9", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["jiti", "postcss", "tsx", "yaml"] }, "sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g=="], + + "process-nextick-args": ["process-nextick-args@2.0.1", "", {}, "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag=="], + + "proxy-addr": ["proxy-addr@2.0.7", "", { "dependencies": { "forwarded": "0.2.0", "ipaddr.js": "1.9.1" } }, "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg=="], + + "punycode": ["punycode@2.3.1", "", {}, "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg=="], + + "qs": ["qs@6.13.0", "", { "dependencies": { "side-channel": "^1.0.6" } }, "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg=="], + + "range-parser": ["range-parser@1.2.1", "", {}, "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="], + + "raw-body": ["raw-body@3.0.0", "", { "dependencies": { "bytes": "3.1.2", "http-errors": "2.0.0", "iconv-lite": "0.6.3", "unpipe": "1.0.0" } }, "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g=="], + + "readable-stream": ["readable-stream@2.3.8", "", { "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA=="], + + "readdirp": ["readdirp@4.1.2", "", {}, "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg=="], + + "require-from-string": ["require-from-string@2.0.2", "", {}, "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw=="], + + "resolve-from": ["resolve-from@5.0.0", "", {}, "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw=="], + + "rollup": ["rollup@4.41.1", "", { "dependencies": { "@types/estree": "1.0.7" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.41.1", "@rollup/rollup-android-arm64": "4.41.1", "@rollup/rollup-darwin-arm64": "4.41.1", "@rollup/rollup-darwin-x64": "4.41.1", "@rollup/rollup-freebsd-arm64": "4.41.1", "@rollup/rollup-freebsd-x64": "4.41.1", "@rollup/rollup-linux-arm-gnueabihf": "4.41.1", "@rollup/rollup-linux-arm-musleabihf": "4.41.1", "@rollup/rollup-linux-arm64-gnu": "4.41.1", "@rollup/rollup-linux-arm64-musl": "4.41.1", "@rollup/rollup-linux-loongarch64-gnu": "4.41.1", "@rollup/rollup-linux-powerpc64le-gnu": "4.41.1", "@rollup/rollup-linux-riscv64-gnu": "4.41.1", "@rollup/rollup-linux-riscv64-musl": "4.41.1", "@rollup/rollup-linux-s390x-gnu": "4.41.1", "@rollup/rollup-linux-x64-gnu": "4.41.1", "@rollup/rollup-linux-x64-musl": "4.41.1", "@rollup/rollup-win32-arm64-msvc": "4.41.1", "@rollup/rollup-win32-ia32-msvc": "4.41.1", "@rollup/rollup-win32-x64-msvc": "4.41.1", "fsevents": "~2.3.2" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-cPmwD3FnFv8rKMBc1MxWCwVQFxwf1JEmSX3iQXrRVVG15zerAIXRjMFVWnd5Q5QvgKF7Aj+5ykXFhUl+QGnyOw=="], + + "router": ["router@2.2.0", "", { "dependencies": { "debug": "^4.4.0", "depd": "^2.0.0", "is-promise": "^4.0.0", "parseurl": "^1.3.3", "path-to-regexp": "^8.0.0" } }, "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ=="], + + "safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="], + + "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="], + + "send": ["send@1.2.0", "", { "dependencies": { "debug": "^4.3.5", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.0", "mime-types": "^3.0.1", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.1" } }, "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw=="], + + "serve-static": ["serve-static@2.2.0", "", { "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", "send": "^1.2.0" } }, "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ=="], + + "setimmediate": ["setimmediate@1.0.5", "", {}, "sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA=="], + + "setprototypeof": ["setprototypeof@1.2.0", "", {}, "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw=="], + + "shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="], + + "shebang-regex": ["shebang-regex@3.0.0", "", {}, "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="], + + "side-channel": ["side-channel@1.1.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3", "side-channel-list": "^1.0.0", "side-channel-map": "^1.0.1", "side-channel-weakmap": "^1.0.2" } }, "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw=="], + + "side-channel-list": ["side-channel-list@1.0.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3" } }, "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA=="], + + "side-channel-map": ["side-channel-map@1.0.1", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3" } }, "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA=="], + + "side-channel-weakmap": ["side-channel-weakmap@1.0.2", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3", "side-channel-map": "^1.0.1" } }, "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A=="], + + "signal-exit": ["signal-exit@4.1.0", "", {}, "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw=="], + + "source-map": ["source-map@0.8.0-beta.0", "", { "dependencies": { "whatwg-url": "^7.0.0" } }, "sha512-2ymg6oRBpebeZi9UUNsgQ89bhx01TcTkmNTGnNO88imTmbSgy4nfujrgVEFKWpMTEGA11EDkTt7mqObTPdigIA=="], + + "source-map-js": ["source-map-js@1.2.1", "", {}, "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="], + + "statuses": ["statuses@2.0.1", "", {}, "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ=="], + + "string-width": ["string-width@5.1.2", "", { "dependencies": { "eastasianwidth": "^0.2.0", "emoji-regex": "^9.2.2", "strip-ansi": "^7.0.1" } }, "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA=="], + + "string-width-cjs": ["string-width@4.2.3", "", { "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g=="], + + "string_decoder": ["string_decoder@1.1.1", "", { "dependencies": { "safe-buffer": "~5.1.0" } }, "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg=="], + + "strip-ansi": ["strip-ansi@7.1.0", "", { "dependencies": { "ansi-regex": "^6.0.1" } }, "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ=="], + + "strip-ansi-cjs": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], + + "sucrase": ["sucrase@3.35.0", "", { "dependencies": { "@jridgewell/gen-mapping": "^0.3.2", "commander": "^4.0.0", "glob": "^10.3.10", "lines-and-columns": "^1.1.6", "mz": "^2.7.0", "pirates": "^4.0.1", "ts-interface-checker": "^0.1.9" }, "bin": { "sucrase": "bin/sucrase", "sucrase-node": "bin/sucrase-node" } }, "sha512-8EbVDiu9iN/nESwxeSxDKe0dunta1GOlHufmSSXxMD2z2/tMZpDMpvXQGsc+ajGo8y2uYUmixaSRUc/QPoQ0GA=="], + + "thenify": ["thenify@3.3.1", "", { "dependencies": { "any-promise": "^1.0.0" } }, "sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw=="], + + "thenify-all": ["thenify-all@1.6.0", "", { "dependencies": { "thenify": ">= 3.1.0 < 4" } }, "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA=="], + + "tinyexec": ["tinyexec@0.3.2", "", {}, "sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA=="], + + "tinyglobby": ["tinyglobby@0.2.13", "", { "dependencies": { "fdir": "^6.4.4", "picomatch": "^4.0.2" } }, "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw=="], + + "toidentifier": ["toidentifier@1.0.1", "", {}, "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA=="], + + "tr46": ["tr46@1.0.1", "", { "dependencies": { "punycode": "^2.1.0" } }, "sha512-dTpowEjclQ7Kgx5SdBkqRzVhERQXov8/l9Ft9dVM9fmg0W0KQSVaXX9T4i6twCPNtYiZM53lpSSUAwJbFPOHxA=="], + + "tree-kill": ["tree-kill@1.2.2", "", { "bin": { "tree-kill": "cli.js" } }, "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A=="], + + "ts-interface-checker": ["ts-interface-checker@0.1.13", "", {}, "sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA=="], + + "tsup": ["tsup@8.3.5", "", { "dependencies": { "bundle-require": "^5.0.0", "cac": "^6.7.14", "chokidar": "^4.0.1", "consola": "^3.2.3", "debug": "^4.3.7", "esbuild": "^0.24.0", "joycon": "^3.1.1", "picocolors": "^1.1.1", "postcss-load-config": "^6.0.1", "resolve-from": "^5.0.0", "rollup": "^4.24.0", "source-map": "0.8.0-beta.0", "sucrase": "^3.35.0", "tinyexec": "^0.3.1", "tinyglobby": "^0.2.9", "tree-kill": "^1.2.2" }, "peerDependencies": { "@microsoft/api-extractor": "^7.36.0", "@swc/core": "^1", "postcss": "^8.4.12", "typescript": ">=4.5.0" }, "optionalPeers": ["@microsoft/api-extractor", "@swc/core", "postcss", "typescript"], "bin": { "tsup": "dist/cli-default.js", "tsup-node": "dist/cli-node.js" } }, "sha512-Tunf6r6m6tnZsG9GYWndg0z8dEV7fD733VBFzFJ5Vcm1FtlXB8xBD/rtrBi2a3YKEV7hHtxiZtW5EAVADoe1pA=="], + + "type-is": ["type-is@2.0.1", "", { "dependencies": { "content-type": "^1.0.5", "media-typer": "^1.1.0", "mime-types": "^3.0.0" } }, "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw=="], + + "typescript": ["typescript@5.5.4", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q=="], + + "unpipe": ["unpipe@1.0.0", "", {}, "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="], + + "util-deprecate": ["util-deprecate@1.0.2", "", {}, "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="], + + "utils-merge": ["utils-merge@1.0.1", "", {}, "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA=="], + + "vary": ["vary@1.1.2", "", {}, "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg=="], + + "vite": ["vite@6.0.7", "", { "dependencies": { "esbuild": "^0.24.2", "postcss": "^8.4.49", "rollup": "^4.23.0" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0", "jiti": ">=1.21.0", "less": "*", "lightningcss": "^1.21.0", "sass": "*", "sass-embedded": "*", "stylus": "*", "sugarss": "*", "terser": "^5.16.0", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["@types/node", "jiti", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser", "tsx", "yaml"], "bin": { "vite": "bin/vite.js" } }, "sha512-RDt8r/7qx9940f8FcOIAH9PTViRrghKaK2K1jY3RaAURrEUbm9Du1mJ72G+jlhtG3WwodnfzY8ORQZbBavZEAQ=="], + + "webidl-conversions": ["webidl-conversions@4.0.2", "", {}, "sha512-YQ+BmxuTgd6UXZW3+ICGfyqRyHXVlD5GtQr5+qjiNW7bF0cqrzX500HVXPBOvgXb5YnzDd+h0zqyv61KUD7+Sg=="], + + "whatwg-url": ["whatwg-url@7.1.0", "", { "dependencies": { "lodash.sortby": "^4.7.0", "tr46": "^1.0.1", "webidl-conversions": "^4.0.2" } }, "sha512-WUu7Rg1DroM7oQvGWfOiAK21n74Gg+T4elXEQYkOhtyLeWiJFoOGLXPKI/9gzIie9CtwVLm8wtw6YJdKyxSjeg=="], + + "which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="], + + "wrap-ansi": ["wrap-ansi@8.1.0", "", { "dependencies": { "ansi-styles": "^6.1.0", "string-width": "^5.0.1", "strip-ansi": "^7.0.1" } }, "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ=="], + + "wrap-ansi-cjs": ["wrap-ansi@7.0.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q=="], + + "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="], + + "ws": ["ws@8.18.0", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw=="], + + "zod": ["zod@3.24.1", "", {}, "sha512-muH7gBL9sI1nciMZV67X5fTKKBLtwpZ5VBp1vsOQzj1MhrBZ4wlVCm3gedKZWLp0Oyel8sIGfeiz54Su+OVT+A=="], + + "body-parser/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="], + + "body-parser/qs": ["qs@6.14.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w=="], + + "finalhandler/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="], + + "readable-stream/safe-buffer": ["safe-buffer@5.1.2", "", {}, "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="], + + "router/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="], + + "send/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "string-width-cjs/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="], + + "string-width-cjs/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], + + "string_decoder/safe-buffer": ["safe-buffer@5.1.2", "", {}, "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="], + + "strip-ansi-cjs/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], + + "sucrase/commander": ["commander@4.1.1", "", {}, "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA=="], + + "sucrase/glob": ["glob@10.4.5", "", { "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", "minimatch": "^9.0.4", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg=="], + + "tsup/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="], + + "wrap-ansi-cjs/ansi-styles": ["ansi-styles@4.3.0", "", { "dependencies": { "color-convert": "^2.0.1" } }, "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg=="], + + "wrap-ansi-cjs/string-width": ["string-width@4.2.3", "", { "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g=="], + + "wrap-ansi-cjs/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], + + "body-parser/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "finalhandler/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "router/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "string-width-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], + + "sucrase/glob/jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="], + + "sucrase/glob/minimatch": ["minimatch@9.0.5", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow=="], + + "sucrase/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], + + "tsup/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "wrap-ansi-cjs/string-width/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="], + + "wrap-ansi-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], + + "sucrase/glob/path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="], + } +} diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index 31ab81ad9d2c3ea5abed9c5c5d2b92488e7cd63a..34b70e1f07a90b3eacf3581195e7e40a421828dc 100644 GIT binary patch literal 7047 zcmWIWW@h1H009TvolzhfhB+7*7?Ki`vs3d@^dYK1BIv3FkW^*nrKDEqWfkk|D-Jrfa}tY-6{@)u6f%oZR0X9LY80gwYJ%ky6q57vic1sJrXQVaFcQ%eFt zTn$ZYE(HYzh0HVs4Y0gkW?phmX-aCbhEj4)W@=tZd}fNRlBR;18bm*md{Js~L4ICw zYJ5p$L8@&@es*e}k|xYb1%;y2lG36)g_5GuREQn5V4I-AX^A<-U~!OWW^r(8UP=ha zgphn^u(g=ZFGwuOK)602u_OcLc=EiLn4FwiTpSN}Hx3^bmn4>?g5+vy6hPJ^d0q`& zdrggkK8l#Cex_bYYH;MV|`sD_Yb3rK`OFqY!3t-wnsUOUyeX2)^P)JOJN-$`eQ_3uc zDL_e*XsH|{aIqN#O6152Q4ECIhfnmgyJA%sEf0l2}}sm#hFPeKd+wvUNaJ2E^$K(7Gfy zwIm}y1(A7t!F=KiZUJy0&p&q>wG$xqivh{kkLtOCSTD+QHmh<&vQ(CUgf?cf{@ z(haWJ;F>{60b-tlqOGlhlDlh&63llB3g|{FVRe~beu+Y&g1c)7C}==Iucr{4omo(j znU}7o1a&053WTQ-1qD!<1gUKm!HzTR1*r8cD7PtTDqvFxl8R5xNX*Ge z%}a;XUl_)rs)~n%h%IuFMO;vT(pqLwYKj6V1{DetixP8FOHzx96>>9+i$UQ*O2~lH zM2SLaQ4S($g%;(YrmM_i|AN#!PZtGSND+<{hQ-PG1*x|A1*v(NDUiTH59Q1hNR1DR zBy>MwPl%yGKA?0|T9gA%MZ{@@xfP@v#)caK@hl|ZeG^NPLCqV8dvifN4SnoUq!Asb z7OSPH4^3teQ{d4}gh94wCV(=8BC<0;i3-&~Qu7C@%N6pA6i`K=$qkl96f*OmaY=e& zfjB%Y5tL+7QbE>)26;N?=N9DWrRJ4rK%~K;5^Wf(U~jLWL|WW~Ohn`+sKY_=2{Ab= z5s@Z90SOmXumu$^1v!bCc_bGvSnX8EELH#;M^ae>NglcRDVb@RsVU$h5uS01QVVht zlT&deG;lgov)9)F1(_ZW#kM$9Mcb>zsz9_tTAL7uq`>O3lu&RcPf)3b_D8_^T(7tw zC$mID$x2^eNi*6Yw$@5tAFje9zqmw0v(^eO5RhL45m1-3K)+Rt)KwOrE z*S0AN&}@(5W_a!`DXN5auV9rTxH9%H%1qD91EN34TZbxE7Xz(-&sYfXkes)M5;iAQ=ENz_77_c4Pq|O#r&ckd433}$iZBVdP0O^MFQ*i4iE*XQ&w*^&Yu#5x>JCGp4#Yn+N zqM3-qi!c@LbR=Uzbr4c~fd+0+oq!O5Ye&@Xu%If*EXhe#uvLJySrqIQl%TCHx19WP zNLvrCKSiM=Um*Zg(}ChlNx@1%$sg1UGg2U|7?v_&HW#I)r52^;C8OI8>bw+N>FYxp zcY1lLCHln$smaAq0o}~>{4(8q&;Wvwu3@}^u7QzWMoDgta#32cUU6!2NoIbYp0S>x zo;lcgFw;^JOAG~=8$@(C@`bBBU=4Qrb(0(7Nmq}ctfm_1x z2vbN&ElEu-Nlj5ya4t$sECCg@X_dl0oWIH9#YLAQd1C zju{>BP#TD)fLIMt}71HvH6jZ7~4Ol%cE~JRVTE%g31;Jtgl-S@= zQk#HmF|?Mj0u`pH;-JoHYLS(Kk`mmVh*}QbEkcY8!umzE3dx{`uYyJ@B1MA2160z0 zdWxwq3Tlu?_2j>U)&oT*QzUs2~N634_u(VxSBmuK;N+fHEI8 zX_)qc?BrBS5-H0%i(Ljb8Zf({_q+Cdvkp!h5SRf45CC7{9|$M_z2_!K&Z0`BSJ2r?9P zkn#jn3Kpdnm*$i}oC?Y+ko<+|b+C3McS1~1fL3M2DcMGPxHBX;J6b6y1>_eOXC~#O zDg+1n!-r#Bpc!8Ykv&jzYjCi?Zc%DZVo7QWa?cr7V1VipST5t@f;V#^!y+1*wF+<{ zaO1gF0hHz;-bT) z`hZB3r4|)u=I4Rr4D<~23?QON;Ruom$SFY5nxR3xv5X81AROS$$RxsmdkzaSp9Pwy0Ug? jWcPql14Ji?)RII?8v)*|Y#<3{24;r!3=9m1q(D3X{e-ks delta 170 zcmZoSKO@E);LXg!#Q*|J_%=`ERc2now|S$n7u)1evDV4F;%7E { + const method = req.getMethod(); + const query = req.getQuery(); + + sdk.console.log(`[PKCEDowngradeCheck] Method: ${method}`); + sdk.console.log(`[PKCEDowngradeCheck] Query: ${query}`); + + if (method !== "GET") { + sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping."); + return false; + } + + if ( + !query.includes("client_id=") || + !query.includes("response_type=code") || + !query.includes("code_challenge=") || + !query.includes("code_challenge_method=") + ) { + sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping."); + return false; + } + + const url = req.getUrl(); + const isOpenID = + query.includes("scope=openid") || query.includes("id_token"); + + sdk.console.log(`[PKCEDowngradeCheck] URL: ${url}`); + sdk.console.log(`[PKCEDowngradeCheck] isOpenID: ${isOpenID}`); + + const methodMatch = query.match(/code_challenge_method=([^&]*)/); + const challengeMatch = query.match(/code_challenge=([^&]*)/); + if (!methodMatch || !challengeMatch) { + sdk.console.log("[PKCEDowngradeCheck] code_challenge or code_challenge_method missing in query. Skipping."); + return false; + } + + const methodVal = decodeURIComponent(methodMatch[1] ?? ""); + sdk.console.log(`[PKCEDowngradeCheck] code_challenge_method: ${methodVal}`); + if (methodVal === "plain") { + sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is plain. Skipping."); + return false; + } + + const modifiedQuery = query + .replace(/code_challenge_method=[^&]*&?/, "") + .replace(/code_challenge=[^&]*&?/, "") + .replace(/[?&]$/, ""); + + const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${modifiedQuery}`; + sdk.console.log(`[PKCEDowngradeCheck] Downgraded URL: ${downgradedUrl}`); + + try { + const fetchOriginal = new FetchRequest(url, { method: "GET" }); + const fetchDowngraded = new FetchRequest(downgradedUrl, { method: "GET" }); + + sdk.console.log("[PKCEDowngradeCheck] Sending original request..."); + const resOriginal = await fetch(fetchOriginal); + sdk.console.log(`[PKCEDowngradeCheck] Original response status: ${resOriginal.status}`); + + sdk.console.log("[PKCEDowngradeCheck] Sending downgraded request..."); + const resDowngraded = await fetch(fetchDowngraded); + sdk.console.log(`[PKCEDowngradeCheck] Downgraded response status: ${resDowngraded.status}`); + + const statusEqual = resOriginal.status === resDowngraded.status; + sdk.console.log(`[PKCEDowngradeCheck] Status equal: ${statusEqual}`); + + const bodyOriginal = await resOriginal.text(); + const bodyDowngraded = await resDowngraded.text(); + + const codeInOriginal = bodyOriginal.includes("code="); + const codeInDowngrade = bodyDowngraded.includes("code="); + + sdk.console.log(`[PKCEDowngradeCheck] code= in original: ${codeInOriginal}`); + sdk.console.log(`[PKCEDowngradeCheck] code= in downgraded: ${codeInDowngrade}`); + + if (statusEqual && codeInOriginal && codeInDowngrade) { + const title = isOpenID + ? "OpenID Flow PKCE Downgraded to Plaintext" + : "OAuth2 Flow PKCE Downgraded to Plaintext"; + + const reference = isOpenID + ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7" + : "https://datatracker.ietf.org/doc/html/rfc7636"; + + sdk.console.log(`[PKCEDowngradeCheck] PKCE downgrade detected! Creating finding.`); + + await sdk.findings.create({ + title, + description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`, + request: req, + reporter: "", + }); + + return true; + } + } catch (e) { + sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(e)}`); + } + + sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected."); + return false; + } +} diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 8ba813f..8eafcc4 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -2,11 +2,13 @@ import type { SDK, DefineAPI } from "caido:plugin"; import type { Request } from "caido:utils"; import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; +import { PKCEDowngradeCheck } from "./controller/PKCEDowngradeCheck"; export type API = DefineAPI<{}>; const implicitGrantController = new ImplicitGrantController(); const authZCodeGrantController = new AuthZCodeGrantController(); +const pkceDowngradeCheck = new PKCEDowngradeCheck(); // function matchSSORequest(req: Request): boolean { // const raw = req.getRaw().toString(); @@ -33,6 +35,8 @@ export function init(sdk: SDK) { implicitGrantController.testReq(req); if (result) { + await pkceDowngradeCheck.test(sdk, req); + await sdk.findings.create({ title: "Possible SSO Request Detected", description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, @@ -40,5 +44,6 @@ export function init(sdk: SDK) { reporter: "", }); } + }); } diff --git a/packages/backend/tsconfig.json b/packages/backend/tsconfig.json index 9dec401..022c0b2 100644 --- a/packages/backend/tsconfig.json +++ b/packages/backend/tsconfig.json @@ -1,7 +1,7 @@ { "extends": "../../tsconfig.json", "compilerOptions": { - "types": ["@caido/sdk-backend"] + "types": ["@caido/sdk-backend"], }, "include": ["./src/**/*.ts"] } From 2601997ed5ed86cbbd8790df2c036cefa6fb30c0 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sun, 25 May 2025 20:37:18 +0900 Subject: [PATCH 02/20] =?UTF-8?q?GitHub=20Actions,=20PKCE=20Downgrade=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80,=20PlayGround=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/main.yml | 43 +++++++++++++++++++++++++ .gitignore | 4 +-- dist/plugin_package.zip | Bin 7047 -> 0 bytes playground/.gitignore | 34 +++++++++++++++++++ playground/README.md | 15 +++++++++ playground/bun.lock | 25 ++++++++++++++ playground/package.json | 10 ++++++ playground/src/PKCEDowngradeExpress.js | 31 ++++++++++++++++++ playground/tsconfig.json | 29 +++++++++++++++++ 9 files changed, 189 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/main.yml delete mode 100644 dist/plugin_package.zip create mode 100644 playground/.gitignore create mode 100644 playground/README.md create mode 100644 playground/bun.lock create mode 100644 playground/package.json create mode 100644 playground/src/PKCEDowngradeExpress.js create mode 100644 playground/tsconfig.json diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..30cddc7 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,43 @@ +name: Build and Upload Caido Plugin + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Bun + uses: oven-sh/setup-bun@v1 + with: + bun-version: latest + + - name: Install dependencies + run: | + bun install + + - name: Build plugin + run: | + bun run build + + - name: Archive built plugin + run: | + mkdir -p dist-artifact + cp -r dist/* dist-artifact/ + # 만약 manifest.json도 포함되어야 한다면 + cp manifest.json dist-artifact/ + + - name: Upload plugin artifact + uses: actions/upload-artifact@v4 + with: + name: caido-plugin + path: dist-artifact diff --git a/.gitignore b/.gitignore index 029ef11..648628f 100644 --- a/.gitignore +++ b/.gitignore @@ -215,10 +215,10 @@ $RECYCLE.BIN/ # Windows shortcuts *.lnk -!dist/ +#!dist/ dist/* packages/frontend/dist packages/backend/dist -!dist/*.zip +#!dist/*.zip # End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux \ No newline at end of file diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip deleted file mode 100644 index 34b70e1f07a90b3eacf3581195e7e40a421828dc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7047 zcmWIWW@h1H009TvolzhfhB+7*7?Ki`vs3d@^dYK1BIv3FkW^*nrKDEqWfkk|D-Jrfa}tY-6{@)u6f%oZR0X9LY80gwYJ%ky6q57vic1sJrXQVaFcQ%eFt zTn$ZYE(HYzh0HVs4Y0gkW?phmX-aCbhEj4)W@=tZd}fNRlBR;18bm*md{Js~L4ICw zYJ5p$L8@&@es*e}k|xYb1%;y2lG36)g_5GuREQn5V4I-AX^A<-U~!OWW^r(8UP=ha zgphn^u(g=ZFGwuOK)602u_OcLc=EiLn4FwiTpSN}Hx3^bmn4>?g5+vy6hPJ^d0q`& zdrggkK8l#Cex_bYYH;MV|`sD_Yb3rK`OFqY!3t-wnsUOUyeX2)^P)JOJN-$`eQ_3uc zDL_e*XsH|{aIqN#O6152Q4ECIhfnmgyJA%sEf0l2}}sm#hFPeKd+wvUNaJ2E^$K(7Gfy zwIm}y1(A7t!F=KiZUJy0&p&q>wG$xqivh{kkLtOCSTD+QHmh<&vQ(CUgf?cf{@ z(haWJ;F>{60b-tlqOGlhlDlh&63llB3g|{FVRe~beu+Y&g1c)7C}==Iucr{4omo(j znU}7o1a&053WTQ-1qD!<1gUKm!HzTR1*r8cD7PtTDqvFxl8R5xNX*Ge z%}a;XUl_)rs)~n%h%IuFMO;vT(pqLwYKj6V1{DetixP8FOHzx96>>9+i$UQ*O2~lH zM2SLaQ4S($g%;(YrmM_i|AN#!PZtGSND+<{hQ-PG1*x|A1*v(NDUiTH59Q1hNR1DR zBy>MwPl%yGKA?0|T9gA%MZ{@@xfP@v#)caK@hl|ZeG^NPLCqV8dvifN4SnoUq!Asb z7OSPH4^3teQ{d4}gh94wCV(=8BC<0;i3-&~Qu7C@%N6pA6i`K=$qkl96f*OmaY=e& zfjB%Y5tL+7QbE>)26;N?=N9DWrRJ4rK%~K;5^Wf(U~jLWL|WW~Ohn`+sKY_=2{Ab= z5s@Z90SOmXumu$^1v!bCc_bGvSnX8EELH#;M^ae>NglcRDVb@RsVU$h5uS01QVVht zlT&deG;lgov)9)F1(_ZW#kM$9Mcb>zsz9_tTAL7uq`>O3lu&RcPf)3b_D8_^T(7tw zC$mID$x2^eNi*6Yw$@5tAFje9zqmw0v(^eO5RhL45m1-3K)+Rt)KwOrE z*S0AN&}@(5W_a!`DXN5auV9rTxH9%H%1qD91EN34TZbxE7Xz(-&sYfXkes)M5;iAQ=ENz_77_c4Pq|O#r&ckd433}$iZBVdP0O^MFQ*i4iE*XQ&w*^&Yu#5x>JCGp4#Yn+N zqM3-qi!c@LbR=Uzbr4c~fd+0+oq!O5Ye&@Xu%If*EXhe#uvLJySrqIQl%TCHx19WP zNLvrCKSiM=Um*Zg(}ChlNx@1%$sg1UGg2U|7?v_&HW#I)r52^;C8OI8>bw+N>FYxp zcY1lLCHln$smaAq0o}~>{4(8q&;Wvwu3@}^u7QzWMoDgta#32cUU6!2NoIbYp0S>x zo;lcgFw;^JOAG~=8$@(C@`bBBU=4Qrb(0(7Nmq}ctfm_1x z2vbN&ElEu-Nlj5ya4t$sECCg@X_dl0oWIH9#YLAQd1C zju{>BP#TD)fLIMt}71HvH6jZ7~4Ol%cE~JRVTE%g31;Jtgl-S@= zQk#HmF|?Mj0u`pH;-JoHYLS(Kk`mmVh*}QbEkcY8!umzE3dx{`uYyJ@B1MA2160z0 zdWxwq3Tlu?_2j>U)&oT*QzUs2~N634_u(VxSBmuK;N+fHEI8 zX_)qc?BrBS5-H0%i(Ljb8Zf({_q+Cdvkp!h5SRf45CC7{9|$M_z2_!K&Z0`BSJ2r?9P zkn#jn3Kpdnm*$i}oC?Y+ko<+|b+C3McS1~1fL3M2DcMGPxHBX;J6b6y1>_eOXC~#O zDg+1n!-r#Bpc!8Ykv&jzYjCi?Zc%DZVo7QWa?cr7V1VipST5t@f;V#^!y+1*wF+<{ zaO1gF0hHz;-bT) z`hZB3r4|)u=I4Rr4D<~23?QON;Ruom$SFY5nxR3xv5X81AROS$$RxsmdkzaSp9Pwy0Ug? jWcPql14Ji?)RII?8v)*|Y#<3{24;r!3=9m1q(D3X{e-ks diff --git a/playground/.gitignore b/playground/.gitignore new file mode 100644 index 0000000..a14702c --- /dev/null +++ b/playground/.gitignore @@ -0,0 +1,34 @@ +# dependencies (bun install) +node_modules + +# output +out +dist +*.tgz + +# code coverage +coverage +*.lcov + +# logs +logs +_.log +report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json + +# dotenv environment variable files +.env +.env.development.local +.env.test.local +.env.production.local +.env.local + +# caches +.eslintcache +.cache +*.tsbuildinfo + +# IntelliJ based IDEs +.idea + +# Finder (MacOS) folder config +.DS_Store diff --git a/playground/README.md b/playground/README.md new file mode 100644 index 0000000..4a3109f --- /dev/null +++ b/playground/README.md @@ -0,0 +1,15 @@ +# playground + +To install dependencies: + +```bash +bun install +``` + +To run: + +```bash +bun run +``` + +This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime. diff --git a/playground/bun.lock b/playground/bun.lock new file mode 100644 index 0000000..0a70737 --- /dev/null +++ b/playground/bun.lock @@ -0,0 +1,25 @@ +{ + "lockfileVersion": 1, + "workspaces": { + "": { + "name": "playground", + "devDependencies": { + "@types/bun": "latest", + }, + "peerDependencies": { + "typescript": "^5", + }, + }, + }, + "packages": { + "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="], + + "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="], + + "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="], + + "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="], + + "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], + } +} diff --git a/playground/package.json b/playground/package.json new file mode 100644 index 0000000..0bbbfb8 --- /dev/null +++ b/playground/package.json @@ -0,0 +1,10 @@ +{ + "name": "playground", + "private": true, + "devDependencies": { + "@types/bun": "latest" + }, + "peerDependencies": { + "typescript": "^5" + } +} diff --git a/playground/src/PKCEDowngradeExpress.js b/playground/src/PKCEDowngradeExpress.js new file mode 100644 index 0000000..61cf737 --- /dev/null +++ b/playground/src/PKCEDowngradeExpress.js @@ -0,0 +1,31 @@ +const express = require("express"); +const app = express(); + +app.get("/auth", (req, res) => { + const { + client_id, + response_type, + code_challenge, + code_challenge_method, + scope + } = req.query; + + console.log("Incoming request:", req.query); + + if (!client_id || response_type !== "code") { + return res.status(400).send("Missing required parameters"); + } + + // Simulate issuing an authorization code + const code = "dummy-auth-code"; + + // Simulate PKCE check (normally you'd validate here) + // We deliberately allow the downgrade here to simulate the vulnerability + const responseBody = `Authorization successful. code=${code}`; + return res.status(200).send(responseBody); +}); + +const PORT = 5050; +app.listen(PORT, () => { + console.log(`Test PKCE server running on http://localhost:${PORT}`); +}); diff --git a/playground/tsconfig.json b/playground/tsconfig.json new file mode 100644 index 0000000..bfa0fea --- /dev/null +++ b/playground/tsconfig.json @@ -0,0 +1,29 @@ +{ + "compilerOptions": { + // Environment setup & latest features + "lib": ["ESNext"], + "target": "ESNext", + "module": "Preserve", + "moduleDetection": "force", + "jsx": "react-jsx", + "allowJs": true, + + // Bundler mode + "moduleResolution": "bundler", + "allowImportingTsExtensions": true, + "verbatimModuleSyntax": true, + "noEmit": true, + + // Best practices + "strict": true, + "skipLibCheck": true, + "noFallthroughCasesInSwitch": true, + "noUncheckedIndexedAccess": true, + "noImplicitOverride": true, + + // Some stricter flags (disabled by default) + "noUnusedLocals": false, + "noUnusedParameters": false, + "noPropertyAccessFromIndexSignature": false + } +} From a5e48ed3742ff1fb6d205528f62e0804865f81c1 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sun, 25 May 2025 20:38:36 +0900 Subject: [PATCH 03/20] =?UTF-8?q?[Add]=20=EB=AA=A8=EB=93=A0=20=EB=B8=8C?= =?UTF-8?q?=EB=9E=9C=EC=B9=98=EB=A1=9C=20=EC=A0=81=EC=9A=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 30cddc7..7b46d5d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,12 +1,8 @@ name: Build and Upload Caido Plugin on: - push: - branches: - - main - pull_request: - branches: - - main + push: + pull_request: jobs: build: From 2e1eb7a3abff2d98cfd8d982213363147eb59432 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sun, 25 May 2025 20:55:19 +0900 Subject: [PATCH 04/20] =?UTF-8?q?PKCE=20Downgrade=EB=A7=8C=20=EC=B2=B4?= =?UTF-8?q?=ED=82=B9=ED=95=9C=EB=8B=A4=EA=B3=A0=EC=9A=94=3F=20=EC=95=84?= =?UTF-8?q?=EB=87=A8=20=EC=9D=B4=EC=A0=9C=20PKCE=EA=B0=80=20=EC=9E=88?= =?UTF-8?q?=EB=8A=94=EC=A7=80=EB=8F=84=20=ED=99=95=EC=9D=B8=ED=95=A0?= =?UTF-8?q?=EA=B2=81=EB=8B=88=EB=8B=A4.=20=EC=9D=B4=EA=B1=B0=EB=8F=84=20?= =?UTF-8?q?=EC=A2=80=20=EC=A4=84=EC=9D=B4=EA=B3=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/main.yml | 9 +- packages/backend/src/controller/PKCECheck.ts | 98 ++++++++++++++++ .../src/controller/PKCEDowngradeCheck.ts | 108 ------------------ packages/backend/src/index.ts | 6 +- 4 files changed, 102 insertions(+), 119 deletions(-) create mode 100644 packages/backend/src/controller/PKCECheck.ts delete mode 100644 packages/backend/src/controller/PKCEDowngradeCheck.ts diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7b46d5d..9071b63 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -25,15 +25,8 @@ jobs: run: | bun run build - - name: Archive built plugin - run: | - mkdir -p dist-artifact - cp -r dist/* dist-artifact/ - # 만약 manifest.json도 포함되어야 한다면 - cp manifest.json dist-artifact/ - - name: Upload plugin artifact uses: actions/upload-artifact@v4 with: name: caido-plugin - path: dist-artifact + path: dist diff --git a/packages/backend/src/controller/PKCECheck.ts b/packages/backend/src/controller/PKCECheck.ts new file mode 100644 index 0000000..3e41154 --- /dev/null +++ b/packages/backend/src/controller/PKCECheck.ts @@ -0,0 +1,98 @@ +import type { SDK } from "caido:plugin"; +import type { Request } from "caido:utils"; +import { fetch, Request as FetchRequest } from "caido:http"; + +export class PKCECheck { + async test(sdk: SDK, req: Request): Promise { + const method = req.getMethod(); + if (method !== "GET") { + sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping."); + return false; + } + + const query = req.getQuery(); + const requiredParams = ["client_id=", "response_type=code", "code_challenge=", "code_challenge_method="]; + if (!requiredParams.every(param => query.includes(param))) { + sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping."); + return false; + } + + const url = req.getUrl(); + const isOpenID = query.includes("scope=openid") || query.includes("id_token"); + const methodMatch = query.match(/code_challenge_method=([^&]*)/); + const challengeMatch = query.match(/code_challenge=([^&]*)/); + + if (!methodMatch || !challengeMatch) { + sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping."); + await sdk.findings.create({ + title: isOpenID + ? "[WARN] OpenID Flow PKCE Parameters Missing" + : "[WARN] OAuth2 Flow PKCE Parameters Missing", + description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`, + request: req, + reporter: "", + }); + return false; + } + + const methodVal = decodeURIComponent(methodMatch[1]!); + if (methodVal === "plain") { + sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping."); + await sdk.findings.create({ + title: isOpenID + ? "[WARN] OpenID Flow PKCE Method is 'plain'" + : "[WARN] OAuth2 Flow PKCE Method is 'plain'", + description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`, + request: req, + reporter: "", + }); + + return false; + } + + const downgradedQuery = query + .replace(/code_challenge_method=[^&]*&?/, "") + .replace(/code_challenge=[^&]*&?/, "") + .replace(/[?&]$/, ""); + + const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; + + try { + const [resOriginal, resDowngraded] = await Promise.all([ + fetch(new FetchRequest(url, { method: "GET" })), + fetch(new FetchRequest(downgradedUrl, { method: "GET" })) + ]); + + const [bodyOriginal, bodyDowngraded] = await Promise.all([ + resOriginal.text(), + resDowngraded.text() + ]); + + const statusEqual = resOriginal.status === resDowngraded.status; + const codeInBoth = bodyOriginal.includes("code=") && bodyDowngraded.includes("code="); + + if (statusEqual && codeInBoth) { + const title = isOpenID + ? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext" + : "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext"; + const reference = isOpenID + ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7" + : "https://datatracker.ietf.org/doc/html/rfc7636"; + + await sdk.findings.create({ + title, + description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`, + request: req, + reporter: "", + }); + + return true; + } + } catch (err) { + sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`); + } + + sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected."); + return false; + } +} diff --git a/packages/backend/src/controller/PKCEDowngradeCheck.ts b/packages/backend/src/controller/PKCEDowngradeCheck.ts deleted file mode 100644 index 5d9e5e4..0000000 --- a/packages/backend/src/controller/PKCEDowngradeCheck.ts +++ /dev/null @@ -1,108 +0,0 @@ -import type { SDK } from "caido:plugin"; -import type { Request, Response } from "caido:utils"; -import { fetch, Request as FetchRequest } from "caido:http"; - -export class PKCEDowngradeCheck { - async test(sdk: SDK, req: Request): Promise { - const method = req.getMethod(); - const query = req.getQuery(); - - sdk.console.log(`[PKCEDowngradeCheck] Method: ${method}`); - sdk.console.log(`[PKCEDowngradeCheck] Query: ${query}`); - - if (method !== "GET") { - sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping."); - return false; - } - - if ( - !query.includes("client_id=") || - !query.includes("response_type=code") || - !query.includes("code_challenge=") || - !query.includes("code_challenge_method=") - ) { - sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping."); - return false; - } - - const url = req.getUrl(); - const isOpenID = - query.includes("scope=openid") || query.includes("id_token"); - - sdk.console.log(`[PKCEDowngradeCheck] URL: ${url}`); - sdk.console.log(`[PKCEDowngradeCheck] isOpenID: ${isOpenID}`); - - const methodMatch = query.match(/code_challenge_method=([^&]*)/); - const challengeMatch = query.match(/code_challenge=([^&]*)/); - if (!methodMatch || !challengeMatch) { - sdk.console.log("[PKCEDowngradeCheck] code_challenge or code_challenge_method missing in query. Skipping."); - return false; - } - - const methodVal = decodeURIComponent(methodMatch[1] ?? ""); - sdk.console.log(`[PKCEDowngradeCheck] code_challenge_method: ${methodVal}`); - if (methodVal === "plain") { - sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is plain. Skipping."); - return false; - } - - const modifiedQuery = query - .replace(/code_challenge_method=[^&]*&?/, "") - .replace(/code_challenge=[^&]*&?/, "") - .replace(/[?&]$/, ""); - - const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${modifiedQuery}`; - sdk.console.log(`[PKCEDowngradeCheck] Downgraded URL: ${downgradedUrl}`); - - try { - const fetchOriginal = new FetchRequest(url, { method: "GET" }); - const fetchDowngraded = new FetchRequest(downgradedUrl, { method: "GET" }); - - sdk.console.log("[PKCEDowngradeCheck] Sending original request..."); - const resOriginal = await fetch(fetchOriginal); - sdk.console.log(`[PKCEDowngradeCheck] Original response status: ${resOriginal.status}`); - - sdk.console.log("[PKCEDowngradeCheck] Sending downgraded request..."); - const resDowngraded = await fetch(fetchDowngraded); - sdk.console.log(`[PKCEDowngradeCheck] Downgraded response status: ${resDowngraded.status}`); - - const statusEqual = resOriginal.status === resDowngraded.status; - sdk.console.log(`[PKCEDowngradeCheck] Status equal: ${statusEqual}`); - - const bodyOriginal = await resOriginal.text(); - const bodyDowngraded = await resDowngraded.text(); - - const codeInOriginal = bodyOriginal.includes("code="); - const codeInDowngrade = bodyDowngraded.includes("code="); - - sdk.console.log(`[PKCEDowngradeCheck] code= in original: ${codeInOriginal}`); - sdk.console.log(`[PKCEDowngradeCheck] code= in downgraded: ${codeInDowngrade}`); - - if (statusEqual && codeInOriginal && codeInDowngrade) { - const title = isOpenID - ? "OpenID Flow PKCE Downgraded to Plaintext" - : "OAuth2 Flow PKCE Downgraded to Plaintext"; - - const reference = isOpenID - ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7" - : "https://datatracker.ietf.org/doc/html/rfc7636"; - - sdk.console.log(`[PKCEDowngradeCheck] PKCE downgrade detected! Creating finding.`); - - await sdk.findings.create({ - title, - description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`, - request: req, - reporter: "", - }); - - return true; - } - } catch (e) { - sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(e)}`); - } - - sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected."); - return false; - } -} diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 8eafcc4..7633932 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -2,13 +2,13 @@ import type { SDK, DefineAPI } from "caido:plugin"; import type { Request } from "caido:utils"; import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; -import { PKCEDowngradeCheck } from "./controller/PKCEDowngradeCheck"; +import { PKCECheck } from "./controller/PKCECheck"; export type API = DefineAPI<{}>; const implicitGrantController = new ImplicitGrantController(); const authZCodeGrantController = new AuthZCodeGrantController(); -const pkceDowngradeCheck = new PKCEDowngradeCheck(); +const pkceCheck = new PKCECheck(); // function matchSSORequest(req: Request): boolean { // const raw = req.getRaw().toString(); @@ -35,7 +35,7 @@ export function init(sdk: SDK) { implicitGrantController.testReq(req); if (result) { - await pkceDowngradeCheck.test(sdk, req); + await pkceCheck.test(sdk, req); await sdk.findings.create({ title: "Possible SSO Request Detected", From ba20dd9007280235e871632ba86d9cd66eaae129 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sun, 25 May 2025 22:28:56 +0900 Subject: [PATCH 05/20] =?UTF-8?q?=EC=A0=9C=EA=B0=80=20=EC=BD=94=EB=93=9C?= =?UTF-8?q?=20=ED=86=B5=EC=9D=BC=EC=84=B1=EC=9D=B4=20=EC=97=86=EC=97=88?= =?UTF-8?q?=EB=84=A4=EC=9A=94...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 7633932..2eccd6d 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -8,7 +8,7 @@ export type API = DefineAPI<{}>; const implicitGrantController = new ImplicitGrantController(); const authZCodeGrantController = new AuthZCodeGrantController(); -const pkceCheck = new PKCECheck(); +const pkceCheckController = new PKCECheck(); // function matchSSORequest(req: Request): boolean { // const raw = req.getRaw().toString(); @@ -35,7 +35,7 @@ export function init(sdk: SDK) { implicitGrantController.testReq(req); if (result) { - await pkceCheck.test(sdk, req); + await pkceCheckController.test(sdk, req); await sdk.findings.create({ title: "Possible SSO Request Detected", From 0a24c5594d7b4b9f52c6470888fb4bc00cb11782 Mon Sep 17 00:00:00 2001 From: imnyang Date: Mon, 26 May 2025 00:56:03 +0900 Subject: [PATCH 06/20] =?UTF-8?q?[Add]=20PKCE=20=EC=B2=B4=ED=81=AC=20?= =?UTF-8?q?=EB=B0=8F=20=EA=B4=80=EB=A0=A8=20=EA=B8=B0=EB=8A=A5=20=EA=B5=AC?= =?UTF-8?q?=ED=98=84,=20Playground=20=EB=94=94=EB=A0=89=ED=86=A0=EB=A6=AC?= =?UTF-8?q?=20=EC=A0=95=EB=A6=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 20 ++++- packages/backend/src/controller/PKCECheck.ts | 29 +++--- playground/.gitignore | 34 ------- playground/PKCEDowngrade/.gitignore | 2 + playground/PKCEDowngrade/README.md | 11 +++ playground/{ => PKCEDowngrade}/bun.lock | 10 +-- playground/PKCEDowngrade/package.json | 12 +++ playground/PKCEDowngrade/src/index.ts | 94 ++++++++++++++++++++ playground/PKCEDowngrade/tsconfig.json | 7 ++ playground/README.md | 15 ---- playground/package.json | 10 --- playground/src/PKCEDowngradeExpress.js | 31 ------- playground/tsconfig.json | 29 ------ 13 files changed, 164 insertions(+), 140 deletions(-) delete mode 100644 playground/.gitignore create mode 100644 playground/PKCEDowngrade/.gitignore create mode 100644 playground/PKCEDowngrade/README.md rename playground/{ => PKCEDowngrade}/bun.lock (75%) create mode 100644 playground/PKCEDowngrade/package.json create mode 100644 playground/PKCEDowngrade/src/index.ts create mode 100644 playground/PKCEDowngrade/tsconfig.json delete mode 100644 playground/README.md delete mode 100644 playground/package.json delete mode 100644 playground/src/PKCEDowngradeExpress.js delete mode 100644 playground/tsconfig.json diff --git a/README.md b/README.md index 4cb6778..c5497cc 100644 --- a/README.md +++ b/README.md @@ -1 +1,19 @@ -# caido-plugin-test \ No newline at end of file +# caido-plugin-test + +## To-Do +- [ ] PKCE 다운그래이드 https에서 작동 안하는 이슈 고치기 + +```log +2025-05-25T15:52:40.757475Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connection (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.757530Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connected for http://localhost:8787 (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.757562Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost/login (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.767186Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost:8787/login -> 302 361 (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.768696Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) +2025-05-25T15:52:41.103596Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 -> 302 4927 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) +2025-05-25T15:52:41.105944Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connection (34585a00-9f9f-4c72-b087-2e9e92418dad) +2025-05-25T15:52:41.105993Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connected for http://localhost:8787 (34585a00-9f9f-4c72-b087-2e9e92418dad) +2025-05-25T15:52:41.106023Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 (34585a00-9f9f-4c72-b087-2e9e92418dad) +2025-05-25T15:52:41.108270Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] Required PKCE parameters missing. Skipping. +2025-05-25T15:52:41.277387Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] No PKCE downgrade detected. +2025-05-25T15:52:41.686109Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost:8787/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 -> 200 1582 (34585a00-9f9f-4c72-b087-2e9e92418dad) +``` \ No newline at end of file diff --git a/packages/backend/src/controller/PKCECheck.ts b/packages/backend/src/controller/PKCECheck.ts index 3e41154..1d3525d 100644 --- a/packages/backend/src/controller/PKCECheck.ts +++ b/packages/backend/src/controller/PKCECheck.ts @@ -11,18 +11,20 @@ export class PKCECheck { } const query = req.getQuery(); - const requiredParams = ["client_id=", "response_type=code", "code_challenge=", "code_challenge_method="]; - if (!requiredParams.every(param => query.includes(param))) { + const searchParams = new URLSearchParams(query); + const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"]; + + if (!requiredKeys.every((key) => searchParams.has(key))) { sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping."); return false; } const url = req.getUrl(); - const isOpenID = query.includes("scope=openid") || query.includes("id_token"); - const methodMatch = query.match(/code_challenge_method=([^&]*)/); - const challengeMatch = query.match(/code_challenge=([^&]*)/); + const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token"); + const methodVal = searchParams.get("code_challenge_method"); + const challengeVal = searchParams.get("code_challenge"); - if (!methodMatch || !challengeMatch) { + if (!methodVal || !challengeVal) { sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping."); await sdk.findings.create({ title: isOpenID @@ -35,7 +37,6 @@ export class PKCECheck { return false; } - const methodVal = decodeURIComponent(methodMatch[1]!); if (methodVal === "plain") { sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping."); await sdk.findings.create({ @@ -46,26 +47,24 @@ export class PKCECheck { request: req, reporter: "", }); - return false; } - const downgradedQuery = query - .replace(/code_challenge_method=[^&]*&?/, "") - .replace(/code_challenge=[^&]*&?/, "") - .replace(/[?&]$/, ""); - + // Remove PKCE parameters to simulate a downgraded request + searchParams.delete("code_challenge"); + searchParams.delete("code_challenge_method"); + const downgradedQuery = searchParams.toString(); const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; try { const [resOriginal, resDowngraded] = await Promise.all([ fetch(new FetchRequest(url, { method: "GET" })), - fetch(new FetchRequest(downgradedUrl, { method: "GET" })) + fetch(new FetchRequest(downgradedUrl, { method: "GET" })), ]); const [bodyOriginal, bodyDowngraded] = await Promise.all([ resOriginal.text(), - resDowngraded.text() + resDowngraded.text(), ]); const statusEqual = resOriginal.status === resDowngraded.status; diff --git a/playground/.gitignore b/playground/.gitignore deleted file mode 100644 index a14702c..0000000 --- a/playground/.gitignore +++ /dev/null @@ -1,34 +0,0 @@ -# dependencies (bun install) -node_modules - -# output -out -dist -*.tgz - -# code coverage -coverage -*.lcov - -# logs -logs -_.log -report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json - -# dotenv environment variable files -.env -.env.development.local -.env.test.local -.env.production.local -.env.local - -# caches -.eslintcache -.cache -*.tsbuildinfo - -# IntelliJ based IDEs -.idea - -# Finder (MacOS) folder config -.DS_Store diff --git a/playground/PKCEDowngrade/.gitignore b/playground/PKCEDowngrade/.gitignore new file mode 100644 index 0000000..506e4c3 --- /dev/null +++ b/playground/PKCEDowngrade/.gitignore @@ -0,0 +1,2 @@ +# deps +node_modules/ diff --git a/playground/PKCEDowngrade/README.md b/playground/PKCEDowngrade/README.md new file mode 100644 index 0000000..6dd13e7 --- /dev/null +++ b/playground/PKCEDowngrade/README.md @@ -0,0 +1,11 @@ +To install dependencies: +```sh +bun install +``` + +To run: +```sh +bun run dev +``` + +open http://localhost:3000 diff --git a/playground/bun.lock b/playground/PKCEDowngrade/bun.lock similarity index 75% rename from playground/bun.lock rename to playground/PKCEDowngrade/bun.lock index 0a70737..ec75146 100644 --- a/playground/bun.lock +++ b/playground/PKCEDowngrade/bun.lock @@ -2,13 +2,13 @@ "lockfileVersion": 1, "workspaces": { "": { - "name": "playground", + "name": "PKCEDowngrade", + "dependencies": { + "hono": "^4.7.10", + }, "devDependencies": { "@types/bun": "latest", }, - "peerDependencies": { - "typescript": "^5", - }, }, }, "packages": { @@ -18,7 +18,7 @@ "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="], - "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="], + "hono": ["hono@4.7.10", "", {}, "sha512-QkACju9MiN59CKSY5JsGZCYmPZkA6sIW6OFCUp7qDjZu6S6KHtJHhAc9Uy9mV9F8PJ1/HQ3ybZF2yjCa/73fvQ=="], "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], } diff --git a/playground/PKCEDowngrade/package.json b/playground/PKCEDowngrade/package.json new file mode 100644 index 0000000..00ae1aa --- /dev/null +++ b/playground/PKCEDowngrade/package.json @@ -0,0 +1,12 @@ +{ + "name": "PKCEDowngrade", + "scripts": { + "dev": "bun run --hot src/index.ts" + }, + "dependencies": { + "hono": "^4.7.10" + }, + "devDependencies": { + "@types/bun": "latest" + } +} \ No newline at end of file diff --git a/playground/PKCEDowngrade/src/index.ts b/playground/PKCEDowngrade/src/index.ts new file mode 100644 index 0000000..4c61f36 --- /dev/null +++ b/playground/PKCEDowngrade/src/index.ts @@ -0,0 +1,94 @@ +import { Hono } from 'hono' +import { randomBytes, createHash } from 'crypto' +import { Buffer } from 'buffer' + +const app = new Hono() + +// In-memory PKCE store (should use Redis or similar in production) +const pkceStore = new Map() + +const generateCodeVerifier = () => { + return randomBytes(32).toString('hex') +} + +const generateCodeChallenge = (verifier: string) => { + const hash = createHash('sha256').update(verifier).digest() + return hash.toString('base64url') +} + +// Step 1: Redirect to GitHub with PKCE +app.get('/login', (c) => { + const codeVerifier = generateCodeVerifier() + const codeChallenge = generateCodeChallenge(codeVerifier) + const state = randomBytes(8).toString('hex') + + pkceStore.set(state, codeVerifier) + + const params = new URLSearchParams({ + client_id: process.env.GITHUB_CLIENT_ID!, + redirect_uri: 'http://localhost:8787/callback', + scope: 'read:user', + state, + response_type: 'code', + code_challenge: codeChallenge, + code_challenge_method: 'S256', + }) + + return c.redirect(`https://github.com/login/oauth/authorize?${params}`) +}) + +// Step 2: GitHub redirects back here +app.get('/callback', async (c) => { + const url = new URL(c.req.url) + const code = url.searchParams.get('code') + const state = url.searchParams.get('state') + + if (!code || !state) { + return c.text('Missing code or state', 400) + } + + const codeVerifier = pkceStore.get(state) + if (!codeVerifier) { + return c.text('Invalid or expired state', 400) + } + + // Step 3: Exchange code + verifier for token + const tokenRes = await fetch('https://github.com/login/oauth/access_token', { + method: 'POST', + headers: { + Accept: 'application/json', + 'Content-Type': 'application/json', + }, + body: JSON.stringify({ + client_id: process.env.GITHUB_CLIENT_ID, + client_secret: process.env.GITHUB_CLIENT_SECRET, + code, + redirect_uri: 'http://localhost:8787/callback', + code_verifier: codeVerifier, + }), + }) + + const tokenData = await tokenRes.json() + if (!tokenData.access_token) { + return c.text('Failed to get access token', 500) + } + + // Step 4: Use token to fetch user profile + const userRes = await fetch('https://api.github.com/user', { + headers: { + Authorization: `Bearer ${tokenData.access_token}`, + 'User-Agent': 'hono-app', + }, + }) + + const user = await userRes.json() + return c.json({ + message: 'GitHub login successful!', + user, + }) +}) + +export default { + port: 8787, + fetch: app.fetch, +} \ No newline at end of file diff --git a/playground/PKCEDowngrade/tsconfig.json b/playground/PKCEDowngrade/tsconfig.json new file mode 100644 index 0000000..c442b33 --- /dev/null +++ b/playground/PKCEDowngrade/tsconfig.json @@ -0,0 +1,7 @@ +{ + "compilerOptions": { + "strict": true, + "jsx": "react-jsx", + "jsxImportSource": "hono/jsx" + } +} \ No newline at end of file diff --git a/playground/README.md b/playground/README.md deleted file mode 100644 index 4a3109f..0000000 --- a/playground/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# playground - -To install dependencies: - -```bash -bun install -``` - -To run: - -```bash -bun run -``` - -This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime. diff --git a/playground/package.json b/playground/package.json deleted file mode 100644 index 0bbbfb8..0000000 --- a/playground/package.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "name": "playground", - "private": true, - "devDependencies": { - "@types/bun": "latest" - }, - "peerDependencies": { - "typescript": "^5" - } -} diff --git a/playground/src/PKCEDowngradeExpress.js b/playground/src/PKCEDowngradeExpress.js deleted file mode 100644 index 61cf737..0000000 --- a/playground/src/PKCEDowngradeExpress.js +++ /dev/null @@ -1,31 +0,0 @@ -const express = require("express"); -const app = express(); - -app.get("/auth", (req, res) => { - const { - client_id, - response_type, - code_challenge, - code_challenge_method, - scope - } = req.query; - - console.log("Incoming request:", req.query); - - if (!client_id || response_type !== "code") { - return res.status(400).send("Missing required parameters"); - } - - // Simulate issuing an authorization code - const code = "dummy-auth-code"; - - // Simulate PKCE check (normally you'd validate here) - // We deliberately allow the downgrade here to simulate the vulnerability - const responseBody = `Authorization successful. code=${code}`; - return res.status(200).send(responseBody); -}); - -const PORT = 5050; -app.listen(PORT, () => { - console.log(`Test PKCE server running on http://localhost:${PORT}`); -}); diff --git a/playground/tsconfig.json b/playground/tsconfig.json deleted file mode 100644 index bfa0fea..0000000 --- a/playground/tsconfig.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "compilerOptions": { - // Environment setup & latest features - "lib": ["ESNext"], - "target": "ESNext", - "module": "Preserve", - "moduleDetection": "force", - "jsx": "react-jsx", - "allowJs": true, - - // Bundler mode - "moduleResolution": "bundler", - "allowImportingTsExtensions": true, - "verbatimModuleSyntax": true, - "noEmit": true, - - // Best practices - "strict": true, - "skipLibCheck": true, - "noFallthroughCasesInSwitch": true, - "noUncheckedIndexedAccess": true, - "noImplicitOverride": true, - - // Some stricter flags (disabled by default) - "noUnusedLocals": false, - "noUnusedParameters": false, - "noPropertyAccessFromIndexSignature": false - } -} From e868cbec676528332494086f58e7cfbbaeb0e26e Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 14:11:53 +0900 Subject: [PATCH 07/20] =?UTF-8?q?csrf(state)=20=EA=B4=80=EB=A0=A8=20?= =?UTF-8?q?=EC=B7=A8=EC=95=BD=EC=A0=90=20=ED=83=90=EC=A7=80=20=EA=B8=B0?= =?UTF-8?q?=EB=8A=A5=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dist/plugin_package.zip | Bin 0 -> 11096 bytes package.json | 2 +- packages/backend/src/controller/csrfCheck.ts | 178 +++++++++++++++++ packages/backend/src/index.ts | 34 +++- packages/backend/src/utils/http.ts | 193 +++++++++++++++++++ 5 files changed, 400 insertions(+), 7 deletions(-) create mode 100644 dist/plugin_package.zip create mode 100644 packages/backend/src/controller/csrfCheck.ts create mode 100644 packages/backend/src/utils/http.ts diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip new file mode 100644 index 0000000000000000000000000000000000000000..a321b3b7a1ce78282a403d57a664b8d3f0a1ed8b GIT binary patch literal 11096 zcmWIWW@h1H0D;#Ud!j%z40A9rFeD`=XQ$?+=tES2M9@_UAgRjCOG&NJ%PQ8_S13qK z&Q45EE!KybP+XL(Us{rxQ>>p+Qc|E-Qp{DBSfr4dS6q^qmz=6#tB_ZklVc4Q^e8DQ z2n8usuvJLTNh~f_sOC~o(AU!9QczIPQh3w7@zsuow=G)~-pt+crfbRDmMw3(mb_lN zN8wHL+&3*7-%efmy1V0b_Yys@dVMYhh2;Fa;*z4$0>)t5}uQtqmvuVqlxib{r zHZ6HGvq9n2hDmScwkW(=(DHg)gTkA(p4V%3yqP!Q^};y{uQxZmojC)|7YYsqiA9OI z3K^-1DXB%p3JSUkL8;04MJYDLB}JKe={gD!TA>EYh>o>Wcspb2+vYi7TOrPPy?iUk zD_RN;5O)_VK!GlbyS6C2UbW)�l8k^?Je_g*VL|3Q&*1Oaz5;PJVf6k#k~ks$))$ z2gIEkQ1`+D7#tA_MXAN5IVB3V3e~lcP)y4&QqX|NMHeNOd#6_FC=?}@hb88erp7Ad zrz!X+Wu+#U=%wbB6lJCs!%c-53yoog?9@sHTaZrg)JnaQd>@#DG&CXhKw{mos3@^g zFS8g-YryQ$L>LB21|SzkXQx)iLJR~uMK3q8KtrQUQ^D3wp$yf0xCONesX4`|&@=`L zU5IBfjKb%YDr*eYEfkXC^5Jd<>!V5d1{mvW$J*u4)Z{1 zQKo{eLTOPZsuMwGD1g){*n&uGk|jlzaF;`(qqHc;KPd~8JyXjSLW6ujmcjiBbs|KK zUU6z-QE~>@WyN~wsU;fOsg+QrwF=3JCCM2I8mTZhf`S;F(;(R%6i^`lfv~>50@#lz zd4BPpH`BJfS>B@XX8)eo%ho7Bvdf$4TQmwm;i36v`h+(vb3p!jGkt=>+o@Y#ckg^V zb;j#1P~HP)wbvVF;LcWHLqM5IDbdzYEy>nMPft%t0g->uZB@{Cy?lkjo2l~@>=i(E zyqVqxa^KWF3h;cZ3C(Gcd<#mM3Lpz!ZD@G2V8@#oOI~eWpzx-9+nc!!3U7OQUeDe0 zdi{>KEgKZx%-!;OSqoG%B!r>aR2S+mRQ0bmOwv&R**|B`>y=x;#VA-aC`Y0s7f48< zq!fs^Z56;YwgdrkHqO)nNg-hW6(dqeFj6vrSP4x85Wgru)T1O2aIC|NcOs%16wkJ0 zpwaJ1;skelhqq&7%V_d z94Lti9P$d_U<0`cq2<+vN#G=dRxRi%z?`j?Y-^03Bf#E&GYd1M!A5~nUomoF1xX6v z)TaY+1FR^31QNN45aJzMh>_TmFo~%Y97x4_#gOs~=2S@8iJF2-@`J%uFQjrIISu0~ zu8<1@aO!Sa`)0u$jg-`!)RI(9XetMXG3iO&0qi?Sb_XQ^Sp1^LEm|2%erfjx?D)4+ z@g+-0sKU!Qh!#jQqY>JCf#fy3iLEF#H@_?uTycP_Af)t0orFeSI)X$SQdJ1?Evyv8 zl7{pZplv7Y^&g_$1+DV(5_3~A>by6bRx7;T)bVEd4p>7C+Tg@q1VYmVw6O-NjKS^8 z;)49V;#5#k4Rw-+rUIyhgc$;@UO`P;NP>i#19B4B5J-);YtQSZEy&d!q%jI9n-nzO z%;>OEP|C?qPAtjH&r{M-P;$=CD@n~O(G96ANL7N>qmY1uCKIsfi24w0AgG;-?Z`vx@+S)2WtcAH96g(ic;1({tr3(yA|Pjg%0&>3+bXDL1yr37eGn27^>Bkh zg76O38+dbpxSRo11GDx`Dsdihp-?S)r6HoRH51(vfQ=@^vy zUiUO0dU8wmD7@ah<;}t^Z&CZB3c8TM0%asfpY6@u9SW~D?R_(AgF-aeL9q&umgnn* zb71|t=vX9GueR@a-O~Va_M4_PZ)UB;v;pEmM6m#ME67enQxQ_CDqwBFpyX#*RsdBQ zZ=05YOo0X?#P2$g?(7yst6bsrh7E6~ZvnX(suI>wgf)#o*#nX;bU{5{aNsY1IuqO= zTh;V1`a~7(Ym0XDma+nt)o{PCMjq@ zf?eVDj0vE&JA@Ysi~Rd}i<)xNG+yZK|W9xv! z3Z-I7%Otp)kc%aR^{_56wn9n)Q7AyO1gu2C=wB0IV6i5|ykZ3_a1JYug_{OS=gysaKqzo2miUrl6pa4IT@~Mh$InfeiONSShp%1S*pi zAvPew1YvkIC{ut297qWgP-zG+ToGo0dvrl5S=we!t_snA@f@p|$SPe94=gYhO=58A?R!A3^=2fTMs|Fz3xo!bJn5 z-3rZ-s4Wq=*I;P{7LX*C4JEJ;vQBoy7K z^3ePR$x&&UIVGt@sVO+d`^YG66k$Hn%gjs8DNRW&1~srzoq*ELfjI$ZkwaVw0d0rC zOoL>xT5B#YTm#<8`FSNp`8heMMf%CbMQP3%sma-}p>NPIIBb+VFST3&KI#qXPlCqA zonbmqhQTw7{S!+|GD3?oHHuOTOH+$WV5tKV+OXak0yP$@YlGc~UyJ~PEuNfXrmgY=+~6cnXGIt1}0l?ACFMKv{$t|XG0^rFPP5_}4Z zQd2UEQj<&KON%mbm{FXZkJJ3(lEe~_-AK_3jg^w3(o~4&K*b)sL`+M}DF%y!M4^Ef z1a(6Y)I%CDpP>dN$gWaQRREI)1*UU;N-8LZK$#yB;;^0zBo8atD!^kFq#hy)srSKE z0mx;La70KKYiQ~~B@rDVumDoU0dL0?Bi64B^lsUi<};CD}p8rP%6i%C^t0FpI9F$_@+jYmj|0YzLYI7y(V7O-NZ@e7b|lt5i#uofk#Dd1)VSOjbc%n6{B z1s+p}r+Kuw1XvaUWrbu=Sp@cwV+kxD_(1#MkTeS`Uvxlo5a5vjm_=awH9(VKde9t& zQXHwNfhWlHGK<0HV+0sN9$b{+&W)Iv+yFU;Ljn_bkV66wq64BfzbG?3GcPd*>@GrK zucM#@4r5rTLySO8Tj*v$LJk}&ur?wr1A)>4M4Di3hu8$uNWihMSs-w6p@5c=Awd8y zTOj@ct3*ypC^o?&8J?P=A;AC{vPvyUEmFuVR>;jPF3!wLSIEp$D9K2Lrx3XH(1}VV zXiET;;vlsSY7~Hm7D%-{H?uewJe!o1T2h{xnx_EGi3*8%DR76NT3iH~)di;>kW)bQ zbx~$nVo9n(VsT|&vH~JE1f`Z1gWLD|`U;>R09UbA3PF$z4GKxH1jHM#j02K~lncD-J+*mkA0h|^<4f@v`=Dga`32xBOn(}7TTF|UIh7q7F z4>L|dK@pU=!TtbMgNk@c0)!p~SfPMD)1w9`s4osRAI^j%OsFV4MnRtQ%P&z#gbsn} zDCFfUI0py0DHLTEXTz+AMmlVs7}YY=Vvj(UhT4y60!H43szRyE!D8TS2WCMsIm8^| zvp86*f&xSvEcu~%0Nl=lr&I-4F$N0@bSFTw543DTt-PRukOmLfZiut<@}2YZvolkn z@+e`3+M_`=T}L5WDH*I&DHh!wd8y?v4=LCxB$g*;mLN5yic*VH^HLCX5_m}nD2pmU zi<)991vFQ|gP<0RRcK*`ztslzxqE%$1y15LQ)IVR$E(; zKfoMpIVu{KOh7qX39JmM&QGciX2o-dW) zaigFBt|Gu849}$~xf?k@E2N~Bq$Zc7ra)W?(tuQerxs}xr(}cLE8tQa#DJ8_5RWP- zY6!^UlY|6F(*P7gcuFt@Sn&o93-rbe%w$ki0a`Mmplz$51ox&Dyq*M?wupd) zcEdpKhm}cS6}Z}B;GQFN;gKGqvcjbtkxgKgD>w&0YG5KP0#(Zf*u0jYqo7hv*Z{q( z{LDNJP`g#L78=SBuY$rFvLFW8ba0~;A`FQVv_U?2asannKql34;p=uo)}cX{n87>V z&?O4+ZZ)V-ODoMw2F*GtWaed-fD#YHS;Z;YdZ}fpc_qbq`FWmsC8*(bNJ>S~4bBE=Nfc5DLYoqLi8(nM zFf)MC?Dpf7waV#r6!i7YCv2EQdE*zl9OtspcIf_T%4Jd zld2FL?5_YXeqErs44h3t$`uq+Qj3#|G7CU~Wu=f19PF=Kl$w)RlA3}@)Wz`J2`V69 zDbI?FOQpIfwGdQd`lgm-Pu02Sy8P;(R%pq_xP$^^Rz6x2%DnR#H} zVMxGyhamx4i&t5YpP5$z@&;5|ACmR5iV-FkmFAUX=B9!aWhIs+LQ)aP-H_Od<*Eh6 zi)Lt0Z!9AN0|*CrGct)V;9ispS)dA9cnV^{Y=-HAEmB2}X_#7&dIknHEK63=btAh6 hlo}v9LF8`@w6qc6&B_LnU}j)uSkJ(~Fj))40{{oK)X@L{ literal 0 HcmV?d00001 diff --git a/package.json b/package.json index 7d2ba1b..ccb27ef 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { - "name": "caido-oauth", + "name": "caido-oauth-dev", "version": "0.0.0", "private": true, "scripts": { diff --git a/packages/backend/src/controller/csrfCheck.ts b/packages/backend/src/controller/csrfCheck.ts new file mode 100644 index 0000000..371033f --- /dev/null +++ b/packages/backend/src/controller/csrfCheck.ts @@ -0,0 +1,178 @@ +import type { Request, Response } from "caido:utils"; +import type { SDK, DefineAPI } from "caido:plugin"; +import { HttpUtils } from "../utils/http"; + +const httpUtils = new HttpUtils(); + +export class CsrfCheck { + private isOauthUri(request: Request): boolean { + const query = request.getQuery() || ""; + + // Check if the request is an OAuth authorization request + if ( + query.includes("client_id=") && + (query.includes("response_type=") || + query.includes("grant_type=") || + query.includes("redirect_uri=") || + query.includes("scope=") || + query.includes("state=")) + ) { + return true; + } + + return false; + } + + private isOauthRedirectResponse(response: Response): boolean { + const status = response.getCode(); + const locationHeader = httpUtils.getHeaderValue( + response.getHeaders(), + "location" + ); + + if ( + status >= 300 && + status < 400 && + locationHeader && + (locationHeader.includes("client_id=") || + locationHeader.includes("response_type=") || + locationHeader.includes("grant_type=") || + locationHeader.includes("redirect_uri=") || + locationHeader.includes("scope=") || + locationHeader.includes("state=") || + locationHeader.includes("code=")) // code is also common in OAuth redirects + ) { + return true; + } + return false; + } + + private isStateInQuery(request: Request): boolean { + const query = request.getQuery(); + const stateValue = httpUtils.getQueryParam(query || "", "state"); + if (!stateValue) { + return false; + } + return true; + } + + private checkStateAtResponseLocationHeader( + request: Request, + response: Response + ): string[] | 0 { + if ( + !( + this.isOauthUri(request) && + this.isStateInQuery(request) && + this.isOauthRedirectResponse(response) + ) + ) { + return 0; // Not a target, no CSRF risk + } + + // 요청에서 보낸 state 추출 + const query = request.getQuery() || ""; + const originalState = httpUtils.getQueryParam(query, "state"); + + // 리다이렉트 URL에서 쿼리 부분만 추출 + const locationHeader = httpUtils.getHeaderValue( + response.getHeaders(), + "location" + ); + const responseState = httpUtils.getQueryParamFromURI( + locationHeader || "", + "state" + ); + + // state가 없거나, 요청값과 다르면 CSRF 위험 + if (!responseState) { + // missing state + return ["state parameter is missing in the response location header"]; + } + if (originalState !== responseState) { + // mismatch + return ["state parameter mismatch between request and response"]; + } + + return 0; // no CSRF risk detected + } + + // private async checkStateReuse( + // request: Request, + // originResponse: Response + // ): Promise { + // // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인 + // // 즉, 처음으로 state를 발급한 요청인지 확인 + // if ( + // !( + // !this.isOauthUri(request) && + // this.isOauthRedirectResponse(originResponse) + // ) + // ) { + // return 0; // Not a target, no CSRF risk + // } + + // const originResponseLocationHeader = httpUtils.getHeaderValue( + // originResponse.getHeaders(), + // "location" + // ); + // const originState = httpUtils.getQueryParamFromURI( + // originResponseLocationHeader || "", + // "state" + // ); + + // const requestHeaders = request.getHeaders(); + // const noCookieHeaders = httpUtils.removeHeaders(requestHeaders, ["cookie"]); + // const newResponse = await httpUtils.resend(request, { + // headers: noCookieHeaders, + // }); + // const newLocationHeader = httpUtils.getHeaderValue( + // newResponse.getHeaders(), + // "location" + // ); + // const newState = httpUtils.getQueryParamFromURI( + // newLocationHeader || "", + // "state" + // ); + + // if (originState === newState) { + // return [ + // "State parameter reused in the response location header, indicating a potential CSRF risk", + // ]; + // } + + // return 0; // no CSRF risk detected + // } + + async checker( + sdk: SDK, {}>, + request: Request, + response: Response + ): Promise { + let result = ``; + + // 쿼리에 state 파라미터가 없으면 CSRF 위험 + if (this.isOauthUri(request) && !this.isStateInQuery(request)) { + result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter + } + + // location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험 + const stateAtResponseLocationHeaderCheck = + this.checkStateAtResponseLocationHeader(request, response); + if (stateAtResponseLocationHeaderCheck !== 0) { + result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`; + } + + // // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기 + // const reusedStateCheck = await this.checkStateReuse(request, response); + // if (reusedStateCheck !== 0) { + // result += `, ${reusedStateCheck.join(", ")}`; + // } + + if (result) { + return result; // CSRF risk detected + } else { + return 0; // No CSRF risk detected + } + } +} diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 7633932..8a8ca26 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -1,5 +1,6 @@ import type { SDK, DefineAPI } from "caido:plugin"; import type { Request } from "caido:utils"; +<<<<<<< HEAD import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { PKCECheck } from "./controller/PKCECheck"; @@ -27,19 +28,40 @@ const pkceCheck = new PKCECheck(); // const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw); // return !!match; // } +======= +// import { ImplicitGrantController } from "./controller/implictGrant"; +// import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; +import { CsrfCheck } from "./controller/csrfCheck"; + +export type API = DefineAPI<{}>; +const csrfCheck = new CsrfCheck(); +>>>>>>> 8de17eb (csrf(state) 관련 취약점 탐지 기능 추가) export function init(sdk: SDK) { - sdk.events.onInterceptRequest(async (sdk, req: Request) => { - const result = - authZCodeGrantController.testReq(req) || - implicitGrantController.testReq(req); + // sdk.events.onInterceptRequest(async (sdk, req: Request) => { + // const result = csrfCheck.checker(req); + + // if (result) { + // await sdk.findings.create({ + // title: "Possible SSO Request Detected", + // description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + // request: req, + // reporter: "", + // }); + // } + // }); + + sdk.events.onInterceptResponse(async (sdk, req: Request, resp) => { + const funcList = [csrfCheck.checker(sdk, req, resp)]; + + let result = await Promise.all(funcList); if (result) { await pkceCheck.test(sdk, req); await sdk.findings.create({ - title: "Possible SSO Request Detected", - description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + title: "Possible SSO Response Detected", + description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, request: req, reporter: "", }); diff --git a/packages/backend/src/utils/http.ts b/packages/backend/src/utils/http.ts new file mode 100644 index 0000000..91a6527 --- /dev/null +++ b/packages/backend/src/utils/http.ts @@ -0,0 +1,193 @@ +let instance: HttpUtils | null = null; +export class HttpUtils { + /** + * 싱글턴 인스턴스를 생성합니다. + */ + public constructor() { + if (instance) { + return instance; + } + instance = this; + return instance; + } + + /** + * 헤더 객체의 키와 값을 전부 소문자로 변환합니다. + * @param headers - Record 형태의 헤더 맵 + * @returns - 키와 값이 모두 소문자로 변환된 새 헤더 맵 + */ + lowerCaseAllHeaders( + headers: Record + ): Record { + const result: Record = {}; + + for (const [rawKey, rawValue] of Object.entries(headers)) { + const key = rawKey.toLowerCase(); + + if (Array.isArray(rawValue)) { + // 배열이면 각 요소를 소문자로 + result[key] = rawValue.map((v) => v.toLowerCase()); + } else { + // 단일 문자열이면 바로 소문자로 + result[key] = rawValue.toLowerCase(); + } + } + + return result; + } + + getQueryParamFromURI(uri: string, key: string): string | null { + uri = uri.toLowerCase(); + key = key.toLowerCase(); + try { + const urlObj = new URL(uri); + return urlObj.searchParams.get(key); + } catch (e) { + return null; + } + } + + // Query + /** + * 주어진 쿼리 문자열(query)에서 key에 해당하는 값을 반환합니다. + * @param query - "a=1&b=2..." 형태의 쿼리 문자열 (맨 앞 ? 는 없어야 합니다) + * @param key - 가져오고 싶은 파라미터 이름 + * @returns - 해당 파라미터 값, 없으면 null + */ + getQueryParam(query: string, key: string): string | null { + query = query.toLowerCase(); + key = key.toLowerCase(); + + const params = new URLSearchParams(query); + return params.get(key); + } + + /** + * 주어진 쿼리 문자열(query)에 key=value를 설정하고, 전체 쿼리 문자열을 반환합니다. + * - 이미 key가 있으면 덮어쓰기(set), 없으면 새로 추가합니다. + * @param query - "a=1&b=2..." 형태의 쿼리 문자열 (맨 앞 ? 는 없어야 합니다) + * @param key - 설정할 파라미터 이름 + * @param value - 설정할 값 + * @returns - "a=1&b=2&c=3..." 형태의 새로운 쿼리 문자열 + */ + setQueryParam(query: string, key: string, value: string): string { + query = query.toLowerCase(); + key = key.toLowerCase(); + value = value.toLowerCase(); + + const params = new URLSearchParams(query); + params.set(key, value); + return params.toString(); + } + + /** + * 주어진 쿼리 문자열(query)에서 key에 해당하는 파라미터를 삭제(delete)하고, + * 전체 쿼리 문자열을 반환합니다. + * @param query - "a=1&b=2..." 형태의 쿼리 문자열 (맨 앞 ? 는 없어야 합니다) + * @param key - 삭제할 파라미터 이름 + * @returns - 삭제된 상태의 새로운 쿼리 문자열 + */ + removeQueryParam(query: string, key: string): string { + query = query.toLowerCase(); + key = key.toLowerCase(); + + const params = new URLSearchParams(query); + params.delete(key); + return params.toString(); + } + + // Headers + /** + * 주어진 헤더 맵에서 name에 해당하는 첫 번째 헤더 값을 반환합니다. + * @param headers - Response.getHeaders() 가 반환하는 객체 + * @param name - 꺼내고 싶은 헤더 이름 (예: "location", "Content-Type") + * @returns - 해당 헤더의 첫 번째 값, 없으면 null + */ + getHeaderValue( + headers: Record, + name: string + ): string | null { + headers = this.lowerCaseAllHeaders(headers); + const target = name.toLowerCase(); + + for (const [key, value] of Object.entries(headers)) { + if (key.toLowerCase() === target) { + if (Array.isArray(value)) { + // 배열 형태일 때 첫 번째 요소가 비어있을 수도 있으니 안전하게 처리 + return value.length > 0 && + value[0] !== undefined && + value[0].length > 0 + ? value[0] + : null; + } + // 문자열일 때 + return value.length > 0 ? value : null; + } + } + return null; + } + + /** + * 주어진 헤더 맵에서 name에 해당하는 헤더 값을 value로 변경한 새 맵을 반환합니다. + * - 기존 헤더 이름의 대소문자를 보존합니다. + * - value가 string인 경우 [value] 형태로, string[]인 경우 그대로 사용합니다. + * - 기존에 해당 헤더가 없으면 새로 추가합니다. + * + * @param headers - 키가 헤더 이름, 값이 문자열 배열인 헤더 맵 + * @param name - 변경할 헤더 이름 (예: "Authorization", "X-Custom-Header") + * @param value - 새로 설정할 값 (string 또는 string[]) + * @returns - 지정된 헤더가 업데이트된 새로운 헤더 맵 + */ + setHeaderValue( + headers: Record, + name: string, + value: string | string[] + ): Record { + headers = this.lowerCaseAllHeaders(headers); + const lowerName = name.toLowerCase(); + const newHeaders: Record = {}; + + // 1) 기존 헤더 복사하되, name과 일치하는 항목은 value로 대체 + for (const [key, vals] of Object.entries(headers)) { + if (key.toLowerCase() === lowerName) { + newHeaders[key] = Array.isArray(value) ? value : [value]; + } else { + newHeaders[key] = Array.isArray(vals) ? vals : [vals]; + } + } + + // 2) 해당 헤더가 원래 없었다면 새로 추가 + const exists = Object.keys(newHeaders).some( + (k) => k.toLowerCase() === lowerName + ); + if (!exists) { + newHeaders[name] = Array.isArray(value) ? value : [value]; + } + + return newHeaders; + } + + /** + * 주어진 헤더 맵에서 특정 이름(들)에 해당하는 헤더를 제거한 새 맵을 반환합니다. + * @param headers - 키가 헤더 이름, 값이 문자열 배열인 헤더 맵 + * @param namesToRemove - 제거할 헤더 이름(하나 혹은 배열). 대소문자 구분 없이 매칭됩니다. + * @returns - 지정된 헤더가 제외된 새로운 헤더 맵 + */ + removeHeaders( + headers: Record, + namesToRemove: string | string[] + ): Record { + headers = this.lowerCaseAllHeaders(headers); + const toRemove = Array.isArray(namesToRemove) + ? namesToRemove.map((n) => n.toLowerCase()) + : [namesToRemove.toLowerCase()]; + + const filtered: Record = {}; + for (const [key, vals] of Object.entries(headers)) { + if (!toRemove.includes(key.toLowerCase())) { + filtered[key] = Array.isArray(vals) ? vals : [vals]; + } + } + return filtered; + } +} From 366f90e5a8bfe1bc61d4b86c90c5eb7fa4883268 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 14:30:55 +0900 Subject: [PATCH 08/20] =?UTF-8?q?[Add]=20csrf=20=ED=85=8C=EC=8A=A4?= =?UTF-8?q?=ED=8A=B8=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- playground/{ => pkce}/.gitignore | 0 playground/{ => pkce}/README.md | 0 playground/{ => pkce}/bun.lock | 0 playground/{ => pkce}/package.json | 0 playground/{ => pkce}/src/PKCEDowngradeExpress.js | 0 playground/{ => pkce}/tsconfig.json | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename playground/{ => pkce}/.gitignore (100%) rename playground/{ => pkce}/README.md (100%) rename playground/{ => pkce}/bun.lock (100%) rename playground/{ => pkce}/package.json (100%) rename playground/{ => pkce}/src/PKCEDowngradeExpress.js (100%) rename playground/{ => pkce}/tsconfig.json (100%) diff --git a/playground/.gitignore b/playground/pkce/.gitignore similarity index 100% rename from playground/.gitignore rename to playground/pkce/.gitignore diff --git a/playground/README.md b/playground/pkce/README.md similarity index 100% rename from playground/README.md rename to playground/pkce/README.md diff --git a/playground/bun.lock b/playground/pkce/bun.lock similarity index 100% rename from playground/bun.lock rename to playground/pkce/bun.lock diff --git a/playground/package.json b/playground/pkce/package.json similarity index 100% rename from playground/package.json rename to playground/pkce/package.json diff --git a/playground/src/PKCEDowngradeExpress.js b/playground/pkce/src/PKCEDowngradeExpress.js similarity index 100% rename from playground/src/PKCEDowngradeExpress.js rename to playground/pkce/src/PKCEDowngradeExpress.js diff --git a/playground/tsconfig.json b/playground/pkce/tsconfig.json similarity index 100% rename from playground/tsconfig.json rename to playground/pkce/tsconfig.json From 5042a108d87b40b245c6f800fa033e5639c3de1a Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 14:56:14 +0900 Subject: [PATCH 09/20] [Add] csrf --- playground/csrf/index.js | 0 playground/csrf/package-lock.json | 816 ++++++++++++++++++++++++++++++ playground/csrf/package.json | 14 + 3 files changed, 830 insertions(+) create mode 100644 playground/csrf/index.js create mode 100644 playground/csrf/package-lock.json create mode 100644 playground/csrf/package.json diff --git a/playground/csrf/index.js b/playground/csrf/index.js new file mode 100644 index 0000000..e69de29 diff --git a/playground/csrf/package-lock.json b/playground/csrf/package-lock.json new file mode 100644 index 0000000..c676398 --- /dev/null +++ b/playground/csrf/package-lock.json @@ -0,0 +1,816 @@ +{ + "name": "csrf", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "csrf", + "version": "1.0.0", + "license": "ISC", + "dependencies": { + "express": "^5.1.0" + } + }, + "node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "license": "MIT", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/body-parser": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", + "integrity": "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==", + "license": "MIT", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^1.0.5", + "debug": "^4.4.0", + "http-errors": "^2.0.0", + "iconv-lite": "^0.6.3", + "on-finished": "^2.4.1", + "qs": "^6.14.0", + "raw-body": "^3.0.0", + "type-is": "^2.0.0" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/call-bind-apply-helpers": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", + "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/call-bound": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz", + "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "get-intrinsic": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/content-disposition": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", + "integrity": "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==", + "license": "MIT", + "dependencies": { + "safe-buffer": "5.2.1" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", + "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie": { + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", + "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "license": "MIT", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/debug": { + "version": "4.4.1", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz", + "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/depd": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/dunder-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz", + "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.1", + "es-errors": "^1.3.0", + "gopd": "^1.2.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", + "license": "MIT" + }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/es-define-property": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz", + "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-errors": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", + "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-object-atoms": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz", + "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", + "license": "MIT" + }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/express/-/express-5.1.0.tgz", + "integrity": "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==", + "license": "MIT", + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.0", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", + "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/finalhandler": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", + "integrity": "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": "^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-intrinsic": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz", + "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "es-define-property": "^1.0.1", + "es-errors": "^1.3.0", + "es-object-atoms": "^1.1.1", + "function-bind": "^1.1.2", + "get-proto": "^1.0.1", + "gopd": "^1.2.0", + "has-symbols": "^1.1.0", + "hasown": "^2.0.2", + "math-intrinsics": "^1.1.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz", + "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", + "license": "MIT", + "dependencies": { + "dunder-proto": "^1.0.1", + "es-object-atoms": "^1.0.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/gopd": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", + "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/has-symbols": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", + "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/http-errors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz", + "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==", + "license": "MIT", + "dependencies": { + "depd": "2.0.0", + "inherits": "2.0.4", + "setprototypeof": "1.2.0", + "statuses": "2.0.1", + "toidentifier": "1.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "license": "ISC" + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==", + "license": "MIT" + }, + "node_modules/math-intrinsics": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz", + "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, + "node_modules/negotiator": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "license": "MIT", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/path-to-regexp": { + "version": "8.2.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz", + "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==", + "license": "MIT", + "engines": { + "node": ">=16" + } + }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "license": "MIT", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/qs": { + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "license": "BSD-3-Clause", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.0.tgz", + "integrity": "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==", + "license": "MIT", + "dependencies": { + "bytes": "3.1.2", + "http-errors": "2.0.0", + "iconv-lite": "0.6.3", + "unpipe": "1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" + }, + "node_modules/send": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", + "integrity": "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==", + "license": "MIT", + "dependencies": { + "debug": "^4.3.5", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "mime-types": "^3.0.1", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/serve-static": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.0.tgz", + "integrity": "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==", + "license": "MIT", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", + "license": "ISC" + }, + "node_modules/side-channel": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", + "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3", + "side-channel-list": "^1.0.0", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", + "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/statuses": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", + "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "license": "MIT", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/type-is": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", + "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==", + "license": "MIT", + "dependencies": { + "content-type": "^1.0.5", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "license": "ISC" + } + } +} diff --git a/playground/csrf/package.json b/playground/csrf/package.json new file mode 100644 index 0000000..b1dd086 --- /dev/null +++ b/playground/csrf/package.json @@ -0,0 +1,14 @@ +{ + "name": "csrf", + "version": "1.0.0", + "main": "index.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "author": "", + "license": "ISC", + "description": "", + "dependencies": { + "express": "^5.1.0" + } +} From f775282e91503025d73b41799e7b4e04e31485aa Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 15:01:53 +0900 Subject: [PATCH 10/20] [Add] csrf --- packages/backend/src/index.ts | 62 ++++++++++------------------------- pnpm-lock.yaml | 16 +++++++++ 2 files changed, 34 insertions(+), 44 deletions(-) diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 8a8ca26..3d76481 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -1,41 +1,13 @@ import type { SDK, DefineAPI } from "caido:plugin"; -import type { Request } from "caido:utils"; -<<<<<<< HEAD -import { ImplicitGrantController } from "./controller/implictGrant"; -import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; -import { PKCECheck } from "./controller/PKCECheck"; - -export type API = DefineAPI<{}>; - -const implicitGrantController = new ImplicitGrantController(); -const authZCodeGrantController = new AuthZCodeGrantController(); -const pkceCheck = new PKCECheck(); - -// function matchSSORequest(req: Request): boolean { -// const raw = req.getRaw().toString(); - -// // 조건 3: Raw request에 SAMLRequest 또는 SAMLResponse 포함 -// if (raw.includes("SAMLRequest=") || raw.includes("SAMLResponse=")) { -// return true; -// } - -// return false; -// } - -// function matchAccessTokenResponse(resp: Response): boolean { -// const raw = resp.getRaw().toString(); - -// const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw); -// return !!match; -// } -======= +import type { Request, Response } from "caido:utils"; // import { ImplicitGrantController } from "./controller/implictGrant"; // import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { CsrfCheck } from "./controller/csrfCheck"; +import { PKCECheck } from "./controller/PKCECheck"; export type API = DefineAPI<{}>; const csrfCheck = new CsrfCheck(); ->>>>>>> 8de17eb (csrf(state) 관련 취약점 탐지 기능 추가) +const pkceCheck = new PKCECheck(); export function init(sdk: SDK) { // sdk.events.onInterceptRequest(async (sdk, req: Request) => { @@ -51,21 +23,23 @@ export function init(sdk: SDK) { // } // }); - sdk.events.onInterceptResponse(async (sdk, req: Request, resp) => { - const funcList = [csrfCheck.checker(sdk, req, resp)]; + sdk.events.onInterceptResponse( + async (sdk: SDK, {}>, req: Request, resp: Response) => { + const funcList: Promise[] = [ + csrfCheck.checker(sdk, req, resp), + ]; - let result = await Promise.all(funcList); + let result = await Promise.all(funcList); + if (result) { + await sdk.findings.create({ + title: "Possible SSO Response Detected", + description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + request: req, + reporter: "", + }); + } - if (result) { await pkceCheck.test(sdk, req); - - await sdk.findings.create({ - title: "Possible SSO Response Detected", - description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - request: req, - reporter: "", - }); } - - }); + ); } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 67de64e..83609d4 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -11,6 +11,9 @@ importers: '@caido-community/dev': specifier: ^0.1.3 version: 0.1.5(postcss@8.5.3)(typescript@5.5.4) + '@caido/sdk-backend': + specifier: ^0.48.1 + version: 0.48.1 typescript: specifier: 5.5.4 version: 5.5.4 @@ -34,9 +37,15 @@ packages: '@caido/quickjs-types@0.17.2': resolution: {integrity: sha512-5kcucGORMNEbcdU91yKLYZG/TFDqsO6XmCZ1TnU6V48E61mmqrJg6kjrfOFP1WOugDm+ZcGd/Su3p3XkFXfaPg==} + '@caido/quickjs-types@0.18.0': + resolution: {integrity: sha512-hRXUVdDvlhEhvkBoWWytoVS2j1KDVZa8dx2Q/KvWUQTR57U8EMSYE9iFgvPhu78gS8z+RF42Zcb7moNx4SDMlw==} + '@caido/sdk-backend@0.46.0': resolution: {integrity: sha512-peUKW/4Nrw9WVxIahc+6KrVtxA7vsbpuJqOoBxudxq7tQJ+cV9IEqzvYoFFo8KlnrTkeUQUJvd0W4WsM3HgxEg==} + '@caido/sdk-backend@0.48.1': + resolution: {integrity: sha512-JvFeOlSqAKbj3OenBn0LPtCNaOV0x6YtaAQijpvYfBJK32Nvbf924Z10bFVCu+Clc5A1qr7HcAvJ/8B/aRikWA==} + '@caido/sdk-shared@0.1.1': resolution: {integrity: sha512-JAV5ajUqxZdXYPTmDEvIKBZon8I5uHq44ATj0Nj3BVpllRDUGY9kcBd+PXMD50+3lv1CvhR3/f6q24T0+4aVJQ==} @@ -1095,11 +1104,18 @@ snapshots: '@caido/quickjs-types@0.17.2': {} + '@caido/quickjs-types@0.18.0': {} + '@caido/sdk-backend@0.46.0': dependencies: '@caido/quickjs-types': 0.17.2 '@caido/sdk-shared': 0.1.1 + '@caido/sdk-backend@0.48.1': + dependencies: + '@caido/quickjs-types': 0.18.0 + '@caido/sdk-shared': 0.1.1 + '@caido/sdk-shared@0.1.1': {} '@esbuild/aix-ppc64@0.24.2': From ef1d8f40b35b2e397c55a4a0ee556b3f6e1dc989 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 28 May 2025 16:49:48 +0900 Subject: [PATCH 11/20] [Update] feature --- dist/plugin_package.zip | Bin 11096 -> 15097 bytes packages/backend/src/controller/csrfCheck.ts | 11 +- packages/backend/src/index.ts | 15 +- packages/backend/src/utils/http.ts | 49 ++- playground/csrf/index.js | 65 ++++ playground/csrf/package-lock.json | 351 +++++++++++++++++++ playground/csrf/package.json | 9 +- 7 files changed, 464 insertions(+), 36 deletions(-) diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index a321b3b7a1ce78282a403d57a664b8d3f0a1ed8b..b24f0ab51b884d0bd98f2c5fc67f6a3aa4974095 100644 GIT binary patch delta 4264 zcmcZ+_Op~Hz?+$civa}I+D_zAVOndu(MXrEJ~YTv;q{a$Z}v`kJ!PfB+u1D&Z`yiZ zui5ct-h|f+=P111-0*hhjJH!~yzZK!@OJu|x4nB5-cDWdreg+|f`WpUf>ka(~-B4$|o-hYV zD@dn4mx4k{YI1%`s$*V?Pkwo7kp|c)nhMn*_bHSVRYF+`3J^P>%0q)Zo%3@G@&ocx z^Gcw4^h)xK4qte2CTmtK;gV5eZ9pr!^9i#CW=utzYhAiBZf2l5V|f`S5)*^>+S zG$zOK@zjGH1h-Pr7Gf!~n-oyu4`d3CSOiBR%qVa$LKG_~pvNCX9Gnys^Wctx#5F{& z7VK^iyLR(LzK`OZiRFozB?`qU*^}?6D|03n7o{nbmFDD4meuf)E=?^i(MwM)@l7qs z$WPJGtW{8{E=nx~2~V!k(9qF=8&;HBkY7}iT4bf51U3T3SAwdj)ttOWO=EJbICp)3 zx3jBrMrv}lUP&=mW-dsdLbXC#YDsd2jzSQ`bcMuX1viigj9;seR+OKspp=}LnUZgn zQBqQ%WX)BUSfl_qO~FaSpC`E%@;gVmTmtK^Zk_z@* ztb$*Di9(`+yK4x@3Q&;gDFkO{7H||~=B4W?X}!<1<~=z8HqWdWSa_B zh$<8h@rA8YEW%@osFvxamZjDgRcdH}%Q{U3TRVlq($u0#z0ADioYIukVyFaCUMo(? zCL#bpaR>4fIF1y+rl*#q78NVxW)>HN0s$Nz;NW0}h6glqN{ez3F%w#p11qjTfnK7J zS?phsn&;`FV2kchrQ+oLf>hi5g4Dds6eUfCni>ohnJMul`Pr#?O3-`+F%l9=zKQjq z!VqR`E~seK(8nI28qslTv09q?D8|5J!WX0!?mnyr*`k>MN^*+zFo%HLQB$L!h-xCK zNf6cP3i(9}5c9Fb03Ifz8iQ4s;Gz~H4UWTT!&qnxgW?Aw0oG@0tDsbnlbD%DQn}!ioE@ux8Y|Eos*qW% zpbj=r9a2t!^93YUFd`+Hm`H&X+DPW&jS~#jpeP9gm20pxlUb}#oLZt#k`Hqy!DvW< zm5AUPCABCqDKjUtq!K+g;L1`0LFEoS+Z3f1v;G45((WucM%(q^XBPu`Lc& z(e`SwD)kV(kdhHn5Fp$V3NC{Zz!e^-f&dpodc_4fnI#%ZR{Hu%n$ZTawO0E2a1|c; z#U&b=wN`L}fczqm0D_-blA)nlYp+rbv8FyTB^Bc5+60IrkQ;Om2Spd97W)@vrf23Q z=78$4Vt6%^602aV0LiNXMftgz#i@FUIXN29&>B|(Ql)C-rIw>qr5dG0IXVi}pjfTX z$WO6S09S4bwVIlU+8kUNW9o#s8sz9uxEZKMK<$R*83hHXCzA40DiOW_@j%|F2UnK_ z{ect$dL^k9B^pRBElNcS5U4B;M--PNmXsE|7M6muJ;=~{Xt?S@q`*x_R0AOrkhp<) z29$k0^PKWaG8AkTKwg1)3{hb!fz;S4X@Z)NAQd3bLi~!NramRr7Lmh21q{SKh#S?^ zz$FF5Dn!W-b4E#KNlvPQEuuCAmCw#Wo*|yjjy_n*XoMR;SvUYxbk&1G6H+Q5X+$rr zv1kPAgM|vrK}D%)sYR)I$>@#(HP(u)^z|XNvR+N8 z`9%tFxDmcc2DP^p(h@UsP<#S%TX0EHW?nkjz}f_;tq{v##@c|)#n;Y-Gy)K|!NLsO z$`zCrpX?|uGx>^|mISE5UXYy(X(5BUVX2S?#N@AP_N?G+JK02CkwXDmtW8c=S4xG& zASC|ay7gd3@NuG9)hzk*9aAu}(tgsaw?E5MtbBkuT%T^1G$3?K{{ zG2mceU|4IrnO$=RBhy;j$qThi_}1F)i9#rx{8-Dt6(pn?8q^!h$iM)?yr6*wIG$s{ jz>u4mmzf6YE@c(x=LLAPvVmlo8JHQ?GcYiiSb=x|DY}2~ delta 557 zcmexadLxV{z?+$civa{)YfR)(VS25x(MXqZ^IoPBM%JRla_`j1j9j9VQ~5K&=RG-IM2E8^ zu_!&YL{p)9avZ+_YidbpQQqX~{BpjEwzdjo`I#vS1`29w3T25orK!;dv3fbFdFdq? z3U&$x3ifbO1uKQT(wrP?E(Iv4g|mtvCcfp@*nC3ZmAE8?uTYd)T$)n?(NL?9np2!Q z`J9~e, {}>, request: Request, response: Response - ): Promise { + ): Promise { let result = ``; // 쿼리에 state 파라미터가 없으면 CSRF 위험 @@ -170,9 +170,12 @@ export class CsrfCheck { // } if (result) { - return result; // CSRF risk detected - } else { - return 0; // No CSRF risk detected + await sdk.findings.create({ + title: "csrf vuln", + description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`, + request, + reporter: "csrf reporter", + }); } } } diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 3d76481..dc44468 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -25,20 +25,7 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse( async (sdk: SDK, {}>, req: Request, resp: Response) => { - const funcList: Promise[] = [ - csrfCheck.checker(sdk, req, resp), - ]; - - let result = await Promise.all(funcList); - if (result) { - await sdk.findings.create({ - title: "Possible SSO Response Detected", - description: `SSO-related parameters detected in response:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - request: req, - reporter: "", - }); - } - + await csrfCheck.checker(sdk, req, resp); await pkceCheck.test(sdk, req); } ); diff --git a/packages/backend/src/utils/http.ts b/packages/backend/src/utils/http.ts index 91a6527..56a6fe1 100644 --- a/packages/backend/src/utils/http.ts +++ b/packages/backend/src/utils/http.ts @@ -11,6 +11,19 @@ export class HttpUtils { return instance; } + /** + * URI 디코딩 후 소문자로 변환하는 헬퍼 함수 + * @param value - 디코딩하고 소문자로 변환할 문자열 + * @returns 디코딩 및 소문자 변환된 문자열 + */ + decodeAndLower(value: string): string { + try { + return decodeURIComponent(value).toLowerCase(); + } catch { + return value.toLowerCase(); + } + } + /** * 헤더 객체의 키와 값을 전부 소문자로 변환합니다. * @param headers - Record 형태의 헤더 맵 @@ -22,14 +35,12 @@ export class HttpUtils { const result: Record = {}; for (const [rawKey, rawValue] of Object.entries(headers)) { - const key = rawKey.toLowerCase(); + const key = this.decodeAndLower(rawKey); if (Array.isArray(rawValue)) { - // 배열이면 각 요소를 소문자로 - result[key] = rawValue.map((v) => v.toLowerCase()); + result[key] = rawValue.map((v) => this.decodeAndLower(v)); } else { - // 단일 문자열이면 바로 소문자로 - result[key] = rawValue.toLowerCase(); + result[key] = this.decodeAndLower(rawValue); } } @@ -107,23 +118,29 @@ export class HttpUtils { headers: Record, name: string ): string | null { - headers = this.lowerCaseAllHeaders(headers); + const normalized = this.lowerCaseAllHeaders(headers); const target = name.toLowerCase(); - for (const [key, value] of Object.entries(headers)) { - if (key.toLowerCase() === target) { + for (const [key, value] of Object.entries(normalized)) { + if (key === target) { + let rawValue: string | null = null; + if (Array.isArray(value)) { - // 배열 형태일 때 첫 번째 요소가 비어있을 수도 있으니 안전하게 처리 - return value.length > 0 && - value[0] !== undefined && - value[0].length > 0 - ? value[0] - : null; + rawValue = value.length > 0 && value[0] ? value[0] : null; + } else { + rawValue = value.length > 0 ? value : null; + } + + if (rawValue !== null) { + try { + return decodeURIComponent(rawValue); + } catch { + return rawValue; + } } - // 문자열일 때 - return value.length > 0 ? value : null; } } + return null; } diff --git a/playground/csrf/index.js b/playground/csrf/index.js index e69de29..5c7a733 100644 --- a/playground/csrf/index.js +++ b/playground/csrf/index.js @@ -0,0 +1,65 @@ +// app.js +const express = require("express"); +const app = express(); +const port = 8000; + +// 콜백 엔드포인트 (정상 동작 시뮬레이션) +app.get("/callback", (req, res) => { + res.send(` +

Callback Received

+

Query Params:

+ 
${JSON.stringify(req.query, null, 2)}
+ `); +}); + +/** + * 1) state 파라미터를 무시하는 취약한 /authorize 엔드포인트 + * - 클라이언트가 state를 보내도 무시 + * - 리디렉트 시 state를 포함하지 않음 + */ +app.get("/authorize/no-state", (req, res) => { + const clientId = req.query.client_id || "unknown-client"; + const redirectUri = encodeURIComponent( + req.query.redirect_uri || `http://localhost:${port}/callback` + ); + const code = "authcode-12345"; + + // state를 전혀 포함하지 않은 채로 리디렉트 + const location = `${redirectUri}?code=${code}&client_id=${clientId}`; + res.set("Location", location); + res.status(302).send(`Redirecting to ${location}`); +}); + +/** + * 2) 클라이언트가 보낸 state와 다른 값을 넣는 취약한 /authorize 엔드포인트 + * - 클라이언트가 보낸 state를 로그로 확인만 하고, + * 응답 Location에는 'wrong-state'를 삽입 + */ +app.get("/authorize/mismatch-state", (req, res) => { + const clientId = req.query.client_id || "unknown-client"; + const originalState = req.query.state; + const redirectUri = encodeURIComponent( + req.query.redirect_uri || `http://localhost:${port}/callback` + ); + const code = "authcode-67890"; + + console.log(`[VULN] original state from client:`, originalState); + + // 클라이언트 state와 다르게 'wrong-state'를 삽입 + const wrongState = "wrong-state"; + const location = `${redirectUri}?code=${code}&state=${wrongState}&client_id=${clientId}`; + res.set("Location", location); + res.status(302).send(`Redirecting to ${location}`); +}); + +app.listen(port, () => { + console.log( + `Vulnerable OAuth test server listening at http://localhost:${port}` + ); + console.log( + `1) No-State: http://localhost:${port}/authorize/no-state?client_id=abc&redirect_uri=http://localhost:${port}/callback` + ); + console.log( + `2) Mismatch-State: http://localhost:${port}/authorize/mismatch-state?client_id=abc&state=xyz&redirect_uri=http://localhost:${port}/callback` + ); +}); diff --git a/playground/csrf/package-lock.json b/playground/csrf/package-lock.json index c676398..f924d15 100644 --- a/playground/csrf/package-lock.json +++ b/playground/csrf/package-lock.json @@ -10,6 +10,9 @@ "license": "ISC", "dependencies": { "express": "^5.1.0" + }, + "devDependencies": { + "nodemon": "^3.1.10" } }, "node_modules/accepts": { @@ -25,6 +28,40 @@ "node": ">= 0.6" } }, + "node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "license": "ISC", + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true, + "license": "MIT" + }, + "node_modules/binary-extensions": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", + "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/body-parser": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", @@ -45,6 +82,30 @@ "node": ">=18" } }, + "node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/braces": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", + "dev": true, + "license": "MIT", + "dependencies": { + "fill-range": "^7.1.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", @@ -83,6 +144,38 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/chokidar": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", + "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==", + "dev": true, + "license": "MIT", + "dependencies": { + "anymatch": "~3.1.2", + "braces": "~3.0.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" + }, + "engines": { + "node": ">= 8.10.0" + }, + "funding": { + "url": "https://paulmillr.com/funding/" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + } + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "dev": true, + "license": "MIT" + }, "node_modules/content-disposition": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", @@ -264,6 +357,19 @@ "url": "https://opencollective.com/express" } }, + "node_modules/fill-range": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", + "dev": true, + "license": "MIT", + "dependencies": { + "to-regex-range": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/finalhandler": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", @@ -299,6 +405,21 @@ "node": ">= 0.8" } }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", @@ -345,6 +466,19 @@ "node": ">= 0.4" } }, + "node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "license": "ISC", + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, "node_modules/gopd": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", @@ -357,6 +491,16 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/has-flag": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", + "integrity": "sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=4" + } + }, "node_modules/has-symbols": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", @@ -409,6 +553,13 @@ "node": ">=0.10.0" } }, + "node_modules/ignore-by-default": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/ignore-by-default/-/ignore-by-default-1.0.1.tgz", + "integrity": "sha512-Ius2VYcGNk7T90CppJqcIkS5ooHUZyIQK+ClZfMfMNFEF9VSE73Fq+906u/CWu92x4gzZMWOwfFYckPObzdEbA==", + "dev": true, + "license": "ISC" + }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", @@ -424,6 +575,52 @@ "node": ">= 0.10" } }, + "node_modules/is-binary-path": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", + "dev": true, + "license": "MIT", + "dependencies": { + "binary-extensions": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-extglob": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", + "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-glob": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-extglob": "^2.1.1" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.12.0" + } + }, "node_modules/is-promise": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", @@ -481,6 +678,19 @@ "node": ">= 0.6" } }, + "node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "license": "ISC", + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/ms": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", @@ -496,6 +706,45 @@ "node": ">= 0.6" } }, + "node_modules/nodemon": { + "version": "3.1.10", + "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.10.tgz", + "integrity": "sha512-WDjw3pJ0/0jMFmyNDp3gvY2YizjLmmOUQo6DEBY+JgdvW/yQ9mEeSw6H5ythl5Ny2ytb7f9C2nIbjSxMNzbJXw==", + "dev": true, + "license": "MIT", + "dependencies": { + "chokidar": "^3.5.2", + "debug": "^4", + "ignore-by-default": "^1.0.1", + "minimatch": "^3.1.2", + "pstree.remy": "^1.1.8", + "semver": "^7.5.3", + "simple-update-notifier": "^2.0.0", + "supports-color": "^5.5.0", + "touch": "^3.1.0", + "undefsafe": "^2.0.5" + }, + "bin": { + "nodemon": "bin/nodemon.js" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/nodemon" + } + }, + "node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/object-inspect": { "version": "1.13.4", "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", @@ -547,6 +796,19 @@ "node": ">=16" } }, + "node_modules/picomatch": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", + "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8.6" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, "node_modules/proxy-addr": { "version": "2.0.7", "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", @@ -560,6 +822,13 @@ "node": ">= 0.10" } }, + "node_modules/pstree.remy": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/pstree.remy/-/pstree.remy-1.1.8.tgz", + "integrity": "sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==", + "dev": true, + "license": "MIT" + }, "node_modules/qs": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", @@ -599,6 +868,19 @@ "node": ">= 0.8" } }, + "node_modules/readdirp": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", + "dev": true, + "license": "MIT", + "dependencies": { + "picomatch": "^2.2.1" + }, + "engines": { + "node": ">=8.10.0" + } + }, "node_modules/router": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", @@ -641,6 +923,19 @@ "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", "license": "MIT" }, + "node_modules/semver": { + "version": "7.7.2", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz", + "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==", + "dev": true, + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/send": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", @@ -756,6 +1051,19 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/simple-update-notifier": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-2.0.0.tgz", + "integrity": "sha512-a2B9Y0KlNXl9u/vsW6sTIu9vGEpfKu2wRV6l1H3XEas/0gUIzGzBoP/IouTcUQbm9JWZLH3COxyn03TYlFax6w==", + "dev": true, + "license": "MIT", + "dependencies": { + "semver": "^7.5.3" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/statuses": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", @@ -765,6 +1073,32 @@ "node": ">= 0.8" } }, + "node_modules/supports-color": { + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", + "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", + "dev": true, + "license": "MIT", + "dependencies": { + "has-flag": "^3.0.0" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/to-regex-range": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-number": "^7.0.0" + }, + "engines": { + "node": ">=8.0" + } + }, "node_modules/toidentifier": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", @@ -774,6 +1108,16 @@ "node": ">=0.6" } }, + "node_modules/touch": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/touch/-/touch-3.1.1.tgz", + "integrity": "sha512-r0eojU4bI8MnHr8c5bNo7lJDdI2qXlWWJk6a9EAFG7vbhTjElYhBVS3/miuE0uOuoLdb8Mc/rVfsmm6eo5o9GA==", + "dev": true, + "license": "ISC", + "bin": { + "nodetouch": "bin/nodetouch.js" + } + }, "node_modules/type-is": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", @@ -788,6 +1132,13 @@ "node": ">= 0.6" } }, + "node_modules/undefsafe": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.5.tgz", + "integrity": "sha512-WxONCrssBM8TSPRqN5EmsjVrsv4A8X12J4ArBiiayv3DyyG3ZlIg6yysuuSYdZsVz3TKcTg2fd//Ujd4CHV1iA==", + "dev": true, + "license": "MIT" + }, "node_modules/unpipe": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", diff --git a/playground/csrf/package.json b/playground/csrf/package.json index b1dd086..9c6b2a7 100644 --- a/playground/csrf/package.json +++ b/playground/csrf/package.json @@ -3,12 +3,17 @@ "version": "1.0.0", "main": "index.js", "scripts": { - "test": "echo \"Error: no test specified\" && exit 1" + "test": "echo \"Error: no test specified\" && exit 1", + "start": "nodemon index.js" }, "author": "", "license": "ISC", - "description": "", "dependencies": { "express": "^5.1.0" + }, + "keywords": [], + "description": "", + "devDependencies": { + "nodemon": "^3.1.10" } } From b64c8cc4e42e97e4441a6088d0592944ac380040 Mon Sep 17 00:00:00 2001 From: imnyang Date: Wed, 28 May 2025 23:28:31 +0900 Subject: [PATCH 12/20] =?UTF-8?q?[Add]=20PKCE=20=EC=99=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/PKCECheck.ts | 81 ++++++++++++++++---- playground/PKCEDowngrade/.env.example | 2 + 2 files changed, 66 insertions(+), 17 deletions(-) create mode 100644 playground/PKCEDowngrade/.env.example diff --git a/packages/backend/src/controller/PKCECheck.ts b/packages/backend/src/controller/PKCECheck.ts index 1d3525d..8fc5671 100644 --- a/packages/backend/src/controller/PKCECheck.ts +++ b/packages/backend/src/controller/PKCECheck.ts @@ -1,6 +1,5 @@ import type { SDK } from "caido:plugin"; -import type { Request } from "caido:utils"; -import { fetch, Request as FetchRequest } from "caido:http"; +import { Body, RequestSpec, type Request } from "caido:utils"; export class PKCECheck { async test(sdk: SDK, req: Request): Promise { @@ -32,7 +31,7 @@ export class PKCECheck { : "[WARN] OAuth2 Flow PKCE Parameters Missing", description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`, request: req, - reporter: "", + reporter: "PKCE Checker", }); return false; } @@ -45,7 +44,7 @@ export class PKCECheck { : "[WARN] OAuth2 Flow PKCE Method is 'plain'", description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`, request: req, - reporter: "", + reporter: "PKCE Checker", }); return false; } @@ -54,23 +53,71 @@ export class PKCECheck { searchParams.delete("code_challenge"); searchParams.delete("code_challenge_method"); const downgradedQuery = searchParams.toString(); - const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; + const scheme = req.getUrl().startsWith("https") ? "https" : "http"; + const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; + + sdk.console.log(`${req.getHost()} Original URL: ` + url); + sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl); try { - const [resOriginal, resDowngraded] = await Promise.all([ - fetch(new FetchRequest(url, { method: "GET" })), - fetch(new FetchRequest(downgradedUrl, { method: "GET" })), - ]); + // Use Caido Replay SDK to replay the original request + const spec = new RequestSpec(downgradedUrl); + spec.setBody(req.getBody() as Body); + for (const [key, value] of Object.entries(req.getHeaders())) { + if (Array.isArray(value)) { + spec.setHeader(key, value.join(', ')); // or another suitable delimiter + } else { + spec.setHeader(key, value); + } + } + spec.setHost(req.getHost()); + spec.setMethod(req.getMethod()); + spec.setPath(req.getPath()); + spec.setQuery(downgradedQuery); + spec.setTls(req.getTls()); + spec.setPort(req.getPort()); - const [bodyOriginal, bodyDowngraded] = await Promise.all([ - resOriginal.text(), - resDowngraded.text(), - ]); + let sendDowngradedRequest = await sdk.requests.send(spec); + + if (sendDowngradedRequest.response) { + let domain = spec.getHost(); + let port = spec.getPort(); + let path = spec.getPath(); + let query = spec.getQuery(); + let id = sendDowngradedRequest.response.getId(); + let code = sendDowngradedRequest.response.getCode(); + sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`); + } + + if (sendDowngradedRequest.response?.getCode() === 302) { + await sdk.findings.create({ + title: isOpenID + ? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability" + : "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability", + description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`, + request: req, + reporter: "PKCE Checker", + }); + } + +/* + sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status); + sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status); + + sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers)); + sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers)); + + // Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음 + const locationOriginal = resOriginal.url ?? ""; + const locationDowngraded = resDowngraded.url ?? ""; + + sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal); + sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded); const statusEqual = resOriginal.status === resDowngraded.status; - const codeInBoth = bodyOriginal.includes("code=") && bodyDowngraded.includes("code="); + const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code="); - if (statusEqual && codeInBoth) { + if (statusEqual && codeInRedirects) { const title = isOpenID ? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext" : "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext"; @@ -80,13 +127,13 @@ export class PKCECheck { await sdk.findings.create({ title, - description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`, + description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`, request: req, reporter: "", }); return true; - } + }*/ } catch (err) { sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`); } diff --git a/playground/PKCEDowngrade/.env.example b/playground/PKCEDowngrade/.env.example new file mode 100644 index 0000000..13f5f37 --- /dev/null +++ b/playground/PKCEDowngrade/.env.example @@ -0,0 +1,2 @@ +GITHUB_CLIENT_ID= +GITHUB_CLIENT_SECRET= From 5fed2eb7d043b3ec4a0cea6dcad93de6e67b2745 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Sat, 31 May 2025 11:47:52 +0900 Subject: [PATCH 13/20] [Update] index --- dist/plugin_package.zip | Bin 15097 -> 15658 bytes packages/backend/src/index.ts | 29 +++++++++++++++-------------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index b24f0ab51b884d0bd98f2c5fc67f6a3aa4974095..28184677ccc0929e907d8d2e3ba3431c8285501f 100644 GIT binary patch delta 2144 zcmexax~hsdz?+$civa|#iSD1stIT{&bpJ-<9h&k%sfDGf#U;T7smThp3TZ|8xe7|j ziJ2++R;4AGImMf0wAdKgi&GPek~0D(M{{YoC+FuCmnama7M5lfrKWhNRu(JRDnu(K z=VYelmBeSJDCsCD6{Qvz;c!Q`*nH6|$1 z>8T|eO2x_f1*uA!_IjCl$vLGdsl^&f`30$YnJG$|3N!CuQvEy>7F0cotMQBXuSX>x(S-R3#E;fy>1-p;NH z&Kar6*{Ma7{~2g)4%c6fDe8dY)s)nn)RI&UCG1vXRSNQ1J*v-A^2_tmixN{(Qvyp< ziz?9rq$EGMq$o2lT?6VPNN^M7)hK5o` zNl8JmlBR;a0+gv>1z{;oUTY}N1~Fjr3q$|<;*@MXkg54Osd_p2=^6#YZd&9GSf5j5_1$ngM6$M5)`ySF$i@JVcjlp4&`83k7?cTY z74lNc6_B!p29naE9H^xV3LwRL#i=Du`6-neQ0Ic#nqVc97fMJ>X5<$Wfl7I#CZ?no z6>Df}YARGuj^o#_hZz8o0i|dig|ft)(p0^y{LDNJP_}^>1wQ zkdh8G!+@eDCAB!YD6^m>Ge6HtAt59q6;#@Rs!N5EdEsqG16PocW@u1vEF%L02=js(2ylGXih&_FF)uSMwYWqtt2jR| Wz?+o~B+Jae%&?w;fg#lf!~+1$aIoY6 delta 1670 zcmZ2g^|O>Wz?+$civa}I+U}XitIWLCcF#uR9h!z|sU^u7ItoFlg{7&*B?^hf3T_|~ z7{68_ttdZNK`A*gGbP_Dqokx@GnW<{qft?6VQFSjYDz$2QDSbff~`WdQgTjaYFk+UU6!CNo7H*ZE}9fRMk3QJRqD)ln+l5T~co2YvCRb@0Om5TX+q^+HoN@981Fgwdb%c~t zQb7(14f1r(&n?K$OU*0MKr$xUFjmugvxWW|h=wnQ0`-BQkb!%uD77FbF*y~Nx4^zq zv)9*AP*T#=!=cy~hpK3MwOAF1R){B)^Ye-)R~z!Eh8E>0*eWEbR2QWd>ZPZagcjv! zXzCRg#7-7A@~ToI4gA$wqPMs-mt3z>^0ku088qIJ|B;}`6B76bjVf98m zR(~LcfL=*zMTrK;sZf`q1PD|Xha-wh5=%;pT?iB@c-uMa69^zu?m^ot8plZ&AOx|!+uWxDx^r6n0gx`y!v zx&}si86~+n%0+3(dc~>9C7Jnodd7N&dKTtN3RVc?QW8rNONtVcvr~)oGE+;^^zw_+ z^;7bb^+B5Ti_((K&5X^!j+}f^SBqOg0qi>+E(L|jJ_gd0-7JNC6w>mG6jZ89i*jo9 zxVR7@st_9FW2K-{jgmNPxwwL0J_Jd^y<3|AHuRpJ+~f)i-pLa!L?#Q%32t6!p~^V< zg5}1^-BxCjamQcmvan!a0AWZy!NI`5u-10Z=37?N89_D0; const csrfCheck = new CsrfCheck(); -const implicitGrantController = new ImplicitGrantController(); -const authZCodeGrantController = new AuthZCodeGrantController(); +// const implicitGrantController = new ImplicitGrantController(); +// const authZCodeGrantController = new AuthZCodeGrantController(); const pkceCheckController = new PKCECheck(); export function init(sdk: SDK) { @@ -29,20 +29,21 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse( async (sdk: SDK, {}>, req: Request, resp: Response) => { await csrfCheck.checker(sdk, req, resp); - sdk.events.onInterceptRequest(async (sdk, req: Request) => { - const result = - authZCodeGrantController.testReq(req) || - implicitGrantController.testReq(req); - - if (result) { await pkceCheckController.test(sdk, req); + // sdk.events.onInterceptRequest(async (sdk, req: Request) => { + // const result = + // authZCodeGrantController.testReq(req) || + // implicitGrantController.testReq(req); - await sdk.findings.create({ - title: "Possible SSO Request Detected", - description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - request: req, - reporter: "", - }); + // if (result) { + // await pkceCheckController.test(sdk, req); + + // await sdk.findings.create({ + // title: "Possible SSO Request Detected", + // description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + // request: req, + // reporter: "", + // }); } ); } From dfeab629d771a8b3f7802b5f8dca7696606fe661 Mon Sep 17 00:00:00 2001 From: seungyeoncherry Date: Sat, 31 May 2025 11:49:11 +0900 Subject: [PATCH 14/20] [Add] Scope Detection --- .../backend/src/controller/scopeDetection.ts | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 packages/backend/src/controller/scopeDetection.ts diff --git a/packages/backend/src/controller/scopeDetection.ts b/packages/backend/src/controller/scopeDetection.ts new file mode 100644 index 0000000..9c8610e --- /dev/null +++ b/packages/backend/src/controller/scopeDetection.ts @@ -0,0 +1,89 @@ +import type { DefineAPI, SDK } from "caido:plugin"; +import { RequestSpec } from "caido:utils"; + +const scan = async ( // scan 함수 정의 + sdk: SDK, + url: string +): Promise<{ data: string }> => { + sdk.console.log(`들어온 url : ${url}`); // url이 잘 들어왔는지 확인함요 + + // url이 string이 아니고 , 값이 없거나 그럴 때 유효한 값 넣으라고 출력. + if (!url || typeof url !== "string") { + sdk.console.log("이상한 url 입력함."); + return { data: "알맞은 URL을 입력하세요." }; + } + + try { + const spec = new RequestSpec(url); // url에 GET 요청 보낼거긔. + spec.setMethod("GET"); + spec.setHeader("User-Agent", "Caido Scanner"); + spec.setHeader("Accept", "*/*"); + sdk.console.log(`요청 URL: ${url}`); + + const res = await sdk.requests.send(spec); // 요청 보내고 응답 받음. + sdk.console.log('[SCAN] 응답 :', res); + sdk.console.log(`[SCAN] 요청 성공:${(res as any).status}`); + sdk.console.log(`[SCAN] body: ${(res as any).body ? (res as any).body.toString().substring(0, 100) : "없음"}`); + + const html = (res as any).body ? (res as any).body.toString() : ""; + + // ]*href="([^"]+)"[^>]*>/gi; + const anchors: string[] = []; + let match; + while ((match = anchorRegex.exec(html)) !== null) { // html에서 a href 찾아 배열에 저장함. + if (typeof match[1] === "string") { + anchors.push(match[1]); + } + } + sdk.console.log(`찾아진 a href 개수: ${anchors.length}`); + + // 5. scope 탐지 + const results: string[] = []; + anchors.forEach((href) => { // 추출한 a href 링크 하나씩 검사드감. + try { + const absHref = new URL(href, url).href; // 상대경로라면 url 기준으로 절대 URL 바꿔줌줌 + sdk.console.log(`[SCAN] 절대 URL 변환: ${href} -> ${absHref}`); // + + if (/oauth|authorize|login|accounts|auth/i.test(absHref)) { // url에 이런 OAuth 키워드가 있는지 필터링. + let u: URL; + try { + u = new URL(absHref); // 필터링된 url을 url 객체로 파싱. 정식 url인 경우 변수 u에 저장. + } catch (err) { // 파싱 실패하면 + sdk.console.log( + `URL 파싱 실패 : ${absHref} (${err instanceof Error ? err.message : err})` + ); + return; + } + + try { + const scope = u.searchParams.get("scope"); // url에 scope있긔?scope값 가져와. + if (scope && /all|\*/i.test(scope)) { // scope가 존재하고 all, *있다면. + results.push(`위험한 scope 발견: ${scope}\n -> ${absHref}`); // results에 경고 메시지 전달. + } + } catch (err) { + sdk.console.log(`searchParams.get 실패`); + } + } + } catch (e) { + sdk.console.log( + `URL 파싱 실패 (absHref 단계): ${href} (${e instanceof Error ? e.message : e})` + ); + } + }); + + const resultStr = results.join("\n") || "위험한 scope가 발견되지 않았습니다."; + return { data: resultStr }; // 성공했는지 실패했는지 App.vue한테 전달할 메시지. + } catch (e) { + sdk.console.log(`백엔드 에러: ${e instanceof Error ? e.message : e}`); + return { data: "백엔드 에러: " + (e instanceof Error ? e.message : String(e)) }; // App.vue에 전달할 메시지. + } +}; + +export type API = DefineAPI<{ + scan: typeof scan; +}>; + +export function init(sdk: SDK) { + sdk.api.register("scan", scan); +} \ No newline at end of file From b1f3534e1cd6d3f0f33d6a3b563d965784929454 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sat, 31 May 2025 11:55:15 +0900 Subject: [PATCH 15/20] =?UTF-8?q?=ED=8F=AC=ED=8C=85=EC=9D=80=20=ED=96=88?= =?UTF-8?q?=EB=8A=94=EB=8D=B0=20=ED=85=8C=EC=8A=A4=ED=8A=B8=EB=8A=94=20?= =?UTF-8?q?=EC=95=88=ED=95=B4=EB=B3=B4=EA=B8=B4=20=ED=96=88=EC=96=B4?= =?UTF-8?q?=EC=9A=94=20=ED=85=8C=EC=8A=A4=ED=8A=B8=EC=A2=80=20=ED=95=B4?= =?UTF-8?q?=EC=A3=BC=EC=84=B8=EC=9A=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bun.lock | 52 ++++-- package.json | 4 + .../backend/src/controller/scopeDetection.ts | 148 +++++++++--------- packages/backend/src/index.ts | 3 + 4 files changed, 119 insertions(+), 88 deletions(-) diff --git a/bun.lock b/bun.lock index 289e8aa..6fa7969 100644 --- a/bun.lock +++ b/bun.lock @@ -3,6 +3,10 @@ "workspaces": { "": { "name": "caido-oauth", + "dependencies": { + "@types/jsonwebtoken": "^9.0.9", + "jsonwebtoken": "^9.0.2", + }, "devDependencies": { "@caido-community/dev": "^0.1.3", "@caido/sdk-backend": "^0.48.1", @@ -127,6 +131,12 @@ "@types/estree": ["@types/estree@1.0.7", "", {}, "sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ=="], + "@types/jsonwebtoken": ["@types/jsonwebtoken@9.0.9", "", { "dependencies": { "@types/ms": "*", "@types/node": "*" } }, "sha512-uoe+GxEuHbvy12OUQct2X9JenKM3qAscquYymuQN4fMWG9DBQtykrQEFcAbVACF7qaLw9BePSodUL0kquqBJpQ=="], + + "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="], + + "@types/node": ["@types/node@22.15.29", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ=="], + "accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="], "ajv": ["ajv@8.17.1", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g=="], @@ -143,6 +153,8 @@ "brace-expansion": ["brace-expansion@2.0.1", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA=="], + "buffer-equal-constant-time": ["buffer-equal-constant-time@1.0.1", "", {}, "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="], + "bundle-require": ["bundle-require@5.1.0", "", { "dependencies": { "load-tsconfig": "^0.2.3" }, "peerDependencies": { "esbuild": ">=0.18" } }, "sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA=="], "bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="], @@ -185,6 +197,8 @@ "eastasianwidth": ["eastasianwidth@0.2.0", "", {}, "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA=="], + "ecdsa-sig-formatter": ["ecdsa-sig-formatter@1.0.11", "", { "dependencies": { "safe-buffer": "^5.0.1" } }, "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ=="], + "ee-first": ["ee-first@1.1.1", "", {}, "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="], "emoji-regex": ["emoji-regex@9.2.2", "", {}, "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg=="], @@ -261,8 +275,14 @@ "json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="], + "jsonwebtoken": ["jsonwebtoken@9.0.2", "", { "dependencies": { "jws": "^3.2.2", "lodash.includes": "^4.3.0", "lodash.isboolean": "^3.0.3", "lodash.isinteger": "^4.0.4", "lodash.isnumber": "^3.0.3", "lodash.isplainobject": "^4.0.6", "lodash.isstring": "^4.0.1", "lodash.once": "^4.0.0", "ms": "^2.1.1", "semver": "^7.5.4" } }, "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ=="], + "jszip": ["jszip@3.10.1", "", { "dependencies": { "lie": "~3.3.0", "pako": "~1.0.2", "readable-stream": "~2.3.6", "setimmediate": "^1.0.5" } }, "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g=="], + "jwa": ["jwa@1.4.2", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw=="], + + "jws": ["jws@3.2.2", "", { "dependencies": { "jwa": "^1.4.1", "safe-buffer": "^5.0.1" } }, "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA=="], + "lie": ["lie@3.3.0", "", { "dependencies": { "immediate": "~3.0.5" } }, "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ=="], "lilconfig": ["lilconfig@3.1.3", "", {}, "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw=="], @@ -271,6 +291,20 @@ "load-tsconfig": ["load-tsconfig@0.2.5", "", {}, "sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg=="], + "lodash.includes": ["lodash.includes@4.3.0", "", {}, "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w=="], + + "lodash.isboolean": ["lodash.isboolean@3.0.3", "", {}, "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg=="], + + "lodash.isinteger": ["lodash.isinteger@4.0.4", "", {}, "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA=="], + + "lodash.isnumber": ["lodash.isnumber@3.0.3", "", {}, "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw=="], + + "lodash.isplainobject": ["lodash.isplainobject@4.0.6", "", {}, "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA=="], + + "lodash.isstring": ["lodash.isstring@4.0.1", "", {}, "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw=="], + + "lodash.once": ["lodash.once@4.1.1", "", {}, "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg=="], + "lodash.sortby": ["lodash.sortby@4.7.0", "", {}, "sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA=="], "lru-cache": ["lru-cache@11.1.0", "", {}, "sha512-QIXZUBJUx+2zHUdQujWejBkcD9+cs94tLn0+YL8UrCh+D5sCXZ4c7LaEH48pNwRY3MLDgqUFyhlCyjJPf1WP0A=="], @@ -291,7 +325,7 @@ "minipass": ["minipass@7.1.2", "", {}, "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw=="], - "ms": ["ms@2.1.2", "", {}, "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="], + "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], "mz": ["mz@2.7.0", "", { "dependencies": { "any-promise": "^1.0.0", "object-assign": "^4.0.1", "thenify-all": "^1.0.0" } }, "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q=="], @@ -357,6 +391,8 @@ "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="], + "semver": ["semver@7.7.2", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA=="], + "send": ["send@1.2.0", "", { "dependencies": { "debug": "^4.3.5", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.0", "mime-types": "^3.0.1", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.1" } }, "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw=="], "serve-static": ["serve-static@2.2.0", "", { "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", "send": "^1.2.0" } }, "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ=="], @@ -419,6 +455,8 @@ "typescript": ["typescript@5.5.4", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q=="], + "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], + "unpipe": ["unpipe@1.0.0", "", {}, "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="], "util-deprecate": ["util-deprecate@1.0.2", "", {}, "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="], @@ -449,14 +487,14 @@ "body-parser/qs": ["qs@6.14.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w=="], + "debug/ms": ["ms@2.1.2", "", {}, "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="], + "finalhandler/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="], "readable-stream/safe-buffer": ["safe-buffer@5.1.2", "", {}, "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="], "router/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="], - "send/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], - "string-width-cjs/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="], "string-width-cjs/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], @@ -477,12 +515,6 @@ "wrap-ansi-cjs/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], - "body-parser/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], - - "finalhandler/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], - - "router/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], - "string-width-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], "sucrase/glob/jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="], @@ -491,8 +523,6 @@ "sucrase/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], - "tsup/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], - "wrap-ansi-cjs/string-width/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="], "wrap-ansi-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], diff --git a/package.json b/package.json index 7d2ba1b..a1e0324 100644 --- a/package.json +++ b/package.json @@ -11,5 +11,9 @@ "@caido-community/dev": "^0.1.3", "@caido/sdk-backend": "^0.48.1", "typescript": "5.5.4" + }, + "dependencies": { + "@types/jsonwebtoken": "^9.0.9", + "jsonwebtoken": "^9.0.2" } } diff --git a/packages/backend/src/controller/scopeDetection.ts b/packages/backend/src/controller/scopeDetection.ts index 9c8610e..9b74dcc 100644 --- a/packages/backend/src/controller/scopeDetection.ts +++ b/packages/backend/src/controller/scopeDetection.ts @@ -1,89 +1,83 @@ -import type { DefineAPI, SDK } from "caido:plugin"; +import type { SDK } from "caido:plugin"; import { RequestSpec } from "caido:utils"; -const scan = async ( // scan 함수 정의 - sdk: SDK, - url: string -): Promise<{ data: string }> => { - sdk.console.log(`들어온 url : ${url}`); // url이 잘 들어왔는지 확인함요 - - // url이 string이 아니고 , 값이 없거나 그럴 때 유효한 값 넣으라고 출력. - if (!url || typeof url !== "string") { - sdk.console.log("이상한 url 입력함."); - return { data: "알맞은 URL을 입력하세요." }; - } - - try { - const spec = new RequestSpec(url); // url에 GET 요청 보낼거긔. - spec.setMethod("GET"); - spec.setHeader("User-Agent", "Caido Scanner"); - spec.setHeader("Accept", "*/*"); - sdk.console.log(`요청 URL: ${url}`); - - const res = await sdk.requests.send(spec); // 요청 보내고 응답 받음. - sdk.console.log('[SCAN] 응답 :', res); - sdk.console.log(`[SCAN] 요청 성공:${(res as any).status}`); - sdk.console.log(`[SCAN] body: ${(res as any).body ? (res as any).body.toString().substring(0, 100) : "없음"}`); - - const html = (res as any).body ? (res as any).body.toString() : ""; - - // ]*href="([^"]+)"[^>]*>/gi; - const anchors: string[] = []; - let match; - while ((match = anchorRegex.exec(html)) !== null) { // html에서 a href 찾아 배열에 저장함. - if (typeof match[1] === "string") { - anchors.push(match[1]); - } +export class ScopeDetection { + async scan( + sdk: SDK, + url: string + ): Promise<{ data: string }> { + sdk.console.log(`들어온 url : ${url}`); // url이 잘 들어왔는지 확인함요 + + // url이 string이 아니고 , 값이 없거나 그럴 때 유효한 값 넣으라고 출력. + if (!url || typeof url !== "string") { + sdk.console.log("이상한 url 입력함."); + return { data: "알맞은 URL을 입력하세요." }; } - sdk.console.log(`찾아진 a href 개수: ${anchors.length}`); - // 5. scope 탐지 - const results: string[] = []; - anchors.forEach((href) => { // 추출한 a href 링크 하나씩 검사드감. - try { - const absHref = new URL(href, url).href; // 상대경로라면 url 기준으로 절대 URL 바꿔줌줌 - sdk.console.log(`[SCAN] 절대 URL 변환: ${href} -> ${absHref}`); // + try { + const spec = new RequestSpec(url); // url에 GET 요청 보낼거긔. + spec.setMethod("GET"); + spec.setHeader("User-Agent", "Caido Scanner"); + spec.setHeader("Accept", "*/*"); + sdk.console.log(`요청 URL: ${url}`); - if (/oauth|authorize|login|accounts|auth/i.test(absHref)) { // url에 이런 OAuth 키워드가 있는지 필터링. - let u: URL; - try { - u = new URL(absHref); // 필터링된 url을 url 객체로 파싱. 정식 url인 경우 변수 u에 저장. - } catch (err) { // 파싱 실패하면 - sdk.console.log( - `URL 파싱 실패 : ${absHref} (${err instanceof Error ? err.message : err})` - ); - return; - } + const res = await sdk.requests.send(spec); // 요청 보내고 응답 받음. + sdk.console.log('[SCAN] 응답 :', res); + sdk.console.log(`[SCAN] 요청 성공:${(res as any).status}`); + sdk.console.log(`[SCAN] body: ${(res as any).body ? (res as any).body.toString().substring(0, 100) : "없음"}`); - try { - const scope = u.searchParams.get("scope"); // url에 scope있긔?scope값 가져와. - if (scope && /all|\*/i.test(scope)) { // scope가 존재하고 all, *있다면. - results.push(`위험한 scope 발견: ${scope}\n -> ${absHref}`); // results에 경고 메시지 전달. - } - } catch (err) { - sdk.console.log(`searchParams.get 실패`); - } + const html = (res as any).body ? (res as any).body.toString() : ""; + + // ]*href="([^"]+)"[^>]*>/gi; + const anchors: string[] = []; + let match; + while ((match = anchorRegex.exec(html)) !== null) { // html에서 a href 찾아 배열에 저장함. + if (typeof match[1] === "string") { + anchors.push(match[1]); } - } catch (e) { - sdk.console.log( - `URL 파싱 실패 (absHref 단계): ${href} (${e instanceof Error ? e.message : e})` - ); } - }); + sdk.console.log(`찾아진 a href 개수: ${anchors.length}`); - const resultStr = results.join("\n") || "위험한 scope가 발견되지 않았습니다."; - return { data: resultStr }; // 성공했는지 실패했는지 App.vue한테 전달할 메시지. - } catch (e) { - sdk.console.log(`백엔드 에러: ${e instanceof Error ? e.message : e}`); - return { data: "백엔드 에러: " + (e instanceof Error ? e.message : String(e)) }; // App.vue에 전달할 메시지. - } -}; + // 5. scope 탐지 + const results: string[] = []; + anchors.forEach((href) => { // 추출한 a href 링크 하나씩 검사드감. + try { + const absHref = new URL(href, url).href; // 상대경로라면 url 기준으로 절대 URL 바꿔줌줌 + sdk.console.log(`[SCAN] 절대 URL 변환: ${href} -> ${absHref}`); // -export type API = DefineAPI<{ - scan: typeof scan; -}>; + if (/oauth|authorize|login|accounts|auth/i.test(absHref)) { // url에 이런 OAuth 키워드가 있는지 필터링. + let u: URL; + try { + u = new URL(absHref); // 필터링된 url을 url 객체로 파싱. 정식 url인 경우 변수 u에 저장. + } catch (err) { // 파싱 실패하면 + sdk.console.log( + `URL 파싱 실패 : ${absHref} (${err instanceof Error ? err.message : err})` + ); + return; + } -export function init(sdk: SDK) { - sdk.api.register("scan", scan); + try { + const scope = u.searchParams.get("scope"); // url에 scope있긔?scope값 가져와. + if (scope && /all|\*/i.test(scope)) { // scope가 존재하고 all, *있다면. + results.push(`위험한 scope 발견: ${scope}\n -> ${absHref}`); // results에 경고 메시지 전달. + } + } catch (err) { + sdk.console.log(`searchParams.get 실패`); + } + } + } catch (e) { + sdk.console.log( + `URL 파싱 실패 (absHref 단계): ${href} (${e instanceof Error ? e.message : e})` + ); + } + }); + + const resultStr = results.join("\n") || "위험한 scope가 발견되지 않았습니다."; + return { data: resultStr }; // 성공했는지 실패했는지 App.vue한테 전달할 메시지. + } catch (e) { + sdk.console.log(`백엔드 에러: ${e instanceof Error ? e.message : e}`); + return { data: "백엔드 에러: " + (e instanceof Error ? e.message : String(e)) }; // App.vue에 전달할 메시지. + } + }; } \ No newline at end of file diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 2eccd6d..244a3e2 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -3,12 +3,14 @@ import type { Request } from "caido:utils"; import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { PKCECheck } from "./controller/PKCECheck"; +import { ScopeDetection } from "./controller/scopeDetection"; export type API = DefineAPI<{}>; const implicitGrantController = new ImplicitGrantController(); const authZCodeGrantController = new AuthZCodeGrantController(); const pkceCheckController = new PKCECheck(); +const ScopeDetectionController = new ScopeDetection(); // function matchSSORequest(req: Request): boolean { // const raw = req.getRaw().toString(); @@ -36,6 +38,7 @@ export function init(sdk: SDK) { if (result) { await pkceCheckController.test(sdk, req); + await ScopeDetectionController.scan(sdk, req.getUrl()); await sdk.findings.create({ title: "Possible SSO Request Detected", From 858dfd16dc24600d4bb604ce9e6f457e66129be8 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sun, 25 May 2025 21:43:21 +0900 Subject: [PATCH 16/20] =?UTF-8?q?FEAT=20:=20AccessToken=20=EB=B0=8F=20?= =?UTF-8?q?=EA=B0=81=EC=A2=85=20=ED=86=A0=ED=81=B0=20=EC=A1=B4=EC=9E=AC=20?= =?UTF-8?q?=EC=97=AC=EB=B6=80=20=ED=99=95=EC=9D=B8=ED=95=98=EB=8A=94=20con?= =?UTF-8?q?troller=20=EC=9E=91=EC=84=B1,=20=ED=85=8C=EC=8A=A4=ED=8A=B8=20?= =?UTF-8?q?=ED=95=84=EC=9A=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 packages/backend/src/controller/accessTokenDetector.ts diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts new file mode 100644 index 0000000..fb3d03f --- /dev/null +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -0,0 +1,146 @@ +import type { Request, Response } from "caido:utils"; + +// 토큰 누출 검사 결과를 담는 구조 +export interface TokenLeakResult { + found: boolean; // 토큰이 발견되었는지 여부 (true/false) + location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) + title: string; // 경고 제목 + description: string; // 상세 설명 + value?: string; // 실제 발견된 값 (선택적) +} + +// 액세스 토큰 누출 검사 클래스 +export class AccessTokenLeakController { + + /** + * @param request - 검사할 HTTP 요청 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async testReq(request: Request): Promise { + + // === 1. URL에서 토큰 검사 === + const url = request.getUrl(); + + const extractedTokenFromUrl = this.extractTokenFromText(url); + + if (extractedTokenFromUrl) { + return { + found: true, + location: 'url', + title: "Access Token Leak in URL", + description: `요청 URL에 액세스 토큰 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, + value: url + }; + } + + // === 2. 요청 본문(Body)에서 토큰 검사 === + const body = request.getBody(); + + if (body) { + const bodyText = await body.toText(); + + const extractedTokenFromBody = this.extractTokenFromText(bodyText); + + if (extractedTokenFromBody) { + return { + found: true, + location: 'body', + title: "Access Token Leak in Request Body", + description: `요청 Body에 access_token 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + value: bodyText + }; + } + } + + return null; + } + + /** + * HTTP 응답에서 액세스 토큰 누출 검사 + * @param response - 검사할 HTTP 응답 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async testResp(response: Response): Promise { + + // === 1. Location 헤더에서 토큰 검사 === + const locationHeader = response.getHeader("Location"); + + const locationHeaderStr = Array.isArray(locationHeader) ? locationHeader.join(', ') : locationHeader; + + if (locationHeaderStr) { + const extractedTokenFromHeader = this.extractTokenFromText(locationHeaderStr); + + if (extractedTokenFromHeader) { + return { + found: true, + location: 'header', + title: "Access Token Leak in Redirect URL", + description: `Location 헤더에 액세스 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, + value: locationHeaderStr + }; + } + } + + // === 2. 응답 본문에서 토큰 검사 === + const bodyBytes = response.getBody(); + + if (bodyBytes) { + const bodyText = await bodyBytes.toText(); + + const extractedTokenFromBody = this.extractTokenFromText(bodyText); + + if (extractedTokenFromBody) { + return { + found: true, + location: 'body', + title: "Access Token Leak in Response Body", + description: `HTTP 응답 본문에 'access_token' 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + value: bodyText + }; + } + } + + return null; + } + + /** + * 텍스트에서 실제 토큰 값을 추출 + * @param text - 검사할 텍스트 + * @returns 토큰 값이 있으면 해당 값, 없으면 null + */ +private extractTokenFromText(text: string): string | null { + // 토큰 관련 키워드 리스트 + const tokenKeys = [ + 'access_token', + 'id_token', + 'auth_token', + 'token', + 'jwt', + 'session_token' + ]; + + // 정규표현식 패턴 리스트 생성 + const tokenPatterns: RegExp[] = []; + + for (const key of tokenKeys) { + // 1. key=token 또는 key: token + tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i')); + + // 2. JSON 형태의 "key": "token" + tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i')); + } + + // 3. Authorization: Bearer 형태 + tokenPatterns.push(/bearer\s+([a-zA-Z0-9\-._~+/]+=*)/i); + + // 모든 패턴에 대해 검사 + for (const pattern of tokenPatterns) { + const match = pattern.exec(text); + if (match && match[1]) { + return match[1]; + } + } + + return null; + } +} \ No newline at end of file From 7b704cacf499a68cbc7a4d2cae058bca19d579af Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sat, 31 May 2025 11:55:44 +0900 Subject: [PATCH 17/20] =?UTF-8?q?STYLE=20:=20=EB=A1=9C=EA=B7=B8=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index fb3d03f..22be16e 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -2,21 +2,21 @@ import type { Request, Response } from "caido:utils"; // 토큰 누출 검사 결과를 담는 구조 export interface TokenLeakResult { - found: boolean; // 토큰이 발견되었는지 여부 (true/false) - location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) - title: string; // 경고 제목 - description: string; // 상세 설명 - value?: string; // 실제 발견된 값 (선택적) + found: boolean; // 토큰이 발견되었는지 여부 (true/false) + location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) + title: string; // 경고 제목 + description: string; // 상세 설명 + value?: string; // 실제 발견된 값 (선택적) } // 액세스 토큰 누출 검사 클래스 export class AccessTokenLeakController { - - /** - * @param request - 검사할 HTTP 요청 객체 - * @returns 토큰이 발견되면 결과 객체, 없으면 null - */ - async testReq(request: Request): Promise { + + /** + * @param request - 검사할 HTTP 요청 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async testReq(request: Request): Promise { // === 1. URL에서 토큰 검사 === const url = request.getUrl(); @@ -28,7 +28,7 @@ export class AccessTokenLeakController { found: true, location: 'url', title: "Access Token Leak in URL", - description: `요청 URL에 액세스 토큰 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, + description: `요청 URL에 토큰이 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, value: url }; } @@ -46,7 +46,7 @@ export class AccessTokenLeakController { found: true, location: 'body', title: "Access Token Leak in Request Body", - description: `요청 Body에 access_token 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + description: `요청 Body에 토큰이이 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, value: bodyText }; } @@ -75,7 +75,7 @@ export class AccessTokenLeakController { found: true, location: 'header', title: "Access Token Leak in Redirect URL", - description: `Location 헤더에 액세스 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, + description: `Location 헤더에 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, value: locationHeaderStr }; } @@ -88,13 +88,13 @@ export class AccessTokenLeakController { const bodyText = await bodyBytes.toText(); const extractedTokenFromBody = this.extractTokenFromText(bodyText); - + if (extractedTokenFromBody) { return { found: true, location: 'body', title: "Access Token Leak in Response Body", - description: `HTTP 응답 본문에 'access_token' 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + description: `HTTP 응답 본문에 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, value: bodyText }; } From d9353220e64867cdb1006fd37a77a8dac467365b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=95=94=EB=83=A5=20=28imnyang=29?= Date: Sat, 31 May 2025 12:03:49 +0900 Subject: [PATCH 18/20] Update README.md --- README.md | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index c5497cc..90fb3a9 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,6 @@ # caido-plugin-test -## To-Do -- [ ] PKCE 다운그래이드 https에서 작동 안하는 이슈 고치기 - -```log -2025-05-25T15:52:40.757475Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connection (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.757530Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connected for http://localhost:8787 (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.757562Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost/login (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.767186Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost:8787/login -> 302 361 (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.768696Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) -2025-05-25T15:52:41.103596Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 -> 302 4927 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) -2025-05-25T15:52:41.105944Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connection (34585a00-9f9f-4c72-b087-2e9e92418dad) -2025-05-25T15:52:41.105993Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connected for http://localhost:8787 (34585a00-9f9f-4c72-b087-2e9e92418dad) -2025-05-25T15:52:41.106023Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 (34585a00-9f9f-4c72-b087-2e9e92418dad) -2025-05-25T15:52:41.108270Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] Required PKCE parameters missing. Skipping. -2025-05-25T15:52:41.277387Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] No PKCE downgrade detected. -2025-05-25T15:52:41.686109Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost:8787/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 -> 200 1582 (34585a00-9f9f-4c72-b087-2e9e92418dad) -``` \ No newline at end of file +```bash +pnpm install +pnpm run watch +``` From f1b5ef5f9b668d57a2c9999b34e142531bc8afac Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sat, 31 May 2025 12:37:54 +0900 Subject: [PATCH 19/20] =?UTF-8?q?REFACTOR=20:=20findings=EB=A5=BCindex?= =?UTF-8?q?=EA=B0=80=20=EC=95=84=EB=8B=8C=20=EB=AA=A8=EB=93=88=EC=95=A0?= =?UTF-8?q?=EC=84=9C=20=EB=A7=8C=EB=93=A4=EB=8F=84=EB=A1=9D=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 48 ++++++++++++++----- packages/backend/src/index.ts | 4 ++ 2 files changed, 40 insertions(+), 12 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index 22be16e..8093a54 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -1,22 +1,46 @@ import type { Request, Response } from "caido:utils"; +import type { SDK, DefineAPI } from "caido:plugin"; // 토큰 누출 검사 결과를 담는 구조 export interface TokenLeakResult { - found: boolean; // 토큰이 발견되었는지 여부 (true/false) - location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) - title: string; // 경고 제목 - description: string; // 상세 설명 - value?: string; // 실제 발견된 값 (선택적) + found: boolean; // 토큰이 발견되었는지 여부 (true/false) + location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) + title: string; // 경고 제목 + description: string; // 상세 설명 + value?: string; // 실제 발견된 값 (선택적) } // 액세스 토큰 누출 검사 클래스 export class AccessTokenLeakController { - - /** - * @param request - 검사할 HTTP 요청 객체 - * @returns 토큰이 발견되면 결과 객체, 없으면 null - */ - async testReq(request: Request): Promise { + async testReq(sdk: SDK>, request: Request): Promise { + const result = await this._scanRequest(request); + if (result) { + await sdk.findings.create({ + title: result.title, + description: result.description, + request, + reporter: "", + }); + } + } + + async testResp(sdk: SDK>, response: Response, request: Request): Promise { + const result = await this._scanResponse(response); + if (result) { + await sdk.findings.create({ + title: result.title, + description: result.description, + request, + reporter: "", + }); + } + } + + /** + * @param request - 검사할 HTTP 요청 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async _scanRequest(request: Request): Promise { // === 1. URL에서 토큰 검사 === const url = request.getUrl(); @@ -60,7 +84,7 @@ export class AccessTokenLeakController { * @param response - 검사할 HTTP 응답 객체 * @returns 토큰이 발견되면 결과 객체, 없으면 null */ - async testResp(response: Response): Promise { + async _scanResponse(response: Response): Promise { // === 1. Location 헤더에서 토큰 검사 === const locationHeader = response.getHeader("Location"); diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index a24d2c7..9cf32b2 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -4,6 +4,7 @@ import type { Request, Response } from "caido:utils"; // import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { CsrfCheck } from "./controller/csrfCheck"; import { PKCECheck } from "./controller/PKCECheck"; +import { AccessTokenLeakController } from "./controller/accessTokenDetector"; export type API = DefineAPI<{}>; @@ -11,6 +12,7 @@ const csrfCheck = new CsrfCheck(); // const implicitGrantController = new ImplicitGrantController(); // const authZCodeGrantController = new AuthZCodeGrantController(); const pkceCheckController = new PKCECheck(); +const tokenCheck = new AccessTokenLeakController(); export function init(sdk: SDK) { // sdk.events.onInterceptRequest(async (sdk, req: Request) => { @@ -30,6 +32,8 @@ export function init(sdk: SDK) { async (sdk: SDK, {}>, req: Request, resp: Response) => { await csrfCheck.checker(sdk, req, resp); await pkceCheckController.test(sdk, req); + await tokenCheck.testReq(sdk, req); + await tokenCheck.testResp(sdk, resp, req); // sdk.events.onInterceptRequest(async (sdk, req: Request) => { // const result = // authZCodeGrantController.testReq(req) || From 907fcd81208c07990f8a2b371abcda1814345d68 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sat, 31 May 2025 15:02:27 +0900 Subject: [PATCH 20/20] Remove pkce --- .gitignore | 3 +- dist/plugin_package.zip | Bin 15658 -> 0 bytes playground/pkce/.gitignore | 34 -------------------- playground/pkce/README.md | 15 --------- playground/pkce/bun.lock | 25 -------------- playground/pkce/package.json | 10 ------ playground/pkce/src/PKCEDowngradeExpress.js | 31 ------------------ playground/pkce/tsconfig.json | 29 ----------------- 8 files changed, 2 insertions(+), 145 deletions(-) delete mode 100644 dist/plugin_package.zip delete mode 100644 playground/pkce/.gitignore delete mode 100644 playground/pkce/README.md delete mode 100644 playground/pkce/bun.lock delete mode 100644 playground/pkce/package.json delete mode 100644 playground/pkce/src/PKCEDowngradeExpress.js delete mode 100644 playground/pkce/tsconfig.json diff --git a/.gitignore b/.gitignore index 648628f..0d4515a 100644 --- a/.gitignore +++ b/.gitignore @@ -220,5 +220,6 @@ dist/* packages/frontend/dist packages/backend/dist #!dist/*.zip +dist/plugin_package.zip -# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux \ No newline at end of file +# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip deleted file mode 100644 index 28184677ccc0929e907d8d2e3ba3431c8285501f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15658 zcmWIWW@h1H0D)_w`=dZK40A9rFeD`=XQ$?+=tES2M9@_UAgRjCOG&NJ%PQ8_S13qK z&Q45EE!KybP+XL(Us{rxQ>>p+Qc|E-Qp{DBSfr4dS6q^qmz=6#tB_ZklVc4Q^e8DQ z2n8usuvJLTNh~f_sOC~o(AU!9QczIPQh3w7@zsuow=G)~-pt+crfbRDmMw3(mb_lN zN8wHL+&3*7-%efmy1V0b_Yys@dVMYhh2;Fa;*z4$Ccs*sxo4r$BPg$w(c6N)x zo3@_UYj(VuH{tcdISQ{gH@uxW6ihsQcJ<1Ah9Sh zSD`F1r!-YT7h%%dsWV<}UVz=K1qu-J-%Q^EH3Z_wVuW^u*Bkl~nxU?EJz)--PEgRL zq$cO5q&nuM_~e(T7HNQ80t>E^qDp9B!UGPXJT%DDIX|}`KQA?}1gb@^Bp+;ob7FC- zh9)HNY88?bOOi9t%>dhhRXvviI4t5&?8I02ixKymPG@^eFjJT*#- zGIc=V0rO62QKo{eLTOPZwqy$lx9rqPY?8=%2ogu7MLGUSS)dXzwOk=I$OmK@+{;iW zLe%ILrzRF9XMkN+te2izqLH0i2~`TqTNT2Rsi`45Ek^%cN=L@8z$ z?|CzA%bVpb3UBuBdA)26qHNG81cis@o9PqYw9Em8!kg(66y8qV^16E`v?PP(zt6%blp zZI}d3G71imID)4)n6uTAZH>`$1lap;W?_aj*eFoyD@HD?AV~q7`g9;}fE5LhKq5C0 zf>VKlEyPGFq*8Do73&p4$}gBxLFF&J$bu><$qxqC$B+gD$!Qo@afMtMfKzwV+BXa4 zXr!d(q?V*=LQ^?7j7d-G4q&H4vO9f}CD`$Ar{YVNXld>ZSPP`>(FkqRK=K;i#8#A= zn_rd+t~kI|5K?-hPC_HGv;&89u^uGakg7t6Z(*e%mNcZV0BulVum2E@F=&;SmzbN1 zQRltcv|8cyrj9qucfeY2#MFY&796;?0W~^{3-a@dQ$a;F)JYne3ZN1aR*r%@3Xt|L zBtb&c7syFqLm)NYu05}twjft`kQOSWY*Ns8Go!;wK`AFcIk6-&KTkM3r6IM1vq8;Za8ZV>4UBLEQj-gS3L1!tf?B*lHxhL8@S_Q+VN;lbV-alA&Oy zV4$F;1}Si(4Pq7S5lky^^8*qJAR{o^#0toc0$ZwwWGd7o1q@?AsS9KtxStGnm!d7C zqmJxv1qI|bELab$8x83up!5b|MnPLB5aqDODyW|i5do2q?!jG`_I!FHw(ACMIFCT(1k=cs1$(oLf_2Yq3~+c-Z!&0 zC`5xD6srJfHosmt2i8-Kjzv=SYWt4YJq;jdziC?YX4Xnf8z3%3lxa}6g6u@Jb0JlN z0@mgiD7nCgD-eYmxaSKp1saTy0!RnaLEnPtQYgIMu;I=0Eg&~TRl>Tyuy!3NOM~JW zRENR>e*x5)&>)4CYmTKQ8Tmz-Rq(1P2qm zY4>WwBn1sfuq(WtF#*)^fbgPYag~y~3U8J-yjd_6RG&gT0}6mQ(_3HnZg?|y%iFFU zAQ?ztg6da@8U>h#q0KmmQ?V45u=WwO+Y1Y8$e@%Su|*|VonK-uc;qcHHx*lH2`NTj`DVdXXs*+EJ$VUeECAXvfQ|q_5;eFny!0i_x%Tx0=tu-)=ozhZhwu>A0%F0OH!}$r4Uk4RG)JN~qu^eHr4?8} zl2|sBz(UAY0X1QPk{gmG_Ta`FTmUj~mj_Pad8jE|6O@rqbfd~c^B1JRNz2SBNi71m z{-{*kD8hWCmzkHGQ<{=m4C)=AIsvJKQc!?70cVjzTnPbfhrmpOWU*RnE-qXXB+2=C zB}Mr;IjKeZ$;Cx!&Kar6*|4b+(6k9`RwOUATme2y0_qHd=2DztI#8xfGK>8aOG`3B zi!wEeQVUB{i%Vds0}|S>p#Z2PsOJIh(P?NZ)YK>_DS;df8PNr+M1-JHa!zJyUP*jr zimj3+sC5eI{vjzSN`>@h;!7$EQbCGpY9Re!BsJ+piFqaX6cnYVWEQ0+m&BJAW#TZS zI5{7u`NbuPB_O+zq8Az~B}JvF5YK^%J$Q+jmY7ov76*w!11|{bh9IbiG+;hM4N8z* zrJ$++CJhQq=lm4-d$MU(A0rSB6@LP z0i=op>Kr>;1!Dtn_W>$kqhJEzqd7!PO+f=y2q~UWBD-XzI&WNt4{f6AZG$GY^uVpcxD`$$;||Xz~M+H9;{9Q4Nhp zNQwbPTq-z8pr;nFVx++rkZ+Vg{duq!C8#OjW&~ISYzWK=pp*rk5P+w7SjP%2i-591 zGN>#9d&sc_mJfWO0|<~b3oBoAKocn7VGNi>VEZ+|(=pH-g;E@;sX-=sGK<0HV+0sN z9$b{+&W)JyWPqH*A%TfI$RU9T(E(ALUzC}inU|OYb{Cr8r2fgBk^(@dr|E z&&@2(1y3_4rIwVZrsgR?bD~0GUJBeHs1_GNRsn!h56CH?`no8yEU_e2A+fkJFIfSR z8-h|xi^1)CeSHN`5P+*#D}^9Ph6aTsSOVe=SjGX#L&|i}h@-xOrja70o0&>y!Fbj>*S$YhFa_q$kI^zQBA~l{r`pobA9YNG6AvLwptoYgJHyXoDp`G!KB= zdGM5~04v5|VS(-hX!e1YO{kR@R1nl81t%j|0OsX8=jUf}Q2AVp2Fl>(Zp;6YG}#VWKg z!{2IyT7=|6@?$(NwVdSW&Py#vb1%_x49d8W)B?2?G~x?&0=66#4NE4VoUH`W10Gic zm;6Pb(lLclsjs7unU|6YnvBRxS4dPS$OlbDWG3b)!1JXNJZ=;ez*Ph|gyFdqC3hp| zXN8p1lGNmq)D(y-K^l+>@YEuW;*@Mqdj(u-gBXxf8RAg|1@MqQY&lIr0;FjG3L!it zm;$VL1BV5AV+Lk2sHy<1eo@f2RZxO^(+XZsf=gRO6$smk$`zagAT=-%7J;f|18iPP&{0sSCTxISR(@ul2B_VtSqlwih*v>j4O!2G zFddT9i&L`o(m=^3FTGeVxhOTUBvk{H$3e+ZL7^nGBq!BMK?&50RwygY$pa@Kh+Il) zadJ^+0chsSN+BUQ*k89OH7BtoH3bpe#qe|kO1iKxvEt%VsfLzMp#1EcT9T2UqM=!< zfFc}Plmim80*iv;xHbWldLfoWwId4@Y)3Xrl0(lD>(B69E` zz}wjsoCH9F2bsAb6BVjqZIa-E)MSNPg|wplTm_}%#LSd@EAYZhCCKVaxL%ZD1W2wa zNi8mcXBk+GKq{tOa9}9df?8L|frH31P!*uGqU7!xq6E{gpa6c)UY=yLz1~iKYS%Zahg$=}5P^@MarKWhNR)YHf(TK4TP@0CNA8?l#BmnAG z#wTYa=71*RQZYs1AwdOelY%mVBC-{Fsb#4}l^UQyEbwR>$}+HwMDXYqa;KHJ@C7wl zL7q?m1wL|KfVSPq2=3CN97JG)^93Y1Kte6E*uNk(&(lT0RsqEapoMHo;7+`frajUa zM1DbPUS^6CcwnluCM4X|fclh)m9U0GszM@2S8{${T4s7_5qRcL53|^{0u>zym%z$eD+ML6 zGr$E+Y7u(Ti@Q((#WW-`z$wJmRzayCCowaR69gqSB?zt3jO@v+$qApc}*HFnBso;6rqSQiAO$#np^@>Xpi%N>aGfOfw zlt2T@#Y&(_OehnSS3!c%W+b}hq2OXVL8ZDFY;>)azCO4`12Wwszqmw0v(^eO5RhL4 z54I$)VRi32?1YvlaZI!)&0{&Q=Nu3fc;#MLE!tn6PdaSPDr& z=tnpu6mAmoDiufw6oXnqwhExx6j0@tT3ixbkeaN4O|yamNHJ)QqEmiKC8)g&3LG#S zu^t^%Lctc=!)C=xQ?X5pL!%Db9o9gutRanV)QLCnDi5U5O;B4B<{pR{ptb;XWdKrR z8XATm z4y0%S^Wlz!*%y*i46_Wx#54w+a$z>*gHkcv3{Xc8G+uy6OV9)XA6WpULr@zmwYUVd zR5dR}17t7U08mYU)c`$M>km=wL;95|`MHUid7vy`keUoiOpx3FX&`}O4CE$o%iR`| z_R>>Jz&?Q62{ET2u_Ob@6i5)FngSm3HbPPa4nSDD7iL!`XuTbNKY*O+nS!nnR3?H9 zPt8lg2tT;@L0XaL!a%ly!W5JfVeS5eAlE1EuvLN@sYOMINI_0SVB0kkz{Vk54<7$eNK4GjNlig& zZ-CMmbU8W5KzMS2Bo<_2@%2g3g9YO)c_qbq z`FWmsC84UZLqh~ffpuM;-f0?89_x9Wj|8#1(pq6bzc zLDXY$x*lwJ0iq3>dqL5mY0Xv3m0AHxFW@N=kUv0UApzd(9CEqYuQRO}7(f{JHdS5* z28P_kyv(%J;u5{A;`}_2>yDdG66ZI>6v*7pvC}_R?w_Xevy(D*!>C$a67_1f)#=j(^3^e zixomr6LUeGk6KU;R?5lD%Pt0KfN%@I#)1SuL#_%?a}*Syo`CMN1-l4Twkl<3=7D{O zAp!Fph6HH;Uu8jlW?l)%8&GL|NQ%rVMwnbwnpcvUn+j5tl~|St8BGJZ8HNE)-y0Lq}qUZ0K-0?rvLx| diff --git a/playground/pkce/.gitignore b/playground/pkce/.gitignore deleted file mode 100644 index a14702c..0000000 --- a/playground/pkce/.gitignore +++ /dev/null @@ -1,34 +0,0 @@ -# dependencies (bun install) -node_modules - -# output -out -dist -*.tgz - -# code coverage -coverage -*.lcov - -# logs -logs -_.log -report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json - -# dotenv environment variable files -.env -.env.development.local -.env.test.local -.env.production.local -.env.local - -# caches -.eslintcache -.cache -*.tsbuildinfo - -# IntelliJ based IDEs -.idea - -# Finder (MacOS) folder config -.DS_Store diff --git a/playground/pkce/README.md b/playground/pkce/README.md deleted file mode 100644 index 4a3109f..0000000 --- a/playground/pkce/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# playground - -To install dependencies: - -```bash -bun install -``` - -To run: - -```bash -bun run -``` - -This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime. diff --git a/playground/pkce/bun.lock b/playground/pkce/bun.lock deleted file mode 100644 index 0a70737..0000000 --- a/playground/pkce/bun.lock +++ /dev/null @@ -1,25 +0,0 @@ -{ - "lockfileVersion": 1, - "workspaces": { - "": { - "name": "playground", - "devDependencies": { - "@types/bun": "latest", - }, - "peerDependencies": { - "typescript": "^5", - }, - }, - }, - "packages": { - "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="], - - "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="], - - "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="], - - "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="], - - "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], - } -} diff --git a/playground/pkce/package.json b/playground/pkce/package.json deleted file mode 100644 index 0bbbfb8..0000000 --- a/playground/pkce/package.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "name": "playground", - "private": true, - "devDependencies": { - "@types/bun": "latest" - }, - "peerDependencies": { - "typescript": "^5" - } -} diff --git a/playground/pkce/src/PKCEDowngradeExpress.js b/playground/pkce/src/PKCEDowngradeExpress.js deleted file mode 100644 index 61cf737..0000000 --- a/playground/pkce/src/PKCEDowngradeExpress.js +++ /dev/null @@ -1,31 +0,0 @@ -const express = require("express"); -const app = express(); - -app.get("/auth", (req, res) => { - const { - client_id, - response_type, - code_challenge, - code_challenge_method, - scope - } = req.query; - - console.log("Incoming request:", req.query); - - if (!client_id || response_type !== "code") { - return res.status(400).send("Missing required parameters"); - } - - // Simulate issuing an authorization code - const code = "dummy-auth-code"; - - // Simulate PKCE check (normally you'd validate here) - // We deliberately allow the downgrade here to simulate the vulnerability - const responseBody = `Authorization successful. code=${code}`; - return res.status(200).send(responseBody); -}); - -const PORT = 5050; -app.listen(PORT, () => { - console.log(`Test PKCE server running on http://localhost:${PORT}`); -}); diff --git a/playground/pkce/tsconfig.json b/playground/pkce/tsconfig.json deleted file mode 100644 index bfa0fea..0000000 --- a/playground/pkce/tsconfig.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "compilerOptions": { - // Environment setup & latest features - "lib": ["ESNext"], - "target": "ESNext", - "module": "Preserve", - "moduleDetection": "force", - "jsx": "react-jsx", - "allowJs": true, - - // Bundler mode - "moduleResolution": "bundler", - "allowImportingTsExtensions": true, - "verbatimModuleSyntax": true, - "noEmit": true, - - // Best practices - "strict": true, - "skipLibCheck": true, - "noFallthroughCasesInSwitch": true, - "noUncheckedIndexedAccess": true, - "noImplicitOverride": true, - - // Some stricter flags (disabled by default) - "noUnusedLocals": false, - "noUnusedParameters": false, - "noPropertyAccessFromIndexSignature": false - } -}