Merge pull request #14 from whs-authz-authn-project/feature/csrf

수진, 민곤 확인 완료

packages/backend/src/controller/csrfCheck.ts

@@ -7,13 +7,13 @@ const httpUtils = new HttpUtils();
 export class CsrfCheck {
   private isTargetUri(uri: string): boolean {
     if (
-      uri.includes("client_id=") &&
+      httpUtils.getQueryParamFromURI(uri, "client_id") !== null &&
-      (uri.includes("response_type=") ||
+      (httpUtils.getQueryParamFromURI(uri, "response_type") !== null ||
-        uri.includes("grant_type=") ||
+        httpUtils.getQueryParamFromURI(uri, "grant_type") !== null ||
-        uri.includes("redirect_uri=") ||
+        httpUtils.getQueryParamFromURI(uri, "redirect_uri") !== null ||
-        uri.includes("scope=") ||
+        httpUtils.getQueryParamFromURI(uri, "scope") !== null ||
-        uri.includes("state=") ||
+        httpUtils.getQueryParamFromURI(uri, "state") !== null ||
-        uri.includes("nonce="))
+        httpUtils.getQueryParamFromURI(uri, "nonce") !== null)
     ) {
       return true;
     }
@@ -151,15 +151,25 @@ export class CsrfCheck {
     let result = ``;
 
     // 쿼리에 state 파라미터가 없으면 CSRF 위험
-    if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
+    try {
-      result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
+      if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
+        result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
+      }
+    } catch (error) {
+      sdk.console.error(`Error checking state in query: ${error}`);
     }
 
     // location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험
-    const stateAtResponseLocationHeaderCheck =
+    try {
-      this.checkStateAtResponseLocationHeader(request, response);
+      const stateAtResponseLocationHeaderCheck =
-    if (stateAtResponseLocationHeaderCheck !== 0) {
+        this.checkStateAtResponseLocationHeader(request, response);
-      result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
+      if (stateAtResponseLocationHeaderCheck !== 0) {
+        result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
+      }
+    } catch (error) {
+      sdk.console.error(
+        `Error checking state in response location header: ${error}`
+      );
     }
 
     // // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
@@ -168,13 +178,19 @@ export class CsrfCheck {
     //   result += `, ${reusedStateCheck.join(", ")}`;
     // }
 
-    if (result) {
+    result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas
-      await sdk.findings.create({
+    try {
-        title: "csrf vuln",
+      if (result) {
-        description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
+        await sdk.findings.create({
-        request,
+          title: "csrf vuln",
-        reporter: "csrf reporter",
+          description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
-      });
+          request,
+          reporter: "csrf reporter",
+        });
+        sdk.console.log("qq");
+      }
+    } catch (error) {
+      sdk.console.error(`Error creating finding: ${error}`);
     }
   }
 }

packages/backend/src/index.ts

@@ -6,17 +6,15 @@ import { CsrfCheck } from "./controller/csrfCheck";
 import { PKCECheck } from "./controller/PKCECheck";
 import { AccessTokenLeakController } from "./controller/accessTokenDetector";
 import { ScopeDetection } from "./controller/scopeDetection";
-import { NonceCheckController } from "./controller/nonceCheck";
+// import { NonceCheckController } from "./controller/nonceCheck";
 
 export type API = DefineAPI<{}>;
 
 const csrfCheck = new CsrfCheck();
-// const implicitGrantController = new ImplicitGrantController();
-// const authZCodeGrantController = new AuthZCodeGrantController();
 const pkceCheckController = new PKCECheck();
 const tokenCheck = new AccessTokenLeakController();
 const ScopeDetectionController = new ScopeDetection();
-const nonceCheckController = new NonceCheckController();
+// const nonceCheckController = new NonceCheckController();
 
 export function init(sdk: SDK<API>) {
   sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
@@ -26,14 +24,14 @@ export function init(sdk: SDK<API>) {
     await tokenCheck.testResp(sdk, res, req);
     await ScopeDetectionController.scan(sdk, req.getUrl());
 
-    if (NonceCheckController.isOidcFlow(req, res)) {
+    // if (NonceCheckController.isOidcFlow(req, res)) {
-      await sdk.findings.create({
+    //   await sdk.findings.create({
-        title: "OIDC Flow Detected",
+    //     title: "OIDC Flow Detected",
-        description: "The request appears to be part of an OIDC flow.",
+    //     description: "The request appears to be part of an OIDC flow.",
-        request: req,
+    //     request: req,
-        reporter: "",
+    //     reporter: "",
-      });
+    //   });
-    }
+    // }
   });
 
   /*

packages/backend/src/utils/http.ts

@@ -48,8 +48,8 @@ export class HttpUtils {
   }
 
   getQueryParamFromURI(uri: string, key: string): string | null {
-    uri = uri.toLowerCase();
+    uri = this.decodeAndLower(uri);
-    key = key.toLowerCase();
+    key = this.decodeAndLower(key);
     try {
       const urlObj = new URL(uri);
       return urlObj.searchParams.get(key);
@@ -66,8 +66,8 @@ export class HttpUtils {
    * @returns      - 해당 파라미터 값, 없으면 null
    */
   getQueryParam(query: string, key: string): string | null {
-    query = query.toLowerCase();
+    query = this.decodeAndLower(query);
-    key = key.toLowerCase();
+    key = this.decodeAndLower(key);
 
     const params = new URLSearchParams(query);
     return params.get(key);
@@ -82,9 +82,9 @@ export class HttpUtils {
    * @returns      - "a=1&b=2&c=3..." 형태의 새로운 쿼리 문자열
    */
   setQueryParam(query: string, key: string, value: string): string {
-    query = query.toLowerCase();
+    query = this.decodeAndLower(query);
-    key = key.toLowerCase();
+    key = this.decodeAndLower(key);
-    value = value.toLowerCase();
+    value = this.decodeAndLower(value);
 
     const params = new URLSearchParams(query);
     params.set(key, value);
@@ -99,8 +99,8 @@ export class HttpUtils {
    * @returns      - 삭제된 상태의 새로운 쿼리 문자열
    */
   removeQueryParam(query: string, key: string): string {
-    query = query.toLowerCase();
+    query = this.decodeAndLower(query);
-    key = key.toLowerCase();
+    key = this.decodeAndLower(key);
 
     const params = new URLSearchParams(query);
     params.delete(key);

pnpm-lock.yaml

@@ -7,10 +7,17 @@ settings:
 importers:
 
   .:
+    dependencies:
+      '@types/jsonwebtoken':
+        specifier: ^9.0.9
+        version: 9.0.9
+      jsonwebtoken:
+        specifier: ^9.0.2
+        version: 9.0.2
     devDependencies:
       '@caido-community/dev':
         specifier: ^0.1.3
-        version: 0.1.5(postcss@8.5.3)(typescript@5.5.4)
+        version: 0.1.5(@types/node@22.15.29)(postcss@8.5.3)(typescript@5.5.4)
       '@caido/sdk-backend':
         specifier: ^0.48.1
         version: 0.48.1
@@ -328,6 +335,15 @@ packages:
   '@types/estree@1.0.7':
     resolution: {integrity: sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ==}
 
+  '@types/jsonwebtoken@9.0.9':
+    resolution: {integrity: sha512-uoe+GxEuHbvy12OUQct2X9JenKM3qAscquYymuQN4fMWG9DBQtykrQEFcAbVACF7qaLw9BePSodUL0kquqBJpQ==}
+
+  '@types/ms@2.1.0':
+    resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
+
+  '@types/node@22.15.29':
+    resolution: {integrity: sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ==}
+
   accepts@2.0.0:
     resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==}
     engines: {node: '>= 0.6'}
@@ -364,6 +380,9 @@ packages:
   brace-expansion@2.0.1:
     resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
 
+  buffer-equal-constant-time@1.0.1:
+    resolution: {integrity: sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==}
+
   bundle-require@5.1.0:
     resolution: {integrity: sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
@@ -465,6 +484,9 @@ packages:
   eastasianwidth@0.2.0:
     resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
 
+  ecdsa-sig-formatter@1.0.11:
+    resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==}
+
   ee-first@1.1.1:
     resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==}
 
@@ -622,9 +644,19 @@ packages:
   json-schema-traverse@1.0.0:
     resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==}
 
+  jsonwebtoken@9.0.2:
+    resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==}
+    engines: {node: '>=12', npm: '>=6'}
+
   jszip@3.10.1:
     resolution: {integrity: sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==}
 
+  jwa@1.4.2:
+    resolution: {integrity: sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==}
+
+  jws@3.2.2:
+    resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==}
+
   lie@3.3.0:
     resolution: {integrity: sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==}
 
@@ -639,6 +671,27 @@ packages:
     resolution: {integrity: sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
+  lodash.includes@4.3.0:
+    resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==}
+
+  lodash.isboolean@3.0.3:
+    resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==}
+
+  lodash.isinteger@4.0.4:
+    resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==}
+
+  lodash.isnumber@3.0.3:
+    resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==}
+
+  lodash.isplainobject@4.0.6:
+    resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==}
+
+  lodash.isstring@4.0.1:
+    resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==}
+
+  lodash.once@4.1.1:
+    resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==}
+
   lodash.sortby@4.7.0:
     resolution: {integrity: sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA==}
 
@@ -837,6 +890,11 @@ packages:
   safer-buffer@2.1.2:
     resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==}
 
+  semver@7.7.2:
+    resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==}
+    engines: {node: '>=10'}
+    hasBin: true
+
   send@1.2.0:
     resolution: {integrity: sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==}
     engines: {node: '>= 18'}
@@ -971,6 +1029,9 @@ packages:
     engines: {node: '>=14.17'}
     hasBin: true
 
+  undici-types@6.21.0:
+    resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
+
   unpipe@1.0.0:
     resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
     engines: {node: '>= 0.8'}
@@ -1065,7 +1126,7 @@ packages:
 
 snapshots:
 
-  '@caido-community/dev@0.1.5(postcss@8.5.3)(typescript@5.5.4)':
+  '@caido-community/dev@0.1.5(@types/node@22.15.29)(postcss@8.5.3)(typescript@5.5.4)':
     dependencies:
       '@caido/plugin-manifest': 0.3.0
       chalk: 5.4.1
@@ -1076,7 +1137,7 @@ snapshots:
       jiti: 2.4.2
       jszip: 3.10.1
       tsup: 8.3.5(jiti@2.4.2)(postcss@8.5.3)(typescript@5.5.4)
-      vite: 6.0.7(jiti@2.4.2)
+      vite: 6.0.7(@types/node@22.15.29)(jiti@2.4.2)
       ws: 8.18.0
       zod: 3.24.1
     transitivePeerDependencies:
@@ -1284,6 +1345,17 @@ snapshots:
 
   '@types/estree@1.0.7': {}
 
+  '@types/jsonwebtoken@9.0.9':
+    dependencies:
+      '@types/ms': 2.1.0
+      '@types/node': 22.15.29
+
+  '@types/ms@2.1.0': {}
+
+  '@types/node@22.15.29':
+    dependencies:
+      undici-types: 6.21.0
+
   accepts@2.0.0:
     dependencies:
       mime-types: 3.0.1
@@ -1328,6 +1400,8 @@ snapshots:
     dependencies:
       balanced-match: 1.0.2
 
+  buffer-equal-constant-time@1.0.1: {}
+
   bundle-require@5.1.0(esbuild@0.24.2):
     dependencies:
       esbuild: 0.24.2
@@ -1401,6 +1475,10 @@ snapshots:
 
   eastasianwidth@0.2.0: {}
 
+  ecdsa-sig-formatter@1.0.11:
+    dependencies:
+      safe-buffer: 5.2.1
+
   ee-first@1.1.1: {}
 
   emoji-regex@8.0.0: {}
@@ -1605,6 +1683,19 @@ snapshots:
 
   json-schema-traverse@1.0.0: {}
 
+  jsonwebtoken@9.0.2:
+    dependencies:
+      jws: 3.2.2
+      lodash.includes: 4.3.0
+      lodash.isboolean: 3.0.3
+      lodash.isinteger: 4.0.4
+      lodash.isnumber: 3.0.3
+      lodash.isplainobject: 4.0.6
+      lodash.isstring: 4.0.1
+      lodash.once: 4.1.1
+      ms: 2.1.3
+      semver: 7.7.2
+
   jszip@3.10.1:
     dependencies:
       lie: 3.3.0
@@ -1612,6 +1703,17 @@ snapshots:
       readable-stream: 2.3.8
       setimmediate: 1.0.5
 
+  jwa@1.4.2:
+    dependencies:
+      buffer-equal-constant-time: 1.0.1
+      ecdsa-sig-formatter: 1.0.11
+      safe-buffer: 5.2.1
+
+  jws@3.2.2:
+    dependencies:
+      jwa: 1.4.2
+      safe-buffer: 5.2.1
+
   lie@3.3.0:
     dependencies:
       immediate: 3.0.6
@@ -1622,6 +1724,20 @@ snapshots:
 
   load-tsconfig@0.2.5: {}
 
+  lodash.includes@4.3.0: {}
+
+  lodash.isboolean@3.0.3: {}
+
+  lodash.isinteger@4.0.4: {}
+
+  lodash.isnumber@3.0.3: {}
+
+  lodash.isplainobject@4.0.6: {}
+
+  lodash.isstring@4.0.1: {}
+
+  lodash.once@4.1.1: {}
+
   lodash.sortby@4.7.0: {}
 
   lru-cache@10.4.3: {}
@@ -1801,6 +1917,8 @@ snapshots:
 
   safer-buffer@2.1.2: {}
 
+  semver@7.7.2: {}
+
   send@1.2.0:
     dependencies:
       debug: 4.3.6
@@ -1968,6 +2086,8 @@ snapshots:
 
   typescript@5.5.4: {}
 
+  undici-types@6.21.0: {}
+
   unpipe@1.0.0: {}
 
   util-deprecate@1.0.2: {}
@@ -1976,12 +2096,13 @@ snapshots:
 
   vary@1.1.2: {}
 
-  vite@6.0.7(jiti@2.4.2):
+  vite@6.0.7(@types/node@22.15.29)(jiti@2.4.2):
     dependencies:
       esbuild: 0.24.2
       postcss: 8.5.3
       rollup: 4.41.0
     optionalDependencies:
+      '@types/node': 22.15.29
       fsevents: 2.3.3
       jiti: 2.4.2