REFACTOR : findings를index가 아닌 모듈애서 만들도록 수정

2025-05-31 12:37:54 +09:00 · 2025-05-31 12:37:54 +09:00 · f1b5ef5f9b
commit f1b5ef5f9b
parent 7b704cacf4
2 changed files with 40 additions and 12 deletions
--- a/packages/backend/src/controller/accessTokenDetector.ts
+++ b/packages/backend/src/controller/accessTokenDetector.ts
@ -1,4 +1,5 @@
 import type { Request, Response } from "caido:utils";
+import type { SDK, DefineAPI } from "caido:plugin";

 // 토큰 누출 검사 결과를 담는 구조
 export interface TokenLeakResult {
@ -11,12 +12,35 @@ export interface TokenLeakResult {

 // 액세스 토큰 누출 검사 클래스
 export class AccessTokenLeakController {
+  async testReq(sdk: SDK<DefineAPI<{}>>, request: Request): Promise<void> {
+    const result = await this._scanRequest(request);
+    if (result) {
+      await sdk.findings.create({
+        title: result.title,
+        description: result.description,
+        request,
+        reporter: "",
+      });
+    }
+  }
+
+  async testResp(sdk: SDK<DefineAPI<{}>>, response: Response, request: Request): Promise<void> {
+    const result = await this._scanResponse(response);
+    if (result) {
+      await sdk.findings.create({
+        title: result.title,
+        description: result.description,
+        request,
+        reporter: "",
+      });
+    }
+  }

  /**
   * @param request - 검사할 HTTP 요청 객체
   * @returns 토큰이 발견되면 결과 객체, 없으면 null
   */
-    async testReq(request: Request): Promise<TokenLeakResult | null> {
+  async _scanRequest(request: Request): Promise<TokenLeakResult | null> {
    
    // === 1. URL에서 토큰 검사 ===
    const url = request.getUrl();
@ -60,7 +84,7 @@ export class AccessTokenLeakController {
   * @param response - 검사할 HTTP 응답 객체
   * @returns 토큰이 발견되면 결과 객체, 없으면 null
   */
-  async testResp(response: Response): Promise<TokenLeakResult | null> {
+  async _scanResponse(response: Response): Promise<TokenLeakResult | null> {
    
    // === 1. Location 헤더에서 토큰 검사 ===
    const locationHeader = response.getHeader("Location");
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@ -4,6 +4,7 @@ import type { Request, Response } from "caido:utils";
 // import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
 import { CsrfCheck } from "./controller/csrfCheck";
 import { PKCECheck } from "./controller/PKCECheck";
+import { AccessTokenLeakController } from "./controller/accessTokenDetector";

 export type API = DefineAPI<{}>;

@ -11,6 +12,7 @@ const csrfCheck = new CsrfCheck();
 // const implicitGrantController = new ImplicitGrantController();
 // const authZCodeGrantController = new AuthZCodeGrantController();
 const pkceCheckController = new PKCECheck();
+const tokenCheck = new AccessTokenLeakController();

 export function init(sdk: SDK<API>) {
  // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
@ -30,6 +32,8 @@ export function init(sdk: SDK<API>) {
    async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
      await csrfCheck.checker(sdk, req, resp);
      await pkceCheckController.test(sdk, req);
+      await tokenCheck.testReq(sdk, req);
+      await tokenCheck.testResp(sdk, resp, req);
      // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
      //   const result =
      //     authZCodeGrantController.testReq(req) ||