NodeGoat icon indicating copy to clipboard operation
NodeGoat copied to clipboard
verified publisher icon OWASP

[Autofic] Security Patch 2025-07-15

Open seoonju opened this issue 7 months ago β€’ 0 comments

πŸ” Security Patch Summary

πŸ—‚οΈ 1. contributions.js

πŸ”Ž SAST Analysis Summary

1-1. [Vulnerability] Code Injection

  • #️⃣ Line: 32
  • πŸ›‘οΈ Severity: ERROR
  • πŸ”– CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • πŸ”— Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
  • πŸ”— Reference: https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback
  • πŸ”— Reference: https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/
  • πŸ”— Reference: https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html
  • ✍️ Message: Found data from an Express or Next web request flowing to eval. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid eval whenever possible.

1-2. [Vulnerability] Code Injection

  • #️⃣ Line: 33
  • πŸ›‘οΈ Severity: ERROR
  • πŸ”– CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • πŸ”— Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
  • πŸ”— Reference: https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback
  • πŸ”— Reference: https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/
  • πŸ”— Reference: https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html
  • ✍️ Message: Found data from an Express or Next web request flowing to eval. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid eval whenever possible.

1-3. [Vulnerability] Code Injection

  • #️⃣ Line: 34
  • πŸ›‘οΈ Severity: ERROR
  • πŸ”– CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • πŸ”— Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
  • πŸ”— Reference: https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback
  • πŸ”— Reference: https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/
  • πŸ”— Reference: https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html
  • ✍️ Message: Found data from an Express or Next web request flowing to eval. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid eval whenever possible.

πŸ€– LLM Analysis Summary

🐞 Vulnerability Description

이 μ½”λ“œμ—μ„œλŠ” eval() ν•¨μˆ˜λ₯Ό μ‚¬μš©ν•˜μ—¬ μ‚¬μš©μžκ°€ μž…λ ₯ν•œ 데이터λ₯Ό ν‰κ°€ν•˜κ³  μžˆμŠ΅λ‹ˆλ‹€. eval() ν•¨μˆ˜λŠ” λ¬Έμžμ—΄μ„ μ½”λ“œλ‘œ μ‹€ν–‰ν•˜κΈ° λ•Œλ¬Έμ—, μ‚¬μš©μžλ‘œλΆ€ν„° μž…λ ₯받은 데이터가 μ•…μ˜μ μΈ μ½”λ“œλ₯Ό 포함할 경우, 이λ₯Ό μ‹€ν–‰ν•˜κ²Œ λ˜μ–΄ λ³΄μ•ˆ 취약점이 λ°œμƒν•  수 μžˆμŠ΅λ‹ˆλ‹€.

⚠️ Potential Risks

μ‚¬μš©μžκ°€ μ•…μ˜μ μΈ μ½”λ“œλ₯Ό μž…λ ₯ν•˜μ—¬ μ„œλ²„μ—μ„œ μž„μ˜μ˜ JavaScript μ½”λ“œλ₯Ό μ‹€ν–‰ν•  수 μžˆμŠ΅λ‹ˆλ‹€. μ΄λŠ” μ‹œμŠ€ν…œ λͺ…λ Ήμ–΄ μ‹€ν–‰, 데이터 유좜, μ„œλΉ„μŠ€ κ±°λΆ€ 곡격 λ“±μ˜ μ‹¬κ°ν•œ λ³΄μ•ˆ 문제λ₯Ό μ•ΌκΈ°ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

πŸ›  Recommended Fix

eval() ν•¨μˆ˜λ₯Ό μ‚¬μš©ν•˜μ§€ μ•Šκ³ , μž…λ ₯값을 μ•ˆμ „ν•˜κ²Œ μ²˜λ¦¬ν•  수 μžˆλŠ” λ°©λ²•μœΌλ‘œ λŒ€μ²΄ν•΄μ•Ό ν•©λ‹ˆλ‹€. 이 경우, parseInt() ν•¨μˆ˜λ₯Ό μ‚¬μš©ν•˜μ—¬ λ¬Έμžμ—΄μ„ μ •μˆ˜λ‘œ λ³€ν™˜ν•¨μœΌλ‘œμ¨ λ³΄μ•ˆ 취약점을 ν•΄κ²°ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

πŸ“Ž References

parseInt() ν•¨μˆ˜λŠ” λ¬Έμžμ—΄μ„ μ •μˆ˜λ‘œ λ³€ν™˜ν•˜λ©°, λ³€ν™˜ν•  수 μ—†λŠ” 경우 NaN을 λ°˜ν™˜ν•©λ‹ˆλ‹€. 이λ₯Ό 톡해 μž…λ ₯값이 μˆ«μžμΈμ§€ 검증할 수 μžˆμŠ΅λ‹ˆλ‹€. parseInt()의 두 번째 인자둜 μ§„μˆ˜λ₯Ό λͺ…μ‹œν•˜μ§€ μ•ŠμœΌλ©΄ 기본적으둜 10μ§„μˆ˜λ‘œ ν•΄μ„ν•©λ‹ˆλ‹€. ν•„μš”μ— 따라 λͺ…μ‹œμ μœΌλ‘œ 10을 μ „λ‹¬ν•˜μ—¬ μ˜λ„λ₯Ό λͺ…ν™•νžˆ ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

πŸ—‚οΈ 2. index.js

πŸ”Ž SAST Analysis Summary

2-1. [Vulnerability] Open Redirect

  • #️⃣ Line: 72
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • πŸ”— Reference: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
  • ✍️ Message: The application redirects to a URL specified by user-supplied input req that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.

πŸ€– LLM Analysis Summary

🐞 Vulnerability Description

Open Redirect 취약점은 μ‚¬μš©μžκ°€ μ œκ³΅ν•œ μž…λ ₯을 톡해 μ• ν”Œλ¦¬μΌ€μ΄μ…˜μ΄ μ‹ λ’°ν•  수 μ—†λŠ” URL둜 λ¦¬λ””λ ‰μ…˜λ  수 μžˆλŠ” λ¬Έμ œμž…λ‹ˆλ‹€. 이둜 인해 μ‚¬μš©μžκ°€ μ•…μ„± μ‚¬μ΄νŠΈλ‘œ μœ λ„λ  수 μžˆμŠ΅λ‹ˆλ‹€.

⚠️ Potential Risks

κ³΅κ²©μžκ°€ μ‚¬μš©μžλ₯Ό ν”Όμ‹± μ‚¬μ΄νŠΈλ‘œ μœ λ„ν•˜μ—¬ λ―Όκ°ν•œ 정보λ₯Ό νƒˆμ·¨ν•˜κ±°λ‚˜, μ•…μ„± μ½”λ“œκ°€ ν¬ν•¨λœ μ‚¬μ΄νŠΈλ‘œ λ¦¬λ””λ ‰μ…˜ν•˜μ—¬ μ‚¬μš©μžμ˜ μ‹œμŠ€ν…œμ— ν”Όν•΄λ₯Ό 쀄 수 μžˆμŠ΅λ‹ˆλ‹€.

πŸ›  Recommended Fix

ν—ˆμš©λœ URL λͺ©λ‘(allow-list)을 μ‚¬μš©ν•˜μ—¬ λ¦¬λ””λ ‰μ…˜ν•  URL을 κ²€μ¦ν•˜κ±°λ‚˜, μ‚¬μš©μžμ—κ²Œ μ‹ λ’°ν•  수 μ—†λŠ” μ™ΈλΆ€ μ‚¬μ΄νŠΈλ‘œ λ¦¬λ””λ ‰μ…˜λ¨μ„ κ²½κ³ ν•˜λŠ” λ©”μ‹œμ§€λ₯Ό ν‘œμ‹œν•©λ‹ˆλ‹€.

πŸ“Ž References

ν—ˆμš©λœ URL λͺ©λ‘μ€ μ‹€μ œ 운영 ν™˜κ²½μ— 맞게 μ„€μ •ν•΄μ•Ό ν•˜λ©°, μ™ΈλΆ€ μ‚¬μ΄νŠΈλ‘œμ˜ λ¦¬λ””λ ‰μ…˜μ΄ ν•„μš”ν•œ 경우 μ‚¬μš©μžμ—κ²Œ κ²½κ³  λ©”μ‹œμ§€λ₯Ό ν‘œμ‹œν•˜λŠ” 것도 κ³ λ €ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

πŸ—‚οΈ 3. server.js

πŸ”Ž SAST Analysis Summary

3-1. [Vulnerability] Cryptographic Issues

  • #️⃣ Lines: 78 ~ 102
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-522: Insufficiently Protected Credentials
  • πŸ”— Reference: https://owasp.org/Top10/A04_2021-Insecure_Design
  • ✍️ Message: Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.

3-2. [Vulnerability] Cryptographic Issues

  • #️⃣ Lines: 78 ~ 102
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-522: Insufficiently Protected Credentials
  • πŸ”— Reference: https://owasp.org/Top10/A04_2021-Insecure_Design
  • ✍️ Message: Default session middleware settings: domain not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.

3-3. [Vulnerability] Cryptographic Issues

  • #️⃣ Lines: 78 ~ 102
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-522: Insufficiently Protected Credentials
  • πŸ”— Reference: https://owasp.org/Top10/A04_2021-Insecure_Design
  • ✍️ Message: Default session middleware settings: expires not set. Use it to set expiration date for persistent cookies.

3-4. [Vulnerability] Cryptographic Issues

  • #️⃣ Lines: 78 ~ 102
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-522: Insufficiently Protected Credentials
  • πŸ”— Reference: https://owasp.org/Top10/A04_2021-Insecure_Design
  • ✍️ Message: Default session middleware settings: httpOnly not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.

3-5. [Vulnerability] Cryptographic Issues

  • #️⃣ Lines: 78 ~ 102
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-522: Insufficiently Protected Credentials
  • πŸ”— Reference: https://owasp.org/Top10/A04_2021-Insecure_Design
  • ✍️ Message: Default session middleware settings: path not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.

3-6. [Vulnerability] Cryptographic Issues

  • #️⃣ Lines: 78 ~ 102
  • πŸ›‘οΈ Severity: WARNING
  • πŸ”– CWE-522: Insufficiently Protected Credentials
  • πŸ”— Reference: https://owasp.org/Top10/A04_2021-Insecure_Design
  • ✍️ Message: Default session middleware settings: secure not set. It ensures the browser only sends the cookie over HTTPS.

πŸ€– LLM Analysis Summary

🐞 Vulnerability Description

  • κΈ°λ³Έ μ„Έμ…˜ 미듀웨어 μ„€μ •μ—μ„œ domain, expires, httpOnly, path, secure 속성이 μ„€μ •λ˜μ§€ μ•Šμ•˜μŠ΅λ‹ˆλ‹€. μ΄λŸ¬ν•œ 속성은 μ„Έμ…˜ μΏ ν‚€μ˜ λ³΄μ•ˆμ„ κ°•ν™”ν•˜λŠ” 데 ν•„μˆ˜μ μž…λ‹ˆλ‹€. λ˜ν•œ, κΈ°λ³Έ μ„Έμ…˜ μΏ ν‚€ 이름을 μ‚¬μš©ν•˜λŠ” 것은 κ³΅κ²©μžμ—κ²Œ μ„œλ²„λ₯Ό 식별할 수 μžˆλŠ” 정보λ₯Ό μ œκ³΅ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

⚠️ Potential Risks

  • httpOnlyκ°€ μ„€μ •λ˜μ§€ μ•ŠμœΌλ©΄ ν΄λΌμ΄μ–ΈνŠΈ μΈ‘ JavaScriptμ—μ„œ 쿠킀에 μ ‘κ·Όν•  수 μžˆμ–΄ XSS 곡격에 μ·¨μ•½ν•  수 μžˆμŠ΅λ‹ˆλ‹€.
  • secureκ°€ μ„€μ •λ˜μ§€ μ•ŠμœΌλ©΄ HTTPSλ₯Ό ν†΅ν•΄μ„œλ§Œ μΏ ν‚€κ°€ μ „μ†‘λ˜μ§€ μ•Šμ•„ μ€‘κ°„μž 곡격에 λ…ΈμΆœλ  수 μžˆμŠ΅λ‹ˆλ‹€.
  • expiresκ°€ μ„€μ •λ˜μ§€ μ•ŠμœΌλ©΄ μ„Έμ…˜ μΏ ν‚€κ°€ 영ꡬ적으둜 μœ μ§€λ  수 μžˆμ–΄ λ³΄μ•ˆ μœ„ν—˜μ΄ 증가할 수 μžˆμŠ΅λ‹ˆλ‹€.
  • κΈ°λ³Έ μ„Έμ…˜ μΏ ν‚€ 이름을 μ‚¬μš©ν•˜λ©΄ κ³΅κ²©μžκ°€ μ„œλ²„λ₯Ό μ‹λ³„ν•˜κ³  곡격을 μ‹œλ„ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

πŸ›  Recommended Fix

  • μ„Έμ…˜ μΏ ν‚€ μ„€μ •μ—μ„œ httpOnly, secure, expires, domain, path 속성을 λͺ…μ‹œμ μœΌλ‘œ μ„€μ •ν•©λ‹ˆλ‹€.
  • μ„Έμ…˜ μΏ ν‚€ 이름을 기본값이 μ•„λ‹Œ λ‹€λ₯Έ κ°’μœΌλ‘œ λ³€κ²½ν•©λ‹ˆλ‹€.

πŸ“Ž References

  • domain 속성은 μ‹€μ œ μ‚¬μš© 쀑인 λ„λ©”μΈμœΌλ‘œ λ³€κ²½ν•΄μ•Ό ν•©λ‹ˆλ‹€.
  • secure 속성을 μ‚¬μš©ν•˜λ €λ©΄ HTTPSλ₯Ό 톡해 μ„œλ²„λ₯Ό μ‹€ν–‰ν•΄μ•Ό ν•©λ‹ˆλ‹€.

πŸ’‰ Fix Details

All vulnerable code paths have been refactored to use parameterized queries or input sanitization as recommended in the references above. Please refer to the diff for exact code changes.

seoonju avatar Jul 15 '25 09:07 seoonju