클라이언트가 Decryption Oracle로 사용될 수 있는 취약점 수정

2025-12-16 23:18:48 +00:00 · 2025-07-04 23:26:58 +09:00
parent 13bac59824
commit c9331ae5b7
12 changed files with 58 additions and 38 deletions
--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -178,7 +178,7 @@ export const registerUserClientChallenge = async (
  allowedIp: string,
  expiresAt: Date,
 ) => {
-  await db
+  const { id } = await db
    .insertInto("user_client_challenge")
    .values({
      user_id: userId,
@@ -187,19 +187,25 @@ export const registerUserClientChallenge = async (
      allowed_ip: allowedIp,
      expires_at: expiresAt,
    })
-    .execute();
+    .returning("id")
+    .executeTakeFirstOrThrow();
+  return { id };
 };

-export const consumeUserClientChallenge = async (userId: number, answer: string, ip: string) => {
+export const consumeUserClientChallenge = async (
+  challengeId: number,
+  userId: number,
+  ip: string,
+) => {
  const challenge = await db
    .deleteFrom("user_client_challenge")
+    .where("id", "=", challengeId)
    .where("user_id", "=", userId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredUserClientChallenges = async () => {
--- a/src/lib/server/db/session.ts
+++ b/src/lib/server/db/session.ts
@@ -94,7 +94,7 @@ export const registerSessionUpgradeChallenge = async (
  expiresAt: Date,
 ) => {
  try {
-    await db
+    const { id } = await db
      .insertInto("session_upgrade_challenge")
      .values({
        session_id: sessionId,
@@ -103,7 +103,9 @@ export const registerSessionUpgradeChallenge = async (
        allowed_ip: allowedIp,
        expires_at: expiresAt,
      })
-      .execute();
+      .returning("id")
+      .executeTakeFirstOrThrow();
+    return { id };
  } catch (e) {
    if (e instanceof pg.DatabaseError && e.code === "23505") {
      throw new IntegrityError("Challenge already registered");
@@ -113,19 +115,19 @@ export const registerSessionUpgradeChallenge = async (
 };

 export const consumeSessionUpgradeChallenge = async (
+  challengeId: number,
  sessionId: string,
-  answer: string,
  ip: string,
 ) => {
  const challenge = await db
    .deleteFrom("session_upgrade_challenge")
+    .where("id", "=", challengeId)
    .where("session_id", "=", sessionId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredSessionUpgradeChallenges = async () => {