클라이언트가 Decryption Oracle로 사용될 수 있는 취약점 수정

2026-02-04 16:16:55 +00:00 · 2025-07-04 23:26:58 +09:00
parent 13bac59824
commit c9331ae5b7
12 changed files with 58 additions and 38 deletions
--- a/src/lib/server/db/session.ts
+++ b/src/lib/server/db/session.ts
@@ -94,7 +94,7 @@ export const registerSessionUpgradeChallenge = async (
  expiresAt: Date,
 ) => {
  try {
-    await db
+    const { id } = await db
      .insertInto("session_upgrade_challenge")
      .values({
        session_id: sessionId,
@@ -103,7 +103,9 @@ export const registerSessionUpgradeChallenge = async (
        allowed_ip: allowedIp,
        expires_at: expiresAt,
      })
-      .execute();
+      .returning("id")
+      .executeTakeFirstOrThrow();
+    return { id };
  } catch (e) {
    if (e instanceof pg.DatabaseError && e.code === "23505") {
      throw new IntegrityError("Challenge already registered");
@@ -113,19 +115,19 @@ export const registerSessionUpgradeChallenge = async (
 };

 export const consumeSessionUpgradeChallenge = async (
+  challengeId: number,
  sessionId: string,
-  answer: string,
  ip: string,
 ) => {
  const challenge = await db
    .deleteFrom("session_upgrade_challenge")
+    .where("id", "=", challengeId)
    .where("session_id", "=", sessionId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredSessionUpgradeChallenges = async () => {