security: 보안 취약점 해결

backend/package.json

@@ -24,9 +24,11 @@
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.13",
     "@types/express": "^4.17.17",
+    "@types/express-session": "^1.17.10",
     "@types/http-errors": "^2.0.1",
     "@types/jest": "^29.5.2",
     "@types/jsonwebtoken": "^9.0.2",
+    "@types/lusca": "^1.7.4",
     "@types/morgan": "^1.9.4",
     "@types/node-schedule": "^2.1.0",
     "@types/passport": "^1.0.12",
@@ -61,13 +63,15 @@
     "dotenv": "^16.0.0",
     "express": "^4.17.2",
     "express-rate-limit": "^6.9.0",
+    "express-session": "^1.17.3",
     "hangul-js": "^0.2.6",
     "http-errors": "^2.0.0",
     "http-status": "^1.5.0",
     "http-terminator": "^3.2.0",
     "jsonwebtoken": "^8.5.1",
     "kysely": "^0.26.1",
     "kysely-paginate": "^0.2.0",
+    "lusca": "^1.7.0",
     "morgan": "^1.10.0",
     "mysql2": "^2.3.3",
     "node-schedule": "^2.1.0",

backend/src/app.ts

@@ -18,12 +18,35 @@
 
 import router from '~/v1/routes';
 import routerV2 from '~/v2/routes';
+import lusca from "lusca";
+import session from 'express-session';
+import * as crypto from "crypto";
 import { morganMiddleware } from './logger';
 
 const app: express.Application = express();
+const secret = crypto.randomBytes(42).toString('hex');
 
+app.use(session({
+  secret,
+  resave: false,
+  saveUninitialized: true,
+}));
 app.use(morganMiddleware);
-app.use(cookieParser());
+app.use(cookieParser(
+  secret,
+));
+app.use(lusca.csrf(
+  {
+    cookie: {
+      name: 'CSRF-TOKEN',
+      options: {
+        httpOnly: true,
+        sameSite: 'strict',
+        secure: true,
+      }
+    },
+  },
+));
 app.use(passport.initialize());
 app.use(express.urlencoded({ extended: true }));
 app.use(express.json());

backend/src/v1/books/books.service.ts

@@ -27,9 +27,23 @@ import { categoryWithBookCount } from '../DTO/common.interface';
 import * as searchKeywordsService from '../search-keywords/searchKeywords.service';
 import BookInfoSearchKeywordRepository from '../search-keywords/booksInfoSearchKeywords.repository';
 
+/**
+ * 유효한 ISBN인지 정규식을 통해 검사한다.
+ * @param isbn 검사할 ISBN
+ * @return 유효한 ISBN이면 true, 아니면 false
+ */
+const isValidISBN = (isbn: string) => {
+  const isbnPattern = /^(?:ISBN(?:-1[03])?:? )?(?=[-0-9 ]{17}$|[-0-9X ]{13}$|[0-9X]{10}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?(?:[0-9]+[- ]?){2}[0-9X]$/;
+  return isbnPattern.test(isbn);
+}
+
 const getInfoInNationalLibrary = async (isbn: string) => {
   let book;
   let searchResult;
+
+  if (!isValidISBN(isbn)) {
+    throw new Error(errorCode.ISBN_SEARCH_FAILED);
+  }
   await axios
     .get(
       `https://www.nl.go.kr/seoji/SearchApi.do?cert_key=${nationalIsbnApiKey}&result_style=json&page_no=1&page_size=10&isbn=${isbn}`,
@@ -62,6 +76,9 @@ const getInfoInNationalLibrary = async (isbn: string) => {
 
 const getAuthorInNaver = async (isbn: string) => {
   let author;
+  if (!isValidISBN(isbn)) {
+    return author;
+  }
   await axios
     .get(
       `

backend/src/v1/routes/auth.routes.ts

@@ -14,6 +14,7 @@ import {
   login,
   logout,
 } from '~/v1/auth/auth.controller';
+import { getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/auth';
 export const router = Router();
@@ -78,6 +79,7 @@ router.get('/oauth', getOAuth);
  */
 router.get(
   '/token',
+  getRateLimiter,
   passport.authenticate('42', {
     session: false,
     failureRedirect: `${oauthUrlOption.clientURL}/login?errorCode=${errorCode.ACCESS_DENIED}`,
@@ -160,7 +162,7 @@ router.get(
  *                  message:
  *                    type: string
  */
-router.get('/me', authValidate(roleSet.all), getMe);
+router.get('/me', getRateLimiter, authValidate(roleSet.all), getMe);
 
 /**
  * @openapi
@@ -326,6 +328,7 @@ router.get('/getIntraAuthentication', getIntraAuthentication);
  */
 router.get(
   '/intraAuthentication',
+  getRateLimiter,
   passport.authenticate('42Auth', {
     session: false,
     failureRedirect: `${oauthUrlOption.clientURL}/mypage?errorCode=${errorCode.ACCESS_DENIED}`,

backend/src/v1/routes/books.routes.ts

@@ -17,6 +17,7 @@ import {
 import authValidate from '~/v1/auth/auth.validate';
 import authValidateDefaultNullUser from '~/v1/auth/auth.validateDefaultNullUser';
 import { roleSet } from '~/v1/auth/auth.type';
+import { cudRateLimiter, getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/books';
 export const router = Router();
@@ -714,7 +715,7 @@ router
    *                    type: json
    *                    example : { errorCode: 311 }
    */
-  .post('/create', authValidate(roleSet.librarian), createBook);
+  .post('/create', cudRateLimiter, authValidate(roleSet.librarian), createBook);
 
 router
   /**
@@ -795,7 +796,7 @@ router
    *                  type: json
    *                  example: { errorCode : 310 }
    */
-  .get('/create', authValidate(roleSet.librarian), createBookInfo);
+  .get('/create', getRateLimiter, authValidate(roleSet.librarian), createBookInfo);
 
 router
   /**
@@ -917,7 +918,7 @@ router
    *                   description: 좋아요할 bookInfo의 id
    *                example : { userId: 123, bookInfoId: 456 }
    */
-  .post('/info/:bookInfoId/like', authValidate(roleSet.service), createLike);
+  .post('/info/:bookInfoId/like', cudRateLimiter, authValidate(roleSet.service), createLike);
 
 router
   /**
@@ -958,7 +959,7 @@ router
    *                type: json
    *                example : { errorCode: 603}
    */
-  .delete('/info/:bookInfoId/like', authValidate(roleSet.service), deleteLike);
+  .delete('/info/:bookInfoId/like', cudRateLimiter, authValidate(roleSet.service), deleteLike);
 
 router
   /**
@@ -1100,5 +1101,5 @@ router
    *                    type: json
    *                    example : { errorCode: 311 }
    */
-  .patch('/update', authValidate(roleSet.librarian), updateBookInfo)
-  .patch('/donator', authValidate(roleSet.librarian), updateBookDonator);
+  .patch('/update', cudRateLimiter, authValidate(roleSet.librarian), updateBookInfo)
+  .patch('/donator', cudRateLimiter, authValidate(roleSet.librarian), updateBookDonator);

backend/src/v1/routes/cursus.routes.ts

@@ -1,18 +1,12 @@
 import { Router } from 'express';
-import rateLimit from 'express-rate-limit';
 import { recommendBook, getProjects } from '~/v1/cursus/cursus.controller';
 import { roleSet } from '~/v1/auth/auth.type';
 import authValidate from '~/v1/auth/auth.validate';
+import { getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/cursus';
 export const router = Router();
 
-const limiter = rateLimit({
-  windowMs: 60 * 1000, // 1분
-  max: 100, // 1분에 100번
-  message: '너무 많은 요청을 보냈습니다. 잠시 후 다시 시도해주세요.',
-});
-
 router
   /**
    * @openapi
@@ -94,7 +88,7 @@ router
    *                description: error decription
    *                example: { errorCode: 500 }
    */
-  .get('/recommend/books', limiter, authValidate(roleSet.all), recommendBook);
+  .get('/recommend/books', getRateLimiter, authValidate(roleSet.all), recommendBook);
 
 router
   /**

backend/src/v1/routes/histories.routes.ts

@@ -2,6 +2,7 @@ import { Router } from 'express';
 import { histories } from '~/v1/histories/histories.controller';
 import authValidate from '~/v1/auth/auth.validate';
 import { roleSet } from '~/v1/auth/auth.type';
+import { getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/histories';
 export const router = Router();
@@ -153,4 +154,4 @@ router
    *                     type: integer
    *                     example: 700
    */
-  .get('/', authValidate(roleSet.all), histories);
+  .get('/', getRateLimiter, authValidate(roleSet.all), histories);

backend/src/v1/routes/lendings.routes.ts

@@ -2,6 +2,7 @@ import { Router } from 'express';
 import { create, search, lendingId, returnBook } from '~/v1/lendings/lendings.controller';
 import authValidate from '~/v1/auth/auth.validate';
 import { roleSet } from '~/v1/auth/auth.type';
+import { cudRateLimiter, getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/lendings';
 export const router = Router();
@@ -61,7 +62,7 @@ router
    *        '500':
    *          description: db 에러
    * */
-  .post('/', authValidate(roleSet.librarian), create)
+  .post('/', cudRateLimiter, authValidate(roleSet.librarian), create)
 
   /**
    * @openapi
@@ -190,7 +191,7 @@ router
    *        '500':
    *          description: db 에러
    */
-  .get('/search', authValidate(roleSet.librarian), search)
+  .get('/search', cudRateLimiter, authValidate(roleSet.librarian), search)
 
   /**
    * @openapi
@@ -260,7 +261,7 @@ router
    *        '500':
    *          description: db 에러
    */
-  .get('/:id', authValidate(roleSet.librarian), lendingId)
+  .get('/:id', getRateLimiter, authValidate(roleSet.librarian), lendingId)
 
   /**
    * @openapi
@@ -316,4 +317,4 @@ router
    *                    type: integer
    * */
 
-  .patch('/return', authValidate(roleSet.librarian), returnBook);
+  .patch('/return', cudRateLimiter, authValidate(roleSet.librarian), returnBook);

backend/src/v1/routes/reservations.routes.ts

@@ -8,6 +8,7 @@ import {
 } from '~/v1/reservations/reservations.controller';
 import authValidate from '~/v1/auth/auth.validate';
 import { roleSet } from '~/v1/auth/auth.type';
+import { cudRateLimiter, getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/reservations';
 export const router = Router();
@@ -274,8 +275,8 @@ export const router = Router();
  * */
 
 router
-  .post('/', authValidate(roleSet.service), create)
-  .get('/search', authValidate(roleSet.librarian), search)
-  .patch('/cancel/:reservationId', authValidate(roleSet.service), cancel)
-  .get('/count', authValidate(roleSet.all), count)
-  .get('/', authValidate(roleSet.service), userReservations);
+  .post('/', cudRateLimiter, authValidate(roleSet.service), create)
+  .get('/search', getRateLimiter, authValidate(roleSet.librarian), search)
+  .patch('/cancel/:reservationId', cudRateLimiter, authValidate(roleSet.service), cancel)
+  .get('/count', getRateLimiter, authValidate(roleSet.all), count)
+  .get('/', getRateLimiter, authValidate(roleSet.service), userReservations);

backend/src/v1/routes/reviews.routes.ts

@@ -9,6 +9,7 @@ import {
 import authValidate from '~/v1/auth/auth.validate';
 import { roleSet } from '~/v1/auth/auth.type';
 import wrapAsyncController from '~/v1/middlewares/wrapAsyncController';
+import { cudRateLimiter, getRateLimiter } from "~/v1/utils/rateLimiter.ts";
 
 export const path = '/reviews';
 export const router = Router();
@@ -71,7 +72,7 @@ router
    *                    value :
    *                      errorCode: 109
    */
-  .post('/', authValidate(roleSet.all), wrapAsyncController(createReviews));
+  .post('/', cudRateLimiter, authValidate(roleSet.all), wrapAsyncController(createReviews));
 
 router
   /**
@@ -272,7 +273,7 @@ router
    *                   value :
    *                     errorCode: 109
    */
-  .get('/', authValidate(roleSet.librarian), wrapAsyncController(getReviews));
+  .get('/', getRateLimiter, authValidate(roleSet.librarian), wrapAsyncController(getReviews));
 
 router
   /**
@@ -463,7 +464,7 @@ router
    *                   value :
    *                     errorCode: 109
    */
-  .get('/my-reviews', authValidate(roleSet.all), wrapAsyncController(getReviews));
+  .get('/my-reviews', getRateLimiter, authValidate(roleSet.all), wrapAsyncController(getReviews));
 
 router
   /**
@@ -540,7 +541,7 @@ router
    *                    value:
    *                      errorCode: 804
    */
-  .put('/:reviewsId', authValidate(roleSet.all), wrapAsyncController(updateReviews));
+  .put('/:reviewsId', cudRateLimiter, authValidate(roleSet.all), wrapAsyncController(updateReviews));
 
 router
   /**
@@ -561,7 +562,7 @@ router
    *         '200':
    *            description: 리뷰가 DB에 정상적으로 fetch됨.
    */
-  .patch('/:reviewsId', authValidate(roleSet.librarian), wrapAsyncController(patchReviews));
+  .patch('/:reviewsId', cudRateLimiter, authValidate(roleSet.librarian), wrapAsyncController(patchReviews));
 
 router
   /**
@@ -621,4 +622,4 @@ router
    *                    value:
    *                      errorCode: 804
    */
-  .delete('/:reviewsId', authValidate(roleSet.all), wrapAsyncController(deleteReviews));
+  .delete('/:reviewsId', cudRateLimiter, authValidate(roleSet.all), wrapAsyncController(deleteReviews));