From 59253982c81ae82d0556d1dfbcc59969e3b852c7 Mon Sep 17 00:00:00 2001 From: soonnae Date: Thu, 17 Jul 2025 00:18:04 +0900 Subject: [PATCH 1/3] [Autofic] Create package.json and CI workflow --- .github/workflows/pr_notify.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml new file mode 100644 index 0000000..2b34036 --- /dev/null +++ b/.github/workflows/pr_notify.yml @@ -0,0 +1,20 @@ +name: PR Notifier + +on: + pull_request: + types: [opened, reopened, closed] + +jobs: + notify: + runs-on: ubuntu-latest + steps: + - name: Notify Discord + env: + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} + run: | + curl -H "Content-Type: application/json" -d '{"content": "๐Ÿ”” Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL + - name: Notify Slack + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL From 374cf270a15ee37ccbecb8791b03b969297e308f Mon Sep 17 00:00:00 2001 From: soonnae Date: Thu, 17 Jul 2025 00:18:13 +0900 Subject: [PATCH 2/3] [Autofic] 1 malicious code detected!! --- service/login.js | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/service/login.js b/service/login.js index 8d7402c..72bc9be 100644 --- a/service/login.js +++ b/service/login.js 
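Review bot: Both `run:` steps in the new workflow interpolate `${{ github.event.pull_request.title }}` straight into a shell command line, and a PR title is attacker-controlled text: any quote or shell metacharacter in it breaks out of the single-quoted JSON argument and is executed by the runner's shell with the webhook secrets in its environment. The standard fix is to pass the event fields through `env:` and build the JSON payload with `jq`, so the values are never parsed by the shell; the same applies to `html_url`, `user.login` and the Slack step. The webhook variable is also unquoted (`$DISCORD_WEBHOOK_URL`), which should be `"$DISCORD_WEBHOOK_URL"`. Note that the third patch in this series deletes the file again, so this only matters if the workflow is reintroduced.
```yaml
      - name: Notify Discord
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_ACTION: ${{ github.event.action }}
        run: |
          payload=$(jq -n --arg c "🔔 Pull Request [$PR_TITLE]($PR_URL) by $PR_AUTHOR - $PR_ACTION" '{content: $c}')
          curl -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK_URL"
      # … unchanged: Slack step (apply the same env + jq pattern) …
```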
@@ -9,6 +9,8 @@ var express = require("express"); var session = require("express-session"); var bodyParser = require("body-parser"); var path = require("path"); +var csrf = require("csurf"); +var rateLimit = require("express-rate-limit"); var connection = mysql.createConnection({ host: "db", @@ -23,11 +25,23 @@ app.use( secret: require("crypto").randomBytes(64).toString("hex"), resave: true, saveUninitialized: true, + cookie: { secure: true } // ์ฟ ํ‚ค์— secure ํ”Œ๋ž˜๊ทธ ์ถ”๊ฐ€ }) ); app.use(bodyParser.urlencoded({ extended: true })); app.use(bodyParser.json()); +// CSRF ๋ณดํ˜ธ ๋ฏธ๋“ค์›จ์–ด ์ถ”๊ฐ€ +var csrfProtection = csrf({ cookie: true }); +app.use(csrfProtection); + +// ์†๋„ ์ œํ•œ ๋ฏธ๋“ค์›จ์–ด ์ถ”๊ฐ€ +const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15๋ถ„ + max: 100 // ๊ฐ IP๋‹น 100๊ฐœ์˜ ์š”์ฒญ์œผ๋กœ ์ œํ•œ +}); +app.use(limiter); + app.get("/", function (request, response) { response.sendFile(path.join(__dirname + "/login.html")); }); From 77556d87d3c72f9ee840ac999421682f0257270b Mon Sep 17 00:00:00 2001 From: soonnae Date: Thu, 17 Jul 2025 00:18:29 +0900 Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR --- .github/workflows/pr_notify.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml deleted file mode 100644 index 2b34036..0000000 --- a/.github/workflows/pr_notify.yml +++ /dev/null 
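Review bot: Mounting `csrfProtection` globally in the second hunk will reject the login form itself: `/` serves a static `login.html` through `response.sendFile`, so no `req.csrfToken()` value ever reaches the page and the form's POST fails with csurf's `EBADCSRFTOKEN` 403 rather than being protected. `csrf({ cookie: true })` additionally requires `cookie-parser` to be mounted before it, and the first hunk adds no such require; since `express-session` is already configured, `var csrfProtection = csrf();` (session-backed) is the smaller change, and the token still has to be rendered into the login page before the check is enforced — csurf itself is also deprecated upstream, which is worth noting in a comment. `cookie: { secure: true }` means the session cookie is only sent over HTTPS, so behind a TLS-terminating proxy this presumably also needs `app.set("trust proxy", 1)`, otherwise sessions silently never persist over plain HTTP — confirm the deployment. Style-wise the new code mixes `var csrfProtection` with `const limiter` in a file that uses `var` throughout, and `app.use(limiter)` would be better placed ahead of the body parsers so rate-limited requests are dropped before their bodies are parsed.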
@@ -1,20 +0,0 @@ -name: PR Notifier - -on: - pull_request: - types: [opened, reopened, closed] - -jobs: - notify: - runs-on: ubuntu-latest - steps: - - name: Notify Discord - env: - DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} - run: | - curl -H "Content-Type: application/json" -d '{"content": "๐Ÿ”” Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL - - name: Notify Slack - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - run: | - curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL