fix: 권한 상승 취약점 패치

hafskjfha · hafskjfha · commit f85a684c8121 · 2026-04-22T00:09:32.000+09:00
diff --git a/src/app/api/auth/set_nickname/route.ts b/src/app/api/auth/set_nickname/route.ts
@@ -0,0 +1,75 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { createServerClient } from '@supabase/ssr';
+import { Database } from '@/src/app/types/database.types';
+import { createClient } from '@supabase/supabase-js';
+
+export async function POST(request: NextRequest){
+    const body = await request.json().catch()
+    
+    // 유효하지 않은 데이터는 그냥 반환
+    if (!body){
+        return NextResponse.json({
+            data: null,
+            error: "invalid data"
+        })
+    }
+
+    const {nickname}: {nickname: string} = body;
+    if (!nickname){
+        return NextResponse.json({
+            data: null,
+            error: "invalid data"
+        })
+    }
+
+    // 요청자의 데이터를 쿠키에서 얻어냄
+    let supabaseResponse = NextResponse.next({request,})
+
+    const supabase = createServerClient<Database>(
+        process.env.NEXT_PUBLIC_SUPABASE_URL!,
+        process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+        {
+            cookies: {
+                getAll() {
+                    return request.cookies.getAll()
+                },
+                setAll(cookiesToSet) {
+                    cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value))
+                    supabaseResponse = NextResponse.next({
+                        request,
+                    })
+                    cookiesToSet.forEach(({ name, value, options }) =>
+                        supabaseResponse.cookies.set(name, value, options)
+                    )
+                },
+            },
+        }
+    )
+
+    // 유효한 유저인지 검사
+    const { data: { user } } = await supabase.auth.getUser();
+    if (!user){
+        return NextResponse.json({
+            data: null,
+            error: "no session"
+        })
+    }
+
+    // 업데이트 처리
+    const supabaseServer = createClient<Database>(
+        process.env.NEXT_PUBLIC_SUPABASE_URL, 
+        process.env.SUPABASE_SERVICE_KEY
+    )
+    const {data, error} = await supabaseServer.from('users').insert({id: user.id, nickname: nickname.trim()}).select('*').maybeSingle();
+    if (error){
+        return NextResponse.json({
+            data,
+            error
+        },{status:500})
+    }
+    return NextResponse.json({
+        data,
+        error
+    })
+}
diff --git a/src/app/auth/auth.tsx b/src/app/auth/auth.tsx
@@ -124,7 +124,7 @@ const AuthPage = () => {
         }
 
         // 닉네임 등록
-        const { data, error:err } = await SCM.add().nickname(session.data.session.user.id, nickname)
+        const { data, error:err } = await SCM.add().nickname(nickname)
 
         if (err) {
             setErrorModalView({
diff --git a/src/app/lib/supabase/ISupabaseClientManager.ts b/src/app/lib/supabase/ISupabaseClientManager.ts
@@ -33,7 +33,7 @@ export interface IAddManager {
     waitWordThemes(insertWaitWordThemeData: { wait_word_id: number; theme_id: number; }[]): Promise<PostgrestSingleResponse<null>>
     waitDocs({ docsName, userId }: { docsName: string; userId: string | undefined; }): Promise<PostgrestSingleResponse<null>>;
     docs(insertDocsData: { name: string; maker: string | null; duem: boolean; typez: "letter" | "theme"; }[]): Promise<PostgrestSingleResponse<null>>;
-    nickname(userId: string, nick: string): Promise<PostgrestSingleResponse<user>>;
+    nickname(nick: string): Promise<PostgrestSingleResponse<user>>;
     words(q:addWordQueryType[]): Promise<PostgrestSingleResponse<word[]>>;
     wordsThemes(q: addWordThemeQueryType[]): Promise<PostgrestSingleResponse<{words:{word: string}; themes: {name: string}}[]>>;
     wordThemesReq(q: {word_id: number, theme_id: number, typez: "add" | "delete", req_by: string | null}[]): Promise<PostgrestSingleResponse<{typez: "add" | "delete"; themes:{name: string}}[]>>
diff --git a/src/app/lib/supabase/SupabaseClientManager.ts b/src/app/lib/supabase/SupabaseClientManager.ts
@@ -6,6 +6,7 @@ import DuemLaw, { reverDuemLaw } from '../hangulUtils';
 import { sum } from 'es-toolkit';
 import { StorageError } from '@supabase/storage-js';
 import { misssionCharMask } from '../lib';
+import axios from 'axios';
 
 const CACHE_DURATION = 10 * 60 * 1000;
 
@@ -53,8 +54,9 @@ class AddManager implements IAddManager {
     public async docs(docsInserQuery: { name: string, maker: string | null, duem: boolean, typez: "letter" }[]) {
         return await this.supabase.from('docs').insert(docsInserQuery);
     }
-    public async nickname(userId: string, nick: string) {
-        return this.supabase.from("users").insert({ id: userId, nickname: nick.trim() }).select("*").single();
+    public async nickname(nick: string) {
+        const res = await axios.post('/api/auth/set_nickname', { nickname: nick.trim() });
+        return res.data;
     }
     public async words(q: addWordQueryType[]) {
         return this.supabase.from('words').upsert(q, { ignoreDuplicates: true, onConflict: "word" }).select('*');

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ const AuthPage = () => {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`// 닉네임 등록`
`127`		`- const { data, error:err } = await SCM.add().nickname(session.data.session.user.id, nickname)`
	`127`	`+ const { data, error:err } = await SCM.add().nickname(nickname)`
`128`	`128`
`129`	`129`	`if (err) {`
`130`	`130`	`setErrorModalView({`