← WhiteHat Code샘플 리포트 목록
샘플 리포트 — 공개 오픈소스 저장소를 실제로 스캔한 결과입니다

gnuboard/g6

@ master

gnuboard/g6@ masterdjangofastapijwtnextjs300 / 305 파일 스캔 (일부)
높음

심각한 취약점이 발견되었습니다 — 우선적인 조치를 권장합니다.

13건 — HIGH 11건 · MEDIUM 2건

주요 발견 유형

sql injection8
Unsafe Deserialization / Code Injection1
Insecure File Upload / Path Traversal1
Missing CSRF Protection1
DOM-based XSS1
Information Disclosure1

프로젝트 구조

291개 엔드포인트 · 자동 추출
GET/admin/admin.py
GET/auth_listadmin/admin_auth.py
POST/auth_updateadmin/admin_auth.py
POST/auth_list_deleteadmin/admin_auth.py
GET/board_listadmin/admin_board.py
POST/board_list_updateadmin/admin_board.py
POST/board_list_deleteadmin/admin_board.py
GET/board_formadmin/admin_board.py
GET/board_form/{bo_table}admin/admin_board.py
POST/board_form_updateadmin/admin_board.py
GET/board_copy/{bo_table}admin/admin_board.py
POST/board_copy_updateadmin/admin_board.py
GET/boardgroup_listadmin/admin_boardgroup.py
POST/boardgroup_list_updateadmin/admin_boardgroup.py
POST/boardgroup_list_deleteadmin/admin_boardgroup.py
GET/boardgroup_formadmin/admin_boardgroup.py
GET/boardgroup_form/{gr_id}admin/admin_boardgroup.py
POST/boardgroup_form_updateadmin/admin_boardgroup.py
GET/boardgroupmember_list/{gr_id}admin/admin_boardgroupmember.py
GET/boardgroupmember_form/{mb_id}admin/admin_boardgroupmember.py
POST/boardgroupmember_insertadmin/admin_boardgroupmember.py
POST/boardgroupmember_deleteadmin/admin_boardgroupmember.py
GET/cache_file_deleteadmin/admin_cache.py
GET/cache_file_deletingadmin/admin_cache.py
GET/config_formadmin/admin_config.py
POST/config_form_updateadmin/admin_config.py
GET/content_listadmin/admin_content.py
GET/content_formadmin/admin_content.py
GET/content_form/{co_id}admin/admin_content.py
POST/content_form_updateadmin/admin_content.py
GET/content_delete/{co_id}admin/admin_content.py
GET/faq_master_listadmin/admin_faq.py
GET/faq_master_formadmin/admin_faq.py
POST/faq_master_form_updateadmin/admin_faq.py
GET/faq_master_form/{fm_id}admin/admin_faq.py
POST/faq_master_form_update/{fm_id}admin/admin_faq.py
DELETE/faq_master_form_delete/{fm_id}admin/admin_faq.py
GET/faq_list/{fm_id}admin/admin_faq.py
GET/faq_form/{fm_id}admin/admin_faq.py
POST/faq_form_update/{fm_id}admin/admin_faq.py
GET/faq_form/{fm_id}/{fa_id}admin/admin_faq.py
POST/faq_form_update/{fm_id}/{fa_id}admin/admin_faq.py
DELETE/faq_form_delete/{fa_id}admin/admin_faq.py
GET/mail_listadmin/admin_mail.py
GET/mail_formadmin/admin_mail.py
GET/mail_form/{ma_id}admin/admin_mail.py
POST/mail_updateadmin/admin_mail.py
POST/mail_deleteadmin/admin_mail.py
GET/mail_test/{ma_id}admin/admin_mail.py
GET/mail_select_form/{ma_id}admin/admin_mail.py
POST/mail_select_listadmin/admin_mail.py
POST/mail_select_resultadmin/admin_mail.py
GET/mail_select_sendadmin/admin_mail.py
GET/mail_preview/{ma_id}admin/admin_mail.py
GET/member_listadmin/admin_member.py
POST/member_list_updateadmin/admin_member.py
POST/member_list_deleteadmin/admin_member.py
GET/member_formadmin/admin_member.py
GET/member_form/{mb_id}admin/admin_member.py
POST/member_form_updateadmin/admin_member.py
GET/check_member_id/{mb_id}admin/admin_member.py
GET/check_member_email/{mb_email}/{mb_id}admin/admin_member.py
GET/check_member_nick/{mb_nick}/{mb_id}admin/admin_member.py
GET/menu_listadmin/admin_menu.py
GET/menu_formadmin/admin_menu.py
POST/menu_form_searchadmin/admin_menu.py
POST/menu_list_updateadmin/admin_menu.py
GET/newwin_listadmin/admin_newwin.py
GET/newwin_formadmin/admin_newwin.py
GET/newwin_form/{nw_id}admin/admin_newwin.py
POST/newwin_form_updateadmin/admin_newwin.py
GET/newwin_delete/{nw_id}admin/admin_newwin.py
POST/plugin_detailadmin/admin_plugin.py
GET/plugin_listadmin/admin_plugin.py
POST/plugin_updateadmin/admin_plugin.py
GET/plugin/screenshot/{module_name}admin/admin_plugin.py
GET/point_listadmin/admin_point.py
POST/point_updateadmin/admin_point.py
POST/point_list_deleteadmin/admin_point.py
GET/poll_listadmin/admin_poll.py
POST/poll_list_deleteadmin/admin_poll.py
GET/poll_formadmin/admin_poll.py
GET/poll_form/{po_id}admin/admin_poll.py
POST/poll_form_updateadmin/admin_poll.py
GET/popular_listadmin/admin_popular.py
POST/popular/deleteadmin/admin_popular.py
GET/popular_rankadmin/admin_popular.py
GET/qa_configadmin/admin_qa.py
POST/qa_config_updateadmin/admin_qa.py
GET/sendmail_testadmin/admin_sendmail.py
POST/sendmail_test_resultadmin/admin_sendmail.py
GET/serviceadmin/admin_service.py
GET/themeadmin/admin_theme.py
POST/theme_detailadmin/admin_theme.py
GET/theme_preview/{theme}admin/admin_theme.py
POST/theme_updateadmin/admin_theme.py
GET/screenshot/{theme}admin/admin_theme.py
GET/visit_searchadmin/admin_visit.py
GET/visit_deleteadmin/admin_visit.py
POST/visit_delete_updateadmin/admin_visit.py
시퀀스 다이어그램 (Mermaid)
sequenceDiagram
  actor User
  participant API
  participant DB
  User->>API: GET /
  API->>DB: query
  DB-->>API: rows
  API-->>User: response
  User->>API: GET /auth_list
  API->>DB: query
  DB-->>API: rows
  API-->>User: response
  User->>API: POST /auth_update
  API->>DB: query
  DB-->>API: rows
  API-->>User: response
  User->>API: POST /auth_list_delete
  API->>DB: query
  DB-->>API: rows
  API-->>User: response
  User->>API: GET /board_list
  API->>DB: query
  DB-->>API: rows
  API-->>User: response
  User->>API: POST /board_list_update
  API->>DB: query
  DB-->>API: rows
  API-->>User: response
유스케이스 다이어그램 (Mermaid)
flowchart LR
  A0["👤 User"]
  A1["👤 Admin"]
  U0(["root 관리"])
  A0 --> U0
  U1(["auth_list 관리"])
  A1 --> U1
  U2(["auth_update 관리"])
  A1 --> U2
  U3(["auth_list_delete 관리"])
  A1 --> U3
  U4(["board_list 관리"])
  A0 --> U4
  U5(["board_list_update 관리"])
  A0 --> U5
  U6(["board_list_delete 관리"])
  A0 --> U6
  U7(["board_form 관리"])
  A0 --> U7
  U8(["board_form_update 관리"])
  A0 --> U8
  U9(["board_copy 관리"])
  A0 --> U9
  U10(["board_copy_update 관리"])
  A0 --> U10
  U11(["boardgroup_list 관리"])
  A0 --> U11
API 구조 (Mermaid)
flowchart LR
  API([API])
  API --> R0["/root"]
  R0 --> R0_0["GET /"]
  R0 --> R0_1["GET /"]
  R0 --> R0_2["POST /"]
  R0 --> R0_3["GET /"]
  API --> R1["/auth_list"]
  R1 --> R1_0["GET /auth_list"]
  API --> R2["/auth_update"]
  R2 --> R2_0["POST /auth_update"]
  API --> R3["/auth_list_delete"]
  R3 --> R3_0["POST /auth_list_delete"]
  API --> R4["/board_list"]
  R4 --> R4_0["GET /board_list"]
  API --> R5["/board_list_update"]
  R5 --> R5_0["POST /board_list_update"]
  API --> R6["/board_list_delete"]
  R6 --> R6_0["POST /board_list_delete"]
  API --> R7["/board_form"]
  R7 --> R7_0["GET /board_form"]
  R7 --> R7_1["GET /board_form/{bo_table}"]
  API --> R8["/board_form_update"]
  R8 --> R8_0["POST /board_form_update"]
  API --> R9["/board_copy"]
  R9 --> R9_0["GET /board_copy/{bo_table}"]
  API --> R10["/board_copy_update"]
  R10 --> R10_0["POST /board_copy_update"]
  API --> R11["/boardgroup_list"]
  R11 --> R11_0["GET /boardgroup_list"]
  API --> R12["/boardgroup_list_update"]
  R12 --> R12_0["POST /boardgroup_list_update"]
  API --> R13["/boardgroup_list_delete"]
  R13 --> R13_0["POST /boardgroup_list_delete"]
  API --> R14["/boardgroup_form"]
  R14 --> R14_0["GET /boardgroup_form"]
  R14 --> R14_1["GET /boardgroup_form/{gr_id}"]
  API --> R15["/boardgroup_form_update"]
  R15 --> R15_0["POST /boardgroup_form_update"]
  API --> R16["/boardgroupmember_list"]
  R16 --> R16_0["GET /boardgroupmember_list/{gr_id}"]
  API --> R17["/boardgroupmember_form"]
  R17 --> R17_0["GET /boardgroupmember_form/{mb_id}"]
  API --> R18["/boardgroupmember_insert"]
  R18 --> R18_0["POST /boardgroupmember_insert"]
  API --> R19["/boardgroupmember_delete"]
  R19 --> R19_0["POST /boardgroupmember_delete"]
  API --> R20["/cache_file_delete"]
  R20 --> R20_0["GET /cache_file_delete"]
  API --> R21["/cache_file_deleting"]
  R21 --> R21_0["GET /cache_file_deleting"]
  API --> R22["/config_form"]
  R22 --> R22_0["GET /config_form"]
  API --> R23["/config_form_update"]
  R23 --> R23_0["POST /config_form_update"]
  API --> R24["/content_list"]
  R24 --> R24_0["GET /content_list"]
  API --> R25["/content_form"]
  R25 --> R25_0["GET /content_form"]
  R25 --> R25_1["GET /content_form/{co_id}"]
  API --> R26["/content_form_update"]
  R26 --> R26_0["POST /content_form_update"]
  API --> R27["/content_delete"]
  R27 --> R27_0["GET /content_delete/{co_id}"]
  API --> R28["/faq_master_list"]
  R28 --> R28_0["GET /faq_master_list"]
  API --> R29["/faq_master_form"]
  R29 --> R29_0["GET /faq_master_form"]
  R29 --> R29_1["GET /faq_master_form/{fm_id}"]
  API --> R30["/faq_master_form_update"]
  R30 --> R30_0["POST /faq_master_form_update"]
  R30 --> R30_1["POST /faq_master_form_update/{fm_id}"]
  API --> R31["/faq_master_form_delete"]
  R31 --> R31_0["DELETE /faq_master_form_delete/{fm_id}"]
  API --> R32["/faq_list"]
  R32 --> R32_0["GET /faq_list/{fm_id}"]
  API --> R33["/faq_form"]
  R33 --> R33_0["GET /faq_form/{fm_id}"]
  R33 --> R33_1["GET /faq_form/{fm_id}/{fa_id}"]
  API --> R34["/faq_form_update"]
  R34 --> R34_0["POST /faq_form_update/{fm_id}"]
  R34 --> R34_1["POST /faq_form_update/{fm_id}/{fa_id}"]
  API --> R35["/faq_form_delete"]
  R35 --> R35_0["DELETE /faq_form_delete/{fa_id}"]
  API --> R36["/mail_list"]
  R36 --> R36_0["GET /mail_list"]
  API --> R37["/mail_form"]
  R37 --> R37_0["GET /mail_form"]
  R37 --> R37_1["GET /mail_form/{ma_id}"]
  API --> R38["/mail_update"]
  R38 --> R38_0["POST /mail_update"]
  API --> R39["/mail_delete"]
  R39 --> R39_0["POST /mail_delete"]
  API --> R40["/mail_test"]
  R40 --> R40_0["GET /mail_test/{ma_id}"]
  API --> R41["/mail_select_form"]
  R41 --> R41_0["GET /mail_select_form/{ma_id}"]
  API --> R42["/mail_select_list"]
  R42 --> R42_0["POST /mail_select_list"]
  API --> R43["/mail_select_result"]
  R43 --> R43_0["POST /mail_select_result"]
  API --> R44["/mail_select_send"]
  R44 --> R44_0["GET /mail_select_send"]
  API --> R45["/mail_preview"]
  R45 --> R45_0["GET /mail_preview/{ma_id}"]
  API --> R46["/member_list"]
  R46 --> R46_0["GET /member_list"]
  API --> R47["/member_list_update"]
  R47 --> R47_0["POST /member_list_update"]
  API --> R48["/member_list_delete"]
  R48 --> R48_0["POST /member_list_delete"]
  API --> R49["/member_form"]
  R49 --> R49_0["GET /member_form"]
  R49 --> R49_1["GET /member_form/{mb_id}"]
  API --> R50["/member_form_update"]
  R50 --> R50_0["POST /member_form_update"]
  API --> R51["/check_member_id"]
  R51 --> R51_0["GET /check_member_id/{mb_id}"]
  API --> R52["/check_member_email"]
  R52 --> R52_0["GET /check_member_email/{mb_email}/{mb_id}"]
  API --> R53["/check_member_nick"]
  R53 --> R53_0["GET /check_member_nick/{mb_nick}/{mb_id}"]
  API --> R54["/menu_list"]
  R54 --> R54_0["GET /menu_list"]
  API --> R55["/menu_form"]
  R55 --> R55_0["GET /menu_form"]
  API --> R56["/menu_form_search"]
  R56 --> R56_0["POST /menu_form_search"]
  API --> R57["/menu_list_update"]
  R57 --> R57_0["POST /menu_list_update"]
  API --> R58["/newwin_list"]
  R58 --> R58_0["GET /newwin_list"]
  API --> R59["/newwin_form"]
  R59 --> R59_0["GET /newwin_form"]
  R59 --> R59_1["GET /newwin_form/{nw_id}"]
  API --> R60["/newwin_form_update"]
  R60 --> R60_0["POST /newwin_form_update"]
  API --> R61["/newwin_delete"]
  R61 --> R61_0["GET /newwin_delete/{nw_id}"]
  API --> R62["/plugin_detail"]
  R62 --> R62_0["POST /plugin_detail"]
  API --> R63["/plugin_list"]
  R63 --> R63_0["GET /plugin_list"]
  API --> R64["/plugin_update"]
  R64 --> R64_0["POST /plugin_update"]
  API --> R65["/plugin"]
  R65 --> R65_0["GET /plugin/screenshot/{module_name}"]
  API --> R66["/point_list"]
  R66 --> R66_0["GET /point_list"]
  API --> R67["/point_update"]
  R67 --> R67_0["POST /point_update"]
  API --> R68["/point_list_delete"]
  R68 --> R68_0["POST /point_list_delete"]
  API --> R69["/poll_list"]
  R69 --> R69_0["GET /poll_list"]
  API --> R70["/poll_list_delete"]
  R70 --> R70_0["POST /poll_list_delete"]
  API --> R71["/poll_form"]
  R71 --> R71_0["GET /poll_form"]
  R71 --> R71_1["GET /poll_form/{po_id}"]
  API --> R72["/poll_form_update"]
  R72 --> R72_0["POST /poll_form_update"]
  API --> R73["/popular_list"]
  R73 --> R73_0["GET /popular_list"]
  API --> R74["/popular"]
  R74 --> R74_0["POST /popular/delete"]
  API --> R75["/popular_rank"]
  R75 --> R75_0["GET /popular_rank"]
  API --> R76["/qa_config"]
  R76 --> R76_0["GET /qa_config"]
  API --> R77["/qa_config_update"]
  R77 --> R77_0["POST /qa_config_update"]
  API --> R78["/sendmail_test"]
  R78 --> R78_0["GET /sendmail_test"]
  API --> R79["/sendmail_test_result"]
  R79 --> R79_0["POST /sendmail_test_result"]
  API --> R80["/service"]
  R80 --> R80_0["GET /service"]
  API --> R81["/theme"]
  R81 --> R81_0["GET /theme"]
  API --> R82["/theme_detail"]
  R82 --> R82_0["POST /theme_detail"]
  API --> R83["/theme_preview"]
  R83 --> R83_0["GET /theme_preview/{theme}"]
  API --> R84["/theme_update"]
  R84 --> R84_0["POST /theme_update"]
  API --> R85["/screenshot"]
  R85 --> R85_0["GET /screenshot/{theme}"]
  API --> R86["/visit_search"]
  R86 --> R86_0["GET /visit_search"]
  API --> R87["/visit_delete"]
  R87 --> R87_0["GET /visit_delete"]
  API --> R88["/visit_delete_update"]
  R88 --> R88_0["POST /visit_delete_update"]
  API --> R89["/visit_list"]
  R89 --> R89_0["GET /visit_list"]
  API --> R90["/visit_domain"]
  R90 --> R90_0["GET /visit_domain"]
  API --> R91["/visit_browser"]
  R91 --> R91_0["GET /visit_browser"]
  API --> R92["/visit_os"]
  R92 --> R92_0["GET /visit_os"]
  API --> R93["/visit_device"]
  R93 --> R93_0["GET /visit_device"]
  API --> R94["/visit_hour"]
  R94 --> R94_0["GET /visit_hour"]
  API --> R95["/visit_weekday"]
  R95 --> R95_0["GET /visit_weekday"]
  API --> R96["/visit_date"]
  R96 --> R96_0["GET /visit_date"]
  API --> R97["/visit_month"]
  R97 --> R97_0["GET /visit_month"]
  API --> R98["/visit_year"]
  R98 --> R98_0["GET /visit_year"]
  API --> R99["/write_count"]
  R99 --> R99_0["GET /write_count"]
  API --> R100["/token"]
  R100 --> R100_0["POST /token"]
  R100 --> R100_1["POST /token/refresh"]
  API --> R101["/autosaves"]
  R101 --> R101_0["GET /autosaves"]
  R101 --> R101_1["GET /autosaves/count"]
  R101 --> R101_2["GET /autosaves/{as_id}"]
  R101 --> R101_3["POST /autosaves"]
  R101 --> R101_4["DELETE /autosaves/{as_id}"]
  API --> R102["/bo_table"]
  R102 --> R102_0["GET /{bo_table}/writes"]
  R102 --> R102_1["GET /{bo_table}/writes/{wr_id}"]
  R102 --> R102_2["POST /{bo_table}/writes/{wr_id}"]
  R102 --> R102_3["POST /{bo_table}/writes"]
  R102 --> R102_4["PUT /{bo_table}/writes/{wr_id}"]
  R102 --> R102_5["DELETE /{bo_table}/writes/{wr_id}"]
  R102 --> R102_6["POST /{bo_table}/writes/delete"]
  R102 --> R102_7["POST /{bo_table}/writes/{wr_id}/delete"]
  API --> R103["/boards"]
  R103 --> R103_0["POST /boards/{bo_table}/writes/{wr_id}/{good_type}"]
  API --> R104["/writes"]
  R104 --> R104_0["GET /writes"]
  R104 --> R104_1["GET /writes/{bo_table}"]
  API --> R105["/delete"]
  R105 --> R105_0["POST /delete"]
  R105 --> R105_1["GET /delete/{bo_table}/{wr_id}"]
  API --> R106["/recaptcha"]
  R106 --> R106_0["POST /recaptcha/verify"]
  API --> R107["/html"]
  R107 --> R107_0["GET /html"]
  API --> R108["/policy"]
  R108 --> R108_0["GET /policy"]
  API --> R109["/member"]
  R109 --> R109_0["GET /member"]
  R109 --> R109_1["PUT /member"]
  R109 --> R109_2["PUT /member/image"]
  R109 --> R109_3["DELETE /member"]
  API --> R110["/memo"]
  R110 --> R110_0["GET /memo"]
  R110 --> R110_1["GET /memo"]
  API --> R111["/board"]
  R111 --> R111_0["GET /board"]
  API --> R112["/contents"]
  R112 --> R112_0["GET /contents"]
  R112 --> R112_1["GET /contents/{co_id}"]
  API --> R113["/members"]
  R113 --> R113_0["GET /members/current-connect"]
  R113 --> R113_1["POST /members"]
  R113 --> R113_2["PUT /members/{mb_id}/email-certification/change"]
  R113 --> R113_3["PUT /members/{mb_id}/email-certification"]
  R113 --> R113_4["GET /members/me"]
  R113 --> R113_5["POST /members/password_certification"]
  R113 --> R113_6["GET /members/{mb_id}"]
  R113 --> R113_7["POST /members/search/id"]
  API --> R114["/faqs"]
  R114 --> R114_0["GET /faqs"]
  R114 --> R114_1["GET /faqs/{fm_id}"]
  API --> R115["/gr_id"]
  R115 --> R115_0["GET /{gr_id}/boards"]
  API --> R116["/memos"]
  R116 --> R116_0["GET /memos"]
  R116 --> R116_1["GET /memos/{me_id}"]
  R116 --> R116_2["PATCH /memos/{me_id}/read"]
  R116 --> R116_3["POST /memos"]
  R116 --> R116_4["DELETE /memos/{me_id}"]
  API --> R117["/menus"]
  R117 --> R117_0["GET /menus"]
  API --> R118["/newwins"]
  R118 --> R118_0["GET /newwins"]
  API --> R119["/points"]
  R119 --> R119_0["GET /points"]
  API --> R120["/polls"]
  R120 --> R120_0["GET /polls/latest"]
  R120 --> R120_1["GET /polls/{po_id}"]
  R120 --> R120_2["PATCH /polls/{po_id}/{item}"]
  R120 --> R120_3["POST /polls/{po_id}/etc"]
  R120 --> R120_4["DELETE /polls/{po_id}/etc/{pc_id}"]
  API --> R121["/populars"]
  R121 --> R121_0["GET /populars"]
  R121 --> R121_1["POST /populars"]
  R121 --> R121_2["DELETE /populars"]
  API --> R122["/qa"]
  R122 --> R122_0["GET /qa/config"]
  API --> R123["/qas"]
  R123 --> R123_0["GET /qas"]
  R123 --> R123_1["GET /qas/{qa_id}"]
  R123 --> R123_2["POST /qas"]
  R123 --> R123_3["PUT /qas/{qa_id}"]
  R123 --> R123_4["PUT /qas/{qa_id}/files"]
  R123 --> R123_5["GET /qas/{qa_id}/files/{file_index}"]
  R123 --> R123_6["DELETE /qas/{qa_id}"]
  API --> R124["/scraps"]
  R124 --> R124_0["GET /scraps"]
  R124 --> R124_1["GET /scraps/{bo_table}/{wr_id}"]
  R124 --> R124_2["POST /scraps/{bo_table}/{wr_id}"]
  R124 --> R124_3["DELETE /scraps/{ms_id}"]
  API --> R125["/search"]
  R125 --> R125_0["GET /search"]
  R125 --> R125_1["GET /search"]
  API --> R126["/visit"]
  R126 --> R126_0["GET /visit"]
  R126 --> R126_1["POST /visit"]
  API --> R127["/login"]
  R127 --> R127_0["GET /login"]
  R127 --> R127_1["POST /login"]
  API --> R128["/logout"]
  R128 --> R128_0["GET /logout"]
  API --> R129["/password"]
  R129 --> R129_0["GET /password/{action}/{bo_table}/{wr_id}"]
  API --> R130["/password_check"]
  R130 --> R130_0["POST /password_check/{action}/{bo_table}/{wr_id}"]
  API --> R131["/license"]
  R131 --> R131_0["GET /license"]
  API --> R132["/form"]
  R132 --> R132_0["GET /form"]
  R132 --> R132_1["POST /form"]
  API --> R133["/process"]
  R133 --> R133_0["GET /process"]
  API --> R134["/show"]
  R134 --> R134_0["GET /show"]
  R134 --> R134_1["GET /show"]
  API --> R135["/show_template"]
  R135 --> R135_0["GET /show_template"]
  R135 --> R135_1["GET /show_template"]
  API --> R136["/autosave_list"]
  R136 --> R136_0["GET /autosave_list"]
  API --> R137["/autosave_count"]
  R137 --> R137_0["GET /autosave_count"]
  API --> R138["/autosave_load"]
  R138 --> R138_0["GET /autosave_load/{as_id}"]
  API --> R139["/autosave"]
  R139 --> R139_0["POST /autosave"]
  R139 --> R139_1["DELETE /autosave/{as_id}"]
  API --> R140["/good"]
  R140 --> R140_0["POST /good/{bo_table}/{wr_id}/{type}"]
  API --> R141["/group"]
  R141 --> R141_0["GET /group/{gr_id}"]
  API --> R142["/list_delete"]
  R142 --> R142_0["POST /list_delete/{bo_table}"]
  API --> R143["/move"]
  R143 --> R143_0["POST /move/{bo_table}"]
  API --> R144["/move_update"]
  R144 --> R144_0["POST /move_update"]
  API --> R145["/write"]
  R145 --> R145_0["GET /write/{bo_table}"]
  R145 --> R145_1["GET /write/{bo_table}/{wr_id}"]
  API --> R146["/write_update"]
  R146 --> R146_0["POST /write_update/{bo_table}"]
  R146 --> R146_1["POST /write_update/{bo_table}/{wr_id}"]
  API --> R147["/write_comment_update"]
  R147 --> R147_0["POST /write_comment_update/{bo_table}"]
  API --> R148["/delete_comment"]
  R148 --> R148_0["GET /delete_comment/{bo_table}/{comment_id}"]
  API --> R149["/new"]
  R149 --> R149_0["GET /new"]
  API --> R150["/new_delete"]
  R150 --> R150_0["POST /new_delete"]
  API --> R151["/content"]
  R151 --> R151_0["GET /content/{co_id}"]
  API --> R152["/current_connect"]
  R152 --> R152_0["GET /current_connect"]
  API --> R153["/faq"]
  R153 --> R153_0["GET /faq"]
  R153 --> R153_1["GET /faq/{fm_id}"]
  API --> R154["/formmail"]
  R154 --> R154_0["GET /formmail/{mb_id}"]
  API --> R155["/formmail_send"]
  R155 --> R155_0["POST /formmail_send"]
  API --> R156["/id_lost"]
  R156 --> R156_0["GET /id_lost"]
  R156 --> R156_1["POST /id_lost"]
  API --> R157["/password_lost"]
  R157 --> R157_0["GET /password_lost"]
  R157 --> R157_1["POST /password_lost"]
  API --> R158["/password_reset"]
  R158 --> R158_0["GET /password_reset/{mb_id}/{token}"]
  R158 --> R158_1["POST /password_reset/{mb_id}/{token}"]
  API --> R159["/member_leave"]
  R159 --> R159_0["GET /member_leave"]
  R159 --> R159_1["POST /member_leave"]
  API --> R160["/member_confirm"]
  R160 --> R160_0["GET /member_confirm"]
  R160 --> R160_1["POST /member_confirm"]
  API --> R161["/member_profile"]
  R161 --> R161_0["GET /member_profile"]
  R161 --> R161_1["POST /member_profile"]
  API --> R162["/memo_view"]
  R162 --> R162_0["GET /memo_view/{me_id}"]
  API --> R163["/memo_form"]
  R163 --> R163_0["GET /memo_form"]
  API --> R164["/memo_form_update"]
  R164 --> R164_0["POST /memo_form_update"]
  API --> R165["/memo_delete"]
  R165 --> R165_0["GET /memo_delete/{me_id}"]
  API --> R166["/point"]
  R166 --> R166_0["GET /point"]
  API --> R167["/poll_update"]
  R167 --> R167_0["POST /poll_update/{po_id}"]
  API --> R168["/poll_result"]
  R168 --> R168_0["GET /poll_result/{po_id}"]
  API --> R169["/poll"]
  R169 --> R169_0["POST /poll/{po_id}/etc_update"]
  R169 --> R169_1["GET /poll/{po_id}/etc_delete/{pc_id}"]
  API --> R170["/profile"]
  R170 --> R170_0["GET /profile/{mb_id}"]
  API --> R171["/qalist"]
  R171 --> R171_0["GET /qalist"]
  API --> R172["/qawrite"]
  R172 --> R172_0["GET /qawrite"]
  R172 --> R172_1["GET /qawrite/{qa_id}"]
  API --> R173["/qawrite_update"]
  R173 --> R173_0["POST /qawrite_update"]
  API --> R174["/qadelete"]
  R174 --> R174_0["GET /qadelete/{qa_id}"]
  R174 --> R174_1["POST /qadelete/list"]
  API --> R175["/qaview"]
  R175 --> R175_0["GET /qaview/{qa_id}"]
  R175 --> R175_1["GET /qaview/{qa_id}/files/{file_index}"]
  API --> R176["/register"]
  R176 --> R176_0["GET /register"]
  R176 --> R176_1["POST /register"]
  R176 --> R176_2["GET /register/validate/{field}"]
  API --> R177["/register_form"]
  R177 --> R177_0["GET /register_form"]
  R177 --> R177_1["POST /register_form"]
  API --> R178["/register_result"]
  R178 --> R178_0["GET /register_result"]
  API --> R179["/email_certify"]
  R179 --> R179_0["GET /email_certify/update/{mb_id}/{key}"]
  R179 --> R179_1["POST /email_certify/update/{mb_id}/{key}"]
  R179 --> R179_2["GET /email_certify/{mb_id}"]
  API --> R180["/scrap_popin"]
  R180 --> R180_0["GET /scrap_popin/{bo_table}/{wr_id}"]
  API --> R181["/scrap_popin_update"]
  R181 --> R181_0["POST /scrap_popin_update/{bo_table}/{wr_id}"]
  API --> R182["/scrap"]
  R182 --> R182_0["GET /scrap"]
  API --> R183["/scrap_delete"]
  R183 --> R183_0["GET /scrap_delete/{ms_id}"]
  API --> R184["/social"]
  R184 --> R184_0["GET /social/login"]
  R184 --> R184_1["GET /social/login/callback"]
  R184 --> R184_2["GET /social/register"]
  R184 --> R184_3["POST /social/register"]
  API --> R185["/upload"]
  R185 --> R185_0["POST /upload"]
  API --> R186["/generate_token"]
  R186 --> R186_0["POST /generate_token"]
  API --> R187["/device"]
  R187 --> R187_0["GET /device/change/{device}"]

내 코드 이슈 (13건)

직접 작성/수정한 코드에서 발견된 이슈입니다 — 코드 수정으로 해결합니다.

HIGH11
#1HIGHinjectionsql-injectionadmin/admin_boardgroupmember.py:48

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(getattr(GroupMember, sfl).like(f"%{stx}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#2HIGHinjectionsql-injectionadmin/admin_mail.py:271

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(Member.mb_email.like(f"%{mb_email}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#3HIGHinjectionsql-injectionadmin/admin_theme.py:119

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

theme_path.insert(0, f"{TEMPLATES}/{select_theme}")

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#4HIGHinjectionsql-injectionadmin/admin_visit.py:54

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(cast(getattr(Visit, sfl), String).like(f"{stx}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#5HIGHinjectionsql-injectionadmin/admin_visit.py:56

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(getattr(Visit, sfl).like(f"%{stx}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#6HIGHinjectionsql-injectionlib/board_lib.py:610

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(write_model.wr_reply.like(f"{origin_reply}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#7HIGHinjectionsql-injectionlib/board_lib.py:622

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(write_model.wr_comment_reply.like(f"{origin_reply}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#8HIGHinjectionsql-injectionservice/board/read_post.py:268

SQL 문자열이 연결/보간으로 만들어지는 것으로 보입니다.

query = query.where(getattr(self.write_model, sfl).like(f"%{stx}%"))

문자열로 SQL을 조립하지 말고 파라미터화된 쿼리 또는 바인딩 파라미터를 지원하는 ORM을 사용하세요.

#9HIGHllmllm:Unsafe Deserialization / Code Injectionstatic/plugin/editor/ckeditor4/plugins/uploadimage/plugin.js:105

JSON.parse()가 검증 없이 서버 응답에 직접 적용됩니다. 악의적인 응답이나 MITM 공격 시 프로토타입 오염 또는 임의 코드 실행이 가능합니다.

(LLM review)

JSON.parse() 결과를 엄격히 검증하고, 서버 응답 구조를 화이트리스트로 제한하세요. 또는 안전한 JSON 파싱 라이브러리를 사용하세요.

#10HIGHllmllm:Insecure File Upload / Path Traversalstatic/plugin/editor/ckeditor4/plugins/uploadimage/plugin.js:118

업로드된 파일의 URL(res.url)이 검증 없이 img src에 설정됩니다. 서버에서 반환된 경로가 조작된 경우 SSRF 또는 악의적 콘텐츠 로드가 가능합니다.

(LLM review)

서버에서 반환된 URL을 화이트리스트 도메인으로 검증하거나 상대 경로만 허용하세요. 절대 경로는 Origin 검증을 수행하세요.

#11HIGHllmllm:Missing CSRF Protectionstatic/plugin/editor/ckeditor4/plugins/uploadimage/plugin.js:35

fileTools.getUploadUrl()로 얻은 업로드 URL에 CSRF 토큰이 포함되는지 확인할 수 없습니다. 설정된 uploadUrl이 CSRF 보호 없이 요청될 수 있습니다.

(LLM review)

Django의 CSRF 미들웨어와 통합되어 있는지 확인하세요. POST 요청에 csrftoken을 포함하고, 서버에서 CSRF 검증을 수행하세요.

MEDIUM2
#12MEDIUMllmllm:DOM-based XSSstatic/plugin/editor/ckeditor4/plugins/uploadimage/plugin.js:118

res.url 값이 동적으로 HTML 문자열에 삽입됩니다('src="' + res.url + '"'). 서버가 악의적 문자열(예: javascript: URI)을 반환하면 XSS 가능성이 있습니다.

(LLM review)

이미지 URL을 DOM API(setAttribute, src 직접 설정)로 안전하게 설정하고, 프로토콜을 http/https로만 제한하세요.

#13MEDIUMllmllm:Information Disclosurestatic/plugin/editor/ckeditor4/plugins/uploadimage/plugin.js:105

JSON.parse(xhr.responseText) 실패 시 예외 처리가 없어 브라우저 콘솔에 민감한 정보가 노출될 수 있습니다.

(LLM review)

try-catch 블록으로 JSON 파싱을 감싸고, 에러를 안전하게 처리하세요.

내 저장소도 이렇게 스캔해 보세요

가입 없이 첫 스캔은 무료입니다.

지금 스캔하기