Upgrade to Pro — share decks privately, control downloads, hide ads and more …

その正規表現、異議あり! 〜 ReDoSについて

Avatar for Shu OGAWARA Shu OGAWARA
April 24, 2019
Technology
2
6.2k

その正規表現、異議あり! 〜 ReDoSについて

2019/04/24の銀座Rails#8での発表資料です。
スライド中で紹介している拙作gemはこちら https://github.com/expajp/reredos

Avatar for Shu OGAWARA

Shu OGAWARA

April 24, 2019
Tweet

More Decks by Shu OGAWARA

See All by Shu OGAWARA
あなたの知らないDateのひみつ / The Secret of "Date" You Haven't known #tqrk16
Avatar for Shu OGAWARA expajp
0
140
入門 FormObject / An Introduction to FormObject #kaigionrails
Avatar for Shu OGAWARA expajp
2
5.7k
あなたの「仮説検証」、ゆがんでいませんか? / Isn't Your "Hypothesis Verification" Distorted? #emoasis
Avatar for Shu OGAWARA expajp
2
450
Rubyはなぜ「たのしい」のか? / Why is Ruby a programmers' best friend? #tqrk15
Avatar for Shu OGAWARA expajp
5
2.1k
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
Avatar for Shu OGAWARA expajp
9
5.6k
RubyKaigi参加歴をふりかえる / Looking Back on My RubyKaigi Participation History #kaigieffectLT
Avatar for Shu OGAWARA expajp
3
560
わたしのメタ学習 / My Own Meta Learning #shinjukurb
Avatar for Shu OGAWARA expajp
0
500
ActiveSupport::Concernで開くメタプログラミングの扉 #heiseirubykaigi / The door of meta-programing is opened by ActiveSupport::Concern
Avatar for Shu OGAWARA expajp
1
2.4k
実践Railsアプリケーション設計 #meetup_rails / Practical Rails Application Design
Avatar for Shu OGAWARA expajp
4
40k

Other Decks in Technology

See All in Technology
Cosmos World Foundation Model Platform for Physical AI
Avatar for Takuya MINAGAWA takmin
0
980
Cloud Runでコロプラが挑む 生成AI×ゲーム『神魔狩りのツクヨミ』の裏側
Avatar for COLOPL Inc. colopl
0
150
(技術的には)社内システムもOKなブラウザエージェントを作ってみた!
Avatar for Har1101 har1101
0
330
量子クラウドサービスの裏側 〜Deep Dive into OQTOPUS〜
Avatar for OQTOPUS oqtopus
0
150
Context Engineeringが企業で不可欠になる理由
Avatar for Hirosato Gamo hirosatogamo
PRO
3
680
配列に見る bash と zsh の違い
Avatar for kazzpapa3 kazzpapa3
3
170
Greatest Disaster Hits in Web Performance
Avatar for Estela Franco guaca
0
300
Agent Skils
Avatar for ディップ株式会社 dip_tech
PRO
0
140
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
3
1.1k
プロポーザルに込める段取り八分
Avatar for ShoheiMitani shoheimitani
1
670
Context Engineeringの取り組み
Avatar for nutslove nutslove
0
380
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
Avatar for Masataka Tsukamoto tsukaman
1
170

Featured

See All Featured
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
120
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
7k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.6k
Getting science done with accelerated Python computing platforms
Avatar for Jacob Tomlinson jacobtomlinson
2
120
So, you think you're a good person
Avatar for Per Axbom axbom
PRO
2
1.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.3k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.9k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.5k
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
170
Designing for Timeless Needs
Avatar for Cassini Nazir cassininazir
0
130
Visualization
Avatar for Eitan Lees eitanlees
150
17k

Transcript

  1. ͦͷਖ਼نදݱɺҟٞ͋Γʂ ʙ ReDoSʹ͍ͭͯ Shu OGAWARA(@expajp) 2019/04/24 ۜ࠲Rails #8

  2. ਖ਼نදݱ࢖ͬͯ·͔͢ʁ

  3. ϝΞυͷόϦσʔγϣϯʹ ਖ਼نදݱΛ࢖͍ͬͯΔਓ

  4. ͦΕ͸΋͔ͯ͜͠͠ΜͳͷͰ͸ʁ 2019/04/24 4

  5. ໰୊ͳͦ͞͏ 2019/04/24 5

  6. ग़యɿχίχɾίϞϯζ http://commons.nicovideo.jp/material/nc38409

  7. ͜ͷਖ਼نදݱʹ͸ɺ ੬ऑੑ͕͋Δ

  8. ࣮ࡍʹ͝ཡ͍ͩ͘͞

  9. ςετεΫϦϓτ 2019/04/24 9 ग़యɿਖ਼نදݱͰͷϝʔϧΞυϨενΣοΫ͸ݟ௚͢΂͖ – ReDoS – yohgaki's blog https://blog.ohgaki.net/redos-must-review-mail-address-validation

  10. ࣮ߦ݁Ռ 2019/04/24 10

  11. ݪҼ • ਖ਼نදݱΤϯδϯʹѱຐͷূ໌Λ΍Β͍ͤͯΔ • ʮ೚ҙ௕ͷจࣈྻʯදݱ͕ଓ͘ͱ ੾Ε໨͕Θ͔Βͳ͍ͷͰɺશύλʔϯΛௐ΂Δ – શύλʔϯΛௐ΂ͳ͍ͱ Ϛον͠ͳ͍͜ͱ͸֬ఆͰ͖ͳ͍ –

    ૊Έ߹Θ͕ͤരൃ͍ͯ͠Δ 2019/04/24 11

  12. ࣮ࡍʹ૊Έ߹Θ͕ͤ രൃ͍ͯ͠Δ༷ࢠΛ ͝ཡ͍ͩ͘͞

  13. ؆୯ͷͨΊ • ݟͤΔͷ͸͜ͷ෦෼ͷνΣοΫͷΈ 2019/04/24 13

  14. ૊Έ߹Θͤരൃ • host. ·ͰϚονͯ͠ɺ࣍ 2019/04/24 14

  15. ૊Έ߹Θͤരൃ • . (υοτ) ·ͰϚον͕ͨ͠ 2019/04/24 15

  16. ૊Έ߹Θͤരൃ • ͦͷޙΖ͕ҧ͏ͷͰ໭Δ 2019/04/24 16

  17. ૊Έ߹Θͤരൃ • ΍ͬͺΓҧ͏ͷͰ1ͭ໭ΔɺΛ܁Γฦ͠ 2019/04/24 17

  18. ૊Έ߹Θͤരൃ • ͜͜·Ͱ໭Δ 2019/04/24 18

  19. ૊Έ߹Θͤരൃ • ࠷ޙ·Ͱ໭ͬͯ΋ɺ΍ͬͺΓϚον͠ͳ͍ 2019/04/24 19

  20. ૊Έ߹Θͤരൃ • * Λ0ճͱղऍͯ࣍͠Λௐ΂Δ 2019/04/24 20

  21. ૊Έ߹Θͤരൃ • ΍ͬͺΓϚον͠ͳ͍ͷͰ1ͭͣͭޙΖʹ 2019/04/24 21

  22. ૊Έ߹Θͤരൃ • 1ݸͣͭ໭ͬͯ΍ͬͱϚον͠ͳ͍ͷ͕֬ఆ 2019/04/24 22

  23. ͜Ε͕ԿΛҙຯ͢Δ͔ʁ

  24. ԿΛҙຯ͢Δ͔ • ௚લ·ͰҰகͯ͠ɺ ࠷ޙͷ1จࣈ͚ͩϚον͠ͳ͍จࣈྻΛ ϝʔϧΞυϨεཝʹ์ΓࠐΉ͚ͩͰ DoS߈ܸ͕Ͱ͖Δ 2019/04/24 24

  25. DoS߈ܸ • Ϧιʔεʹҙਤతʹա৒ͳෛՙΛ͔͚ͨΓ ੬ऑੑΛ͍ͭͨΓ͢ΔࣄͰ αʔϏεΛ๦֐͢Δ߈ܸख๏ͷ͜ͱ – F5ΞλοΫͱ͔ • ਖ਼نදݱΛ࢖ͬͨDoS͸ReDoSͱݺ͹ΕΔ 2019/04/24

    25

  26. ͞Βʹ൵͍͜͠ͱʹɺ ϝΞυͷ௕͞Ͱ஄͚ͳ͍

  27. ࣮ߦ݁Ռ 2019/04/24 27

  28. ϝʔϧΞυϨεͷఆٛ • RFC1035, 5321ΑΓ – ϝʔϧΞυϨεશମ͸256จࣈҎ಺ – Ϣʔβ໊ʢ@ͷલʣ͸64จࣈҎ಺ – υϝΠϯ͸255จࣈҎ಺

    – υϝΠϯͷϥϕϧ͸63จࣈҎ಺ • test.example.com <- ྫ͑͹͜͜ – ଞɺ࢖͑Δจࣈ΋ܾ·͍ͬͯΔ 2019/04/24 28

  29. Ͳ͏͢Ε͹Α͍ͷ͔ʁ

  30. จࣈྻΛ۠੾ͬͯ୹͘͠ γϯϓϧͳਖ਼نදݱͰ൑ఆ

  31. ͱ͸͍͑ɺ ͍͍࣮ͪͪ૷͢Δͷ͸໘౗

  32. ͱ͍͏Θ͚Ͱ (FNΛ࡞Γ·ͨ͠

  33. reredos 2019/04/24 33

  34. reredos • ReDoSʹڧ͍ϝΞυͷόϦσʔγϣϯΛߦ͍ɺ true/false Ͱฦ͢γϯϓϧͳgem • ࠓޙͷ༧ఆ – ଘࡏ͠ͳ͍TLDΛ஄͘ –

    URLʹରԠ͢Δ • PR͓଴ͪͯ͠·͢ 2019/04/24 34

  35. ·ͱΊ • ਖ਼نදݱͰDoS߈ܸΛ͔͚Δख๏͕͋Δ – ReDoSͱ͍͏ • ෳࡶͳਖ਼نදݱ͸ආ͚Δ΂͖ – ࢓༷ΛͪΌΜͱಡΜͰɺ୹͍୯ҐͰνΣοΫΛ͢ Δ͜ͱΛ৺͕͚Α͏

    • ϝΞυͰόϦσʔγϣϯ͔͚ΔgemΛ࡞ͬͨ 2019/04/24 35

  36. ฏ੒͕ऴΘΔલʹରԠ͠Α͏

  37. ࣗݾ঺հ • Shu OGAWARA (@expajp ) – ϦϯΧʔζגࣜձࣾ – Ruby/Railsྺ2೥ऑ

    – ग़਎͸ௗऔɺେֶ͸ਆށ – झຯ͸ΫϥγοΫܥͷ߹এ 2019/04/24 37