Upgrade to Pro — share decks privately, control downloads, hide ads and more …

その正規表現、異議あり! 〜 ReDoSについて

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Shu OGAWARA Shu OGAWARA
April 24, 2019
Technology
6.3k
2

その正規表現、異議あり! 〜 ReDoSについて

2019/04/24の銀座Rails#8での発表資料です。
スライド中で紹介している拙作gemはこちら https://github.com/expajp/reredos

Avatar for Shu OGAWARA

Shu OGAWARA

April 24, 2019

More Decks by Shu OGAWARA

See All by Shu OGAWARA
人生を変えた一冊「独学大全」のはなし / Self-study ENCYCLOPEDIA: The Book Which Change My Life #独学大全 #EM推し本
Avatar for Shu OGAWARA expajp
0
140
あなたの知らないDateのひみつ / The Secret of "Date" You Haven't known #tqrk16
Avatar for Shu OGAWARA expajp
0
150
入門 FormObject / An Introduction to FormObject #kaigionrails
Avatar for Shu OGAWARA expajp
2
6.5k
あなたの「仮説検証」、ゆがんでいませんか? / Isn't Your "Hypothesis Verification" Distorted? #emoasis
Avatar for Shu OGAWARA expajp
2
540
Rubyはなぜ「たのしい」のか? / Why is Ruby a programmers' best friend? #tqrk15
Avatar for Shu OGAWARA expajp
5
2.1k
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
Avatar for Shu OGAWARA expajp
9
5.7k
RubyKaigi参加歴をふりかえる / Looking Back on My RubyKaigi Participation History #kaigieffectLT
Avatar for Shu OGAWARA expajp
3
610
わたしのメタ学習 / My Own Meta Learning #shinjukurb
Avatar for Shu OGAWARA expajp
0
510
ActiveSupport::Concernで開くメタプログラミングの扉 #heiseirubykaigi / The door of meta-programing is opened by ActiveSupport::Concern
Avatar for Shu OGAWARA expajp
1
2.4k

Other Decks in Technology

See All in Technology
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
16
410k
OpenClaw初心者向けセミナー / OpenClaw Beginner Seminar
Avatar for hiranofumio cmhiranofumio
0
310
スクラムを支える内部品質の話
Avatar for IIJ_PR iij_pr
0
260
GitHub Advanced Security × Defender for Cloudで開発とSecOpsのサイロを超える: コードとクラウドをつなぐ、開発プラットフォームのセキュリティ
Avatar for yuriemori yuriemori
1
130
バックオフィスPJのPjMをコーポレートITが担うとうまくいく3つの理由
Avatar for chama yueda256
1
270
15年メンテしてきたdotfilesから開発トレンドを振り返る 2011 - 2026
Avatar for giginet giginet
PRO
2
280
20260326_AIDD事例紹介_ULSC.pdf
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
0
520
マルチモーダル非構造データとの闘い
Avatar for shibuiwilliam shibuiwilliam
1
180
Embeddings : Symfony AI en pratique
Avatar for Grégoire Pineau lyrixx
0
460
Microsoft Fabricで考える非構造データのAI活用
Avatar for Ryoma Nagata ryomaru0825
0
650
Tour of Agent Protocols: MCP, A2A, AG-UI, A2UI with ADK
Avatar for Mete Atamel meteatamel
0
200
レガシーシステムをどう次世代に受け継ぐか
Avatar for 立入 tachiiri
0
260

Featured

See All Featured
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
Avatar for Helen Beal helenjbeal
1
160
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
150k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
183
10k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
160
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
21k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
82
6.2k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
420
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
64
54k

Transcript

  1. ͦͷਖ਼نදݱɺҟٞ͋Γʂ ʙ ReDoSʹ͍ͭͯ Shu OGAWARA(@expajp) 2019/04/24 ۜ࠲Rails #8

  2. ਖ਼نදݱ࢖ͬͯ·͔͢ʁ

  3. ϝΞυͷόϦσʔγϣϯʹ ਖ਼نදݱΛ࢖͍ͬͯΔਓ

  4. ͦΕ͸΋͔ͯ͜͠͠ΜͳͷͰ͸ʁ 2019/04/24 4

  5. ໰୊ͳͦ͞͏ 2019/04/24 5

  6. ग़యɿχίχɾίϞϯζ http://commons.nicovideo.jp/material/nc38409

  7. ͜ͷਖ਼نදݱʹ͸ɺ ੬ऑੑ͕͋Δ

  8. ࣮ࡍʹ͝ཡ͍ͩ͘͞

  9. ςετεΫϦϓτ 2019/04/24 9 ग़యɿਖ਼نදݱͰͷϝʔϧΞυϨενΣοΫ͸ݟ௚͢΂͖ – ReDoS – yohgaki's blog https://blog.ohgaki.net/redos-must-review-mail-address-validation

  10. ࣮ߦ݁Ռ 2019/04/24 10

  11. ݪҼ • ਖ਼نදݱΤϯδϯʹѱຐͷূ໌Λ΍Β͍ͤͯΔ • ʮ೚ҙ௕ͷจࣈྻʯදݱ͕ଓ͘ͱ ੾Ε໨͕Θ͔Βͳ͍ͷͰɺશύλʔϯΛௐ΂Δ – શύλʔϯΛௐ΂ͳ͍ͱ Ϛον͠ͳ͍͜ͱ͸֬ఆͰ͖ͳ͍ –

    ૊Έ߹Θ͕ͤരൃ͍ͯ͠Δ 2019/04/24 11

  12. ࣮ࡍʹ૊Έ߹Θ͕ͤ രൃ͍ͯ͠Δ༷ࢠΛ ͝ཡ͍ͩ͘͞

  13. ؆୯ͷͨΊ • ݟͤΔͷ͸͜ͷ෦෼ͷνΣοΫͷΈ 2019/04/24 13

  14. ૊Έ߹Θͤരൃ • host. ·ͰϚονͯ͠ɺ࣍ 2019/04/24 14

  15. ૊Έ߹Θͤരൃ • . (υοτ) ·ͰϚον͕ͨ͠ 2019/04/24 15

  16. ૊Έ߹Θͤരൃ • ͦͷޙΖ͕ҧ͏ͷͰ໭Δ 2019/04/24 16

  17. ૊Έ߹Θͤരൃ • ΍ͬͺΓҧ͏ͷͰ1ͭ໭ΔɺΛ܁Γฦ͠ 2019/04/24 17

  18. ૊Έ߹Θͤരൃ • ͜͜·Ͱ໭Δ 2019/04/24 18

  19. ૊Έ߹Θͤരൃ • ࠷ޙ·Ͱ໭ͬͯ΋ɺ΍ͬͺΓϚον͠ͳ͍ 2019/04/24 19

  20. ૊Έ߹Θͤരൃ • * Λ0ճͱղऍͯ࣍͠Λௐ΂Δ 2019/04/24 20

  21. ૊Έ߹Θͤരൃ • ΍ͬͺΓϚον͠ͳ͍ͷͰ1ͭͣͭޙΖʹ 2019/04/24 21

  22. ૊Έ߹Θͤരൃ • 1ݸͣͭ໭ͬͯ΍ͬͱϚον͠ͳ͍ͷ͕֬ఆ 2019/04/24 22

  23. ͜Ε͕ԿΛҙຯ͢Δ͔ʁ

  24. ԿΛҙຯ͢Δ͔ • ௚લ·ͰҰகͯ͠ɺ ࠷ޙͷ1จࣈ͚ͩϚον͠ͳ͍จࣈྻΛ ϝʔϧΞυϨεཝʹ์ΓࠐΉ͚ͩͰ DoS߈ܸ͕Ͱ͖Δ 2019/04/24 24

  25. DoS߈ܸ • Ϧιʔεʹҙਤతʹա৒ͳෛՙΛ͔͚ͨΓ ੬ऑੑΛ͍ͭͨΓ͢ΔࣄͰ αʔϏεΛ๦֐͢Δ߈ܸख๏ͷ͜ͱ – F5ΞλοΫͱ͔ • ਖ਼نදݱΛ࢖ͬͨDoS͸ReDoSͱݺ͹ΕΔ 2019/04/24

    25

  26. ͞Βʹ൵͍͜͠ͱʹɺ ϝΞυͷ௕͞Ͱ஄͚ͳ͍

  27. ࣮ߦ݁Ռ 2019/04/24 27

  28. ϝʔϧΞυϨεͷఆٛ • RFC1035, 5321ΑΓ – ϝʔϧΞυϨεશମ͸256จࣈҎ಺ – Ϣʔβ໊ʢ@ͷલʣ͸64จࣈҎ಺ – υϝΠϯ͸255จࣈҎ಺

    – υϝΠϯͷϥϕϧ͸63จࣈҎ಺ • test.example.com <- ྫ͑͹͜͜ – ଞɺ࢖͑Δจࣈ΋ܾ·͍ͬͯΔ 2019/04/24 28

  29. Ͳ͏͢Ε͹Α͍ͷ͔ʁ

  30. จࣈྻΛ۠੾ͬͯ୹͘͠ γϯϓϧͳਖ਼نදݱͰ൑ఆ

  31. ͱ͸͍͑ɺ ͍͍࣮ͪͪ૷͢Δͷ͸໘౗

  32. ͱ͍͏Θ͚Ͱ (FNΛ࡞Γ·ͨ͠

  33. reredos 2019/04/24 33

  34. reredos • ReDoSʹڧ͍ϝΞυͷόϦσʔγϣϯΛߦ͍ɺ true/false Ͱฦ͢γϯϓϧͳgem • ࠓޙͷ༧ఆ – ଘࡏ͠ͳ͍TLDΛ஄͘ –

    URLʹରԠ͢Δ • PR͓଴ͪͯ͠·͢ 2019/04/24 34

  35. ·ͱΊ • ਖ਼نදݱͰDoS߈ܸΛ͔͚Δख๏͕͋Δ – ReDoSͱ͍͏ • ෳࡶͳਖ਼نදݱ͸ආ͚Δ΂͖ – ࢓༷ΛͪΌΜͱಡΜͰɺ୹͍୯ҐͰνΣοΫΛ͢ Δ͜ͱΛ৺͕͚Α͏

    • ϝΞυͰόϦσʔγϣϯ͔͚ΔgemΛ࡞ͬͨ 2019/04/24 35

  36. ฏ੒͕ऴΘΔલʹରԠ͠Α͏

  37. ࣗݾ঺հ • Shu OGAWARA (@expajp ) – ϦϯΧʔζגࣜձࣾ – Ruby/Railsྺ2೥ऑ

    – ग़਎͸ௗऔɺେֶ͸ਆށ – झຯ͸ΫϥγοΫܥͷ߹এ 2019/04/24 37