Upgrade to Pro — share decks privately, control downloads, hide ads and more …

reading rails security guide

Hazumi Ichijo
July 29, 2018
Programming
0
410

reading rails security guide

https://railsguides.jp/security.html を読んでみた話です。
セキュリティガイドの中からピックアップして紹介します。
https://tokyurubykaigi.github.io/tokyu12/ で発表しました。

Hazumi Ichijo

July 29, 2018
Tweet

More Decks by Hazumi Ichijo

See All by Hazumi Ichijo
Rubyのコード削除したい時 僕がやること
hazumirr
0
160
テーブル駆動テストと状態
hazumirr
4
1.9k
オンラインテストしようと思った その日に開始できる環境を目指して
hazumirr
0
900
推薦によるプロダクト改善とマイクロサービスが噛み合った話
hazumirr
2
3.9k
ChatGPTで僕が知っていることまとめ
hazumirr
3
3k
プロダクトチームとどう 協業し分析環境を改善するか
hazumirr
2
1.4k
bqv速習会
hazumirr
6
6.6k
Protobuf on Rails Tips
hazumirr
1
910
Before Chaos Engineering
hazumirr
1
770

Other Decks in Programming

See All in Programming
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
890
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
220
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
190
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
100
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.4k
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
600
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
200

Featured

See All Featured
Designing for humans not robots
tammielis
250
25k
Typedesign – Prime Four
hannesfritz
40
2.4k
We Have a Design System, Now What?
morganepeng
50
7.2k
GraphQLとの向き合い方2022年版
quramy
43
13k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
It's Worth the Effort
3n
183
27k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Rails Girls Zürich Keynote
gr2m
94
13k

Transcript

  1. ©2018 Wantedly, Inc. RailsηΩϡϦςΟΨΠυΛ վΊͯಡΜͰΈͨ 29.July.2018 - Hazumi Ichijo (@rerost)

    ৽ଔΤϯδχΞ͕վΊͯಡΜͰΈͯ

  2. ©2018 Wantedly, Inc. ࣗݾ঺հ Ұᑍ୺੅ (Twitter: @hazumirr, Github: @rerost) Web

    Application Engineer Rails, React, … ۴࿏ߴઐ -> ஜ೾େֶ -> Wantedly

  3. ©2018 Wantedly, Inc. Page Subtitle https://railsguides.jp/security.html

  4. ©2018 Wantedly, Inc. 1. ීஈ͔ΒؾΛ͚͍ͭͨ͜ͱ • ϦμΠϨΫτ • ਖ਼نදݱ •

    nilνΣοΫෆ଍ • XSS ͳͲ 2. ࣄલʹ๷͍Ͱ͓͖͍ͨ෦෼ • ηογϣϯݻఆ߈ܸ • CSRF ͳͲ RailsηΩϡϦςΟΨΠυ

  5. ©2018 Wantedly, Inc. 1. ීஈ͔ΒؾΛ͚͍ͭͨ͜ͱ • ϦμΠϨΫτ • ਖ਼نදݱ •

    nilνΣοΫෆ଍ • XSS ͳͲ 2. ࣄલʹ๷͍Ͱ͓͖͍ͨ෦෼ • ηογϣϯݻఆ߈ܸ • CSRF ͳͲ RailsηΩϡϦςΟΨΠυ ࠓ೔͸ͬͪ͜

  6. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ def legacy redirect_to(params.update(action:'main')) end https://railsguides.jp/security.html#ϦμΠϨΫτ

  7. ©2018 Wantedly, Inc. ϦμΠϨΫτ def legacy redirect_to(params.update(action:'main')) end http://www.example.com/site/legacy? param1=xy&param2=23&host=www.attacker.com

    https://railsguides.jp/security.html#ϦμΠϨΫτ

  8. ©2018 Wantedly, Inc. ϦμΠϨΫτ def legacy redirect_to(params.update(action:'main')) end https://railsguides.jp/security.html#ϦμΠϨΫτ ࣗ༝ʹϦμΠϨΫτͰ͖ͯ͠·͏

  9. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ def url?(url) !url.match(/^https?:\/\/[^\n]+$/i).nil? end https://railsguides.jp/security.html#ਖ਼نදݱ

  10. ©2018 Wantedly, Inc. ਖ਼نදݱ def url?(url) !url.match(/^https?:\/\/[^\n]+$/i).nil? end irb(main):004:0> url?("https://example.com")

    => true irb(main):005:0> url?(" irb(main):006:1" hogehoge irb(main):007:1" https://example.com irb(main):008:1" ") => true https://railsguides.jp/security.html#ਖ਼نදݱ

  11. ©2018 Wantedly, Inc. ਖ਼نදݱ def url?(url) !url.match(/\Ahttps?:\/\/[^\n]+\z/i).nil? end https://railsguides.jp/security.html#ਖ਼نදݱ ^,

    $͸৔߹ʹΑͬͯةݥ

  12. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ class UsersController < ApplicationController def activate

    user = User.find_by(activation_code: params[:code]) user.activate end end https://railsguides.jp/security.html#Ϣʔβʔ؅ཧ

  13. ©2018 Wantedly, Inc. nil νΣοΫෆ଍ class UsersController < ApplicationController def

    activate user = User.find_by(activation_code: params[:code]) user.activate end end http://localhost:3000/users/activate?code=

  14. ©2018 Wantedly, Inc. nil νΣοΫෆ଍ http://localhost:3000/users/activate?code= class UsersController < ApplicationController

    def activate user = User.find_by(activation_code: params[:code]) user.activate end end SELECT * FROM users WHERE (users.activation_code IS NULL) LIMIT 1 https://railsguides.jp/security.html#Ϣʔβʔ؅ཧ

  15. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ hoge.html.erb hoge.html.haml <%= user_name %> =

    user_name _.template(`\ <%= user_name %> `) hoge.js (_ = underscore.js)

  16. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ hoge.html.erb hoge.html.haml <%= user_name %> =

    user_name _.template(`\ <%= user_name %> `) hoge.js (_ = underscore.js) Τεέʔϓͳ͠ʢ<%-͕ྑ͍ʣ

  17. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ ja.yml hoge.html.haml hoge.js ja: foo_html: “͜Μʹͪ͸<br

    />%{user_name}“ = t(“foo_html", user_name: “<script>alert(‘XSS’)</script>”) I18n.t(“foo_html", {user_name: “<script>alert(‘XSS')</script>"})

  18. ©2018 Wantedly, Inc. XSS(i18n-js) ja.yml hoge.html.haml hoge.js ͜Μʹͪ͸<br />&lt;script&gt;alert(‘XSS&#39;)&lt;/script&gt; ͜Μʹͪ͸<br

    /><script>alert('XSS')</script> ja: foo_html: “͜Μʹͪ͸<br />%{user_name}“

  19. ©2018 Wantedly, Inc. XSS(i18n-js) https://railsguides.jp/i18n.html#҆શͳhtmlม׵

  20. ©2018 Wantedly, Inc. XSS(i18n-js) https://github.com/fnando/i18n-js/issues/485

  21. ©2018 Wantedly, Inc. XSS(i18n-js) https://github.com/fnando/i18n-js/issues/485

  22. ©2018 Wantedly, Inc. •ࣗ෼͕΍Γ͔Ͷͳ͍෦෼͕ଟ͔ͬͨ •๨Ε͕ͪͳ͜ͱ͕͋ΔͷͰఆظతʹ
 ηΩϡϦςΟΨΠυΛಡΈ͍ͨ ·ͱΊ