reading rails security guide

Transcript

1. ©2018 Wantedly, Inc. RailsηΩϡϦςΟΨΠυΛ վΊͯಡΜͰΈͨ 29.July.2018 - Hazumi Ichijo (@rerost)

   ৽ଔΤϯδχΞ͕վΊͯಡΜͰΈͯ

2. ©2018 Wantedly, Inc. ࣗݾ঺հ Ұᑍ୺੅ (Twitter: @hazumirr, Github: @rerost) Web

   Application Engineer Rails, React, … ۴࿏ߴઐ -> ஜ೾େֶ -> Wantedly

3. ©2018 Wantedly, Inc. Page Subtitle https://railsguides.jp/security.html

4. ©2018 Wantedly, Inc. 1. ීஈ͔ΒؾΛ͚͍ͭͨ͜ͱ • ϦμΠϨΫτ • ਖ਼نදݱ •

   nilνΣοΫෆ଍ • XSS ͳͲ 2. ࣄલʹ๷͍Ͱ͓͖͍ͨ෦෼ • ηογϣϯݻఆ߈ܸ • CSRF ͳͲ RailsηΩϡϦςΟΨΠυ

5. ©2018 Wantedly, Inc. 1. ීஈ͔ΒؾΛ͚͍ͭͨ͜ͱ • ϦμΠϨΫτ • ਖ਼نදݱ •

   nilνΣοΫෆ଍ • XSS ͳͲ 2. ࣄલʹ๷͍Ͱ͓͖͍ͨ෦෼ • ηογϣϯݻఆ߈ܸ • CSRF ͳͲ RailsηΩϡϦςΟΨΠυ ࠓ೔͸ͬͪ͜

6. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ def legacy redirect_to(params.update(action:'main')) end https://railsguides.jp/security.html#ϦμΠϨΫτ

7. ©2018 Wantedly, Inc. ϦμΠϨΫτ def legacy redirect_to(params.update(action:'main')) end http://www.example.com/site/legacy? param1=xy&param2=23&host=www.attacker.com

   https://railsguides.jp/security.html#ϦμΠϨΫτ

8. ©2018 Wantedly, Inc. ϦμΠϨΫτ def legacy redirect_to(params.update(action:'main')) end https://railsguides.jp/security.html#ϦμΠϨΫτ ࣗ༝ʹϦμΠϨΫτͰ͖ͯ͠·͏

9. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ def url?(url) !url.match(/^https?:\/\/[^\n]+$/i).nil? end https://railsguides.jp/security.html#ਖ਼نදݱ

10. ©2018 Wantedly, Inc. ਖ਼نදݱ def url?(url) !url.match(/^https?:\/\/[^\n]+$/i).nil? end irb(main):004:0> url?("https://example.com")

    => true irb(main):005:0> url?(" irb(main):006:1" hogehoge irb(main):007:1" https://example.com irb(main):008:1" ") => true https://railsguides.jp/security.html#ਖ਼نදݱ

11. ©2018 Wantedly, Inc. ਖ਼نදݱ def url?(url) !url.match(/\Ahttps?:\/\/[^\n]+\z/i).nil? end https://railsguides.jp/security.html#ਖ਼نදݱ ^,

    $͸৔߹ʹΑͬͯةݥ

12. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ class UsersController < ApplicationController def activate

    user = User.find_by(activation_code: params[:code]) user.activate end end https://railsguides.jp/security.html#Ϣʔβʔ؅ཧ

13. ©2018 Wantedly, Inc. nil νΣοΫෆ଍ class UsersController < ApplicationController def

    activate user = User.find_by(activation_code: params[:code]) user.activate end end http://localhost:3000/users/activate?code=

14. ©2018 Wantedly, Inc. nil νΣοΫෆ଍ http://localhost:3000/users/activate?code= class UsersController < ApplicationController

    def activate user = User.find_by(activation_code: params[:code]) user.activate end end SELECT * FROM users WHERE (users.activation_code IS NULL) LIMIT 1 https://railsguides.jp/security.html#Ϣʔβʔ؅ཧ

15. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ hoge.html.erb hoge.html.haml <%= user_name %> =

    user_name _.template(`\ <%= user_name %> `) hoge.js (_ = underscore.js)

16. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ hoge.html.erb hoge.html.haml <%= user_name %> =

    user_name _.template(`\ <%= user_name %> `) hoge.js (_ = underscore.js) Τεέʔϓͳ͠ʢ<%-͕ྑ͍ʣ

17. ©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ ja.yml hoge.html.haml hoge.js ja: foo_html: “͜Μʹͪ͸<br

    />%{user_name}“ = t(“foo_html", user_name: “<script>alert(‘XSS’)</script>”) I18n.t(“foo_html", {user_name: “<script>alert(‘XSS')</script>"})

18. ©2018 Wantedly, Inc. XSS(i18n-js) ja.yml hoge.html.haml hoge.js ͜Μʹͪ͸<br />&lt;script&gt;alert(‘XSS&#39;)&lt;/script&gt; ͜Μʹͪ͸<br

    /><script>alert('XSS')</script> ja: foo_html: “͜Μʹͪ͸<br />%{user_name}“

19. ©2018 Wantedly, Inc. XSS(i18n-js) https://railsguides.jp/i18n.html#҆શͳhtmlม׵

20. ©2018 Wantedly, Inc. XSS(i18n-js) https://github.com/fnando/i18n-js/issues/485

21. ©2018 Wantedly, Inc. XSS(i18n-js) https://github.com/fnando/i18n-js/issues/485

22. ©2018 Wantedly, Inc. •ࣗ෼͕΍Γ͔Ͷͳ͍෦෼͕ଟ͔ͬͨ •๨Ε͕ͪͳ͜ͱ͕͋ΔͷͰఆظతʹ
 ηΩϡϦςΟΨΠυΛಡΈ͍ͨ ·ͱΊ