reading rails security guide


A talk about reading https://railsguides.jp/security.html (the Japanese translation of the Rails Security Guide).
It picks out a few items from the security guide and walks through them.
Presented at https://tokyurubykaigi.github.io/tokyu12/.


Hazumi Ichijo

July 29, 2018

Transcript

  1. ©2018 Wantedly, Inc. Re-reading the Rails Security Guide. 29 July 2018 - Hazumi Ichijo (@rerost)

     A new-grad engineer reads it again.
  2. About me: Hazumi Ichijo (Twitter: @hazumirr, GitHub: @rerost). Web Application Engineer: Rails, React, …

     Kushiro KOSEN -> University of Tsukuba -> Wantedly
  3. https://railsguides.jp/security.html

  4. Rails Security Guide
     1. Things to watch for in day-to-day coding: redirects, regular expressions, missing nil checks, XSS, etc.
     2. Things to prevent up front: session fixation, CSRF, etc.
  5. Rails Security Guide (same agenda): today's talk covers part 1, the day-to-day items.
  6. This code has a problem!
         def legacy
           redirect_to(params.update(action: 'main'))
         end
     https://railsguides.jp/security.html#リダイレクト

  7. Redirects
         def legacy
           redirect_to(params.update(action: 'main'))
         end
     http://www.example.com/site/legacy?param1=xy&param2=23&host=www.attacker.com

     https://railsguides.jp/security.html#リダイレクト
  8. Redirects (same code): because the whole params hash, including a user-supplied host, is passed to redirect_to, it allows a redirect to an arbitrary host.
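One way to close the open redirect from slides 6-8 without relying on Rails: keep user input out of the host and scheme entirely. The following is an added example written for this page, not code from the talk or from Rails. It assumes a constructed allowlist of hosts (ALLOWED_REDIRECT_HOSTS) and rebuilds the slide's legacy action so that only param1 and param2 are forwarded; the function names are hypothetical.

```ruby
require "uri"

# Constructed allowlist: the only hosts this app will redirect to (assumption
# for this example; a real app would load it from configuration).
ALLOWED_REDIRECT_HOSTS = %w[www.example.com example.com].freeze
FALLBACK_PATH = "/".freeze

# Return a redirect target that stays on our site: a same-site path is passed
# through, an absolute http(s) URL is allowed only for allowlisted hosts, and
# anything else (other hosts, javascript:, protocol-relative //host,
# user@host tricks) falls back to FALLBACK_PATH.
def safe_redirect_target(candidate)
  return FALLBACK_PATH if candidate.nil? || candidate.strip.empty?

  value = candidate.strip
  uri = URI.parse(value)

  if uri.scheme.nil? && uri.host.nil?
    # Relative reference: accept only a single leading "/" (not "//host",
    # which browsers treat as protocol-relative and send elsewhere).
    return value if value.start_with?("/") && !value.start_with?("//")
    return FALLBACK_PATH
  end

  return FALLBACK_PATH unless %w[http https].include?(uri.scheme)
  return FALLBACK_PATH if uri.host.nil? || !ALLOWED_REDIRECT_HOSTS.include?(uri.host.downcase)

  value
rescue URI::InvalidURIError
  FALLBACK_PATH
end

# The slide's legacy action rebuilt without handing the whole params hash to
# url_for: only the two parameters we mean to forward are copied, so a "host"
# (or "protocol", "port") key in the query string is simply dropped.
FORWARDED_LEGACY_PARAMS = %w[param1 param2].freeze

def legacy_redirect_target(params)
  forwarded = params.select { |key, _| FORWARDED_LEGACY_PARAMS.include?(key.to_s) }
  query = URI.encode_www_form(forwarded)
  query.empty? ? "/site/main" : "/site/main?#{query}"
end

if __FILE__ == $PROGRAM_NAME
  puts legacy_redirect_target("param1" => "xy", "param2" => "23", "host" => "www.attacker.com")
  puts safe_redirect_target("//www.attacker.com")
end
```

Inside Rails the same idea is expressed by passing `only_path: true` to `url_for`/`redirect_to`, or by redirecting to a named route with explicit arguments instead of the raw params hash.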

  9. This code has a problem!
         def url?(url)
           !url.match(/^https?:\/\/[^\n]+$/i).nil?
         end
     https://railsguides.jp/security.html#正規表現

  10. Regular expressions
         def url?(url)
           !url.match(/^https?:\/\/[^\n]+$/i).nil?
         end
         irb(main):004:0> url?("https://example.com")
         => true
         irb(main):005:0> url?("
         irb(main):006:1" hogehoge
         irb(main):007:1" https://example.com
         irb(main):008:1" ")
         => true
     https://railsguides.jp/security.html#正規表現
  11. Regular expressions
         def url?(url)
           !url.match(/\Ahttps?:\/\/[^\n]+\z/i).nil?
         end
     https://railsguides.jp/security.html#正規表現

     ^ and $ are dangerous depending on the situation: in Ruby they match at line boundaries, not string boundaries.
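To see the difference between the two anchors from slides 9-11 side by side, here is an added example (not code from the talk) that runs both versions of the check over constructed inputs, including the multi-line string from the irb session. The helper anchor_audit and the SAMPLE_INPUTS list are assumptions introduced for this example.

```ruby
# The slide's original check: in Ruby, ^ and $ match at the start and end of
# any LINE, so a multi-line value passes as long as one line looks like a URL.
def url_line_anchored?(url)
  !url.match(/^https?:\/\/[^\n]+$/i).nil?
end

# The slide's fix: \A and \z anchor to the start and end of the whole STRING,
# so the entire value has to be a single URL.
def url_string_anchored?(url)
  !url.match(/\Ahttps?:\/\/[^\n]+\z/i).nil?
end

# Run both checks over a set of inputs and report what each one decided;
# useful when auditing an existing validator before swapping the anchors.
def anchor_audit(inputs)
  inputs.map do |input|
    {
      input: input,
      line_anchored: url_line_anchored?(input),
      string_anchored: url_string_anchored?(input)
    }
  end
end

# Constructed inputs (assumption): the slide's irb session plus a value whose
# first line is not a URL at all but whose second line is.
SAMPLE_INPUTS = [
  "https://example.com",
  "\nhogehoge\nhttps://example.com\n",
  "not a url\nhttps://example.com"
].freeze

if __FILE__ == $PROGRAM_NAME
  anchor_audit(SAMPLE_INPUTS).each { |row| puts row.inspect }
end
```

Only the first input is accepted by both checks; the other two are accepted by the ^/$ version and rejected by the \A/\z version, which is the behaviour the slide warns about.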
  12. This code has a problem!
         class UsersController < ApplicationController
           def activate
             user = User.find_by(activation_code: params[:code])
             user.activate
           end
         end
     https://railsguides.jp/security.html#ユーザー管理
  13. Missing nil check (same code), requested as
         http://localhost:3000/users/activate?code=
  14. Missing nil check: with http://localhost:3000/users/activate?code= the lookup runs
         SELECT * FROM users WHERE (users.activation_code IS NULL) LIMIT 1
     and returns the first user whose activation code is NULL, which is not the user the code was meant for.
     https://railsguides.jp/security.html#ユーザー管理
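The lookup from slides 12-14 can be reproduced without a database. The following added example (not the talk's code, and not ActiveRecord) uses a constructed in-memory users table in which an already-activated account has a NULL activation code, shows how the unchecked action picks that account up when the code is nil, and gives a hardened version that rejects blank codes and fails on a missing match. User, sample_users and the two activate_* functions are assumptions introduced here.

```ruby
# Constructed stand-in for the users table (assumption). A nil activation_code
# is exactly what an already-activated account looks like in the real table.
User = Struct.new(:id, :email, :activation_code, :active, keyword_init: true)

def sample_users
  [
    User.new(id: 1, email: "admin@example.com", activation_code: nil, active: true),
    User.new(id: 2, email: "new@example.com", activation_code: "abc123", active: false)
  ]
end

# Mirrors User.find_by(activation_code: code): a nil code is sent to the
# database as "activation_code IS NULL" and matches the first such row.
def find_by_activation_code(users, code)
  users.find { |u| u.activation_code == code }
end

# The slide's action as written: no check on the parameter, no check on the
# result. With code=nil it "activates" user 1 (the wrong account); with an
# unknown code it raises NoMethodError on nil.
def activate_unchecked(users, code)
  user = find_by_activation_code(users, code)
  user.active = true
  user
end

# Hardened version: refuse blank codes before querying at all, and treat
# "no match" as an error instead of operating on whatever came back.
def activate_checked(users, code)
  if code.nil? || code.strip.empty?
    raise ArgumentError, "activation code is required"
  end
  user = find_by_activation_code(users, code)
  raise KeyError, "no pending user for that code" if user.nil?
  user.active = true
  user.activation_code = nil # the code is single-use
  user
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, nil code -> user #{activate_unchecked(sample_users, nil).id}"
  puts "checked, valid code -> user #{activate_checked(sample_users, 'abc123').id}"
end
```

In a Rails controller the same two checks are `params.require(:code)` for the blank case and `User.find_by!(...)`, which raises ActiveRecord::RecordNotFound (rendered as a 404) when nothing matches.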
  15. This code has a problem!
         hoge.html.erb:  <%= user_name %>
         hoge.html.haml: = user_name
         hoge.js (_ = underscore.js): _.template(`<%= user_name %>`)
  16. Same code: the underscore.js template does not escape <%= %> (use <%- %>, which does).
  17. This code has a problem!
         ja.yml:
           ja:
             foo_html: "こんにちは<br />%{user_name}"
         hoge.html.haml: = t("foo_html", user_name: "<script>alert('XSS')</script>")
         hoge.js: I18n.t("foo_html", {user_name: "<script>alert('XSS')</script>"})
  18. XSS (i18n-js)
         ja.yml: foo_html: "こんにちは<br />%{user_name}"
         hoge.html.haml renders: こんにちは<br />&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
         hoge.js renders:        こんにちは<br /><script>alert('XSS')</script>
  19. XSS (i18n-js): Rails escapes interpolated values for _html keys, see https://railsguides.jp/i18n.html#安全なhtml変換

  20. XSS (i18n-js): i18n-js does not, see https://github.com/fnando/i18n-js/issues/485

  21. XSS (i18n-js): https://github.com/fnando/i18n-js/issues/485
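Slides 15-21 make two related points: a template tag that does not escape (underscore's <%= %>) and a translation helper that does not escape its interpolated values (i18n-js, per the slide and issue #485). Both can be reproduced in plain Ruby with the standard library, which is what the added example below does; it is not code from the talk, from Rails, or from i18n-js. It assumes a constructed translation table (TRANSLATIONS) with the slide's foo_html key, and the translate_* and render_erb_* functions are hypothetical names introduced here; translate_html reimplements the escaping rule the Rails guide describes for _html keys.

```ruby
require "erb"

# Constructed translation table with the same shape as the slide's ja.yml
# (assumption: a single "foo_html" key).
TRANSLATIONS = {
  "foo_html" => "こんにちは<br />%{user_name}"
}.freeze

# The slide's payload, used as a constructed user_name.
XSS_PAYLOAD = "<script>alert('XSS')</script>".freeze

# Plain interpolation: the template's own markup and every argument go to the
# page untouched. This is the i18n-js behaviour the slide shows for hoge.js.
def translate_unescaped(key, vars)
  TRANSLATIONS.fetch(key) % vars
end

# The rule Rails applies to a key ending in _html: the translation string is
# trusted markup, but each interpolated value is HTML-escaped first, so the
# <br /> survives while the <script> tag is neutralised.
def translate_html(key, vars)
  raise ArgumentError, "#{key} is not an _html key" unless key.end_with?("_html")
  escaped = vars.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  TRANSLATIONS.fetch(key) % escaped
end

# Template tags behave the same way: stdlib ERB's <%= %> does not escape (as
# with underscore.js's <%= %>), so escaping has to be explicit in the tag.
def render_erb_unescaped(user_name)
  ERB.new("<%= user_name %>").result_with_hash(user_name: user_name)
end

def render_erb_escaped(user_name)
  ERB.new("<%= ERB::Util.html_escape(user_name) %>").result_with_hash(user_name: user_name)
end

if __FILE__ == $PROGRAM_NAME
  puts "i18n-js style:  #{translate_unescaped('foo_html', user_name: XSS_PAYLOAD)}"
  puts "Rails _html:    #{translate_html('foo_html', user_name: XSS_PAYLOAD)}"
  puts "ERB <%= %>:     #{render_erb_unescaped(XSS_PAYLOAD)}"
  puts "ERB escaped:    #{render_erb_escaped(XSS_PAYLOAD)}"
end
```

The escaped translation matches the hoge.html.haml output on slide 18 (apostrophes become &#39;), and the unescaped one matches the hoge.js output. The practical rule for the client side is the same as for the server: escape every interpolated value and keep trusted markup only in the translation string itself.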

  22. Summary
     • Many of these are mistakes I could easily make myself.
     • Some of them are easy to forget, so I want to re-read the security guide regularly.