不正クエリを検知するsqdを作った

Ec3fcf78fa2ad21dcc48478df80e0dc4?s=47 Komei Nomura
February 12, 2019
Technology
1
250

 不正クエリを検知するsqdを作った

Fukuoka.go#13+Okayama.go
https://fukuokago.connpass.com/event/112073/

Ec3fcf78fa2ad21dcc48478df80e0dc4?s=128

Komei Nomura

February 12, 2019
Tweet

More Decks by Komei Nomura

See All by Komei Nomura
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
0
3.2k
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
1
210
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
3
290
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
2
290
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
2
910
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
0
590
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
0
550
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
0
1k
Ec3fcf78fa2ad21dcc48478df80e0dc4?s=48 komei22
6
1.7k

Other Decks in Technology

See All in Technology
Cd891a89dfec6ca7bd278b5f5bd87c90?s=48 tzkoba
0
100
91e7aee9769836f448a9f1ce91255749?s=48 mathatelle
0
1.5k
E9e3472b8801ed21298ccefeecfaf429?s=48 takamichie
0
180
1817c3d5995710d04506a17cc9b5c9ba?s=48 runrunsan
1
210
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
180
13d936e697fe0f4fa96f926d0a712f6c?s=48 sansanbuildersbox
0
220
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.9k
8aba6de431668fc8d09977c0e33c63c1?s=48 jaguar_imo
4
1.1k
42ba906dc35ef460ffcb1b7c3307ef45?s=48 spring_raining
0
1.2k
C79a3191aa67cae35282fb129587696b?s=48 hendrikebbers
0
100
Cc8a208e174943d1da814783841abd50?s=48 shinodogg
0
180
14493d3489b1441918bfddfe298415d9?s=48 yanaga
0
330

Featured

See All Featured
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
1
360
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
154
6.3k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
257
24k
Ecdea9b9714877b86cee08458f085481?s=48 trallard
10
450
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
345
20k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
92
2.8k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
5
200
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
7
470
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
155
11k
245cee81a9c424266e5e401d844ea881?s=48 lara
13
2.4k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
331
29k

Transcript

  1. ໺ଜ޸໋ / Pepabo R&D Institute, GMO Pepabo, Inc. 2019.02.12 Fukuoka.go#13

    ෆਖ਼ΫΤϦΛݕ஌͢ΔsqdΛ࡞ͬͨ

  2. 2 ΤϯδχΞ ໺ଜ޸໋!,PNFJ (.0ϖύϘגࣜձࣾɹϖύϘݚڀॴ

  3. ෆਖ਼ΫΤϦΛݕ஌͢Δsqd

  4. ෆਖ਼ΫΤϦͬͯԿʁԿ͕໰୊ͳͷ͔ʁ

  5. • ෆਖ਼ΫΤϦͱ͸ʁ • WebΞϓϦέʔγϣϯͷ੬ऑੑΛར༻ͯ͠σʔλϕʔεʹൃߦ͞ΕΔΫΤϦ • SQLΠϯδΣΫγϣϯʹΑͬͯൃߦ͞ΕΔΫΤϦͳͲ • ෆਖ਼ΫΤϦ͸ԿΛҾ͖ى͜͢ʁ • σʔλϕʔε্ͷػີ৘ใͷ࿙Ӯ

    • σʔλϕʔεͷվ᜵ɾফڈ 5 ෆਖ਼ΫΤϦʹ͍ͭͯ ෆਖ਼ΫΤϦ͕ൃߦ͞Εͨ͜ͱΛݕ஌͍ͨ͠

  6. • sqd͸ɼϗϫΠτϦετϕʔεͰɼΫΤϦϩά͔Βෆਖ਼ΫΤϦΛݕ஌ 6 sqd TREIUUQTHJUIVCDPN,PNFJTRE 8FCΞϓϦέʔγϣϯͷ ΫΤϦϩά w ΫΤϦ" w

    ΫΤϦ# w ΫΤϦ$ TRE ϗϫΠτϦετ ΫΤϦΛϗϫΠτϦετͱর߹ ϗϫΠτϦετʹͳ͔ͬͨ ΫΤϦΛग़ྗ w ΫΤϦ" w ΫΤϦ# ΫΤϦ$

  7. 7 sqdʹΑΔෆਖ਼ΫΤϦݕ஌ $ cat whitelist SELECT * FROM users WHERE

    id = ? $ cat query.log | jq -r .query SELECT * FROM users WHERE id = 1 SELECT * FROM users WHERE id = 2 SELECT * FROM users DROP TABLE users ϗϫΠτϦετ ݕ஌ର৅ͷΫΤϦ܈ Ϧςϥϧ஋͸ϓϨʔεϗϧμʔʹ͢Δ $ cat query.log | jq -r .query | sqd -W whitelist SELECT * FROM users DROP TABLE users ݕ஌͞ΕͨΫΤϦ ϗϫΠτϦετϑΝΠϧΛࢦఆ ݕ஌ର৅ͷΫΤϦ܈Λೖྗ

  8. sqd͸ϗϫΠτϦετΛͪΌΜͱఆٛͰ͖Ε ͹ɼෆਖ਼ΫΤϦΛݕ஌Ͱ͖Δ

  9. Ͱ΋ɼϗϫΠτϦετ࡞ΔͷେมͳͷͰ͸ʁ

  10. • ߴ͍ਫ਼౓Ͱෆਖ਼ΫΤϦΛݕ஌͢Δʹ͸ɼWebΞϓϦέʔγϣϯ͕ൃߦ͠ಘΔΫ ΤϦΛશͯϗϫΠτϦετʹఆٛ͠ͳ͚Ε͹ͳΒͳ͍ • WebΞϓϦέʔγϣϯ͕ൃߦ͠ಘΔΫΤϦ͸๲େ • WebΞϓϦέʔγϣϯ͕վम͞Εͨ৔߹ɼΫΤϦ͕มԽ͢ΔՄೳੑ͋Γ • ORM࢖ͬͯͨΒɼࣗ෼ͰSQLΛॻ͘͜ͱ͕গͳ͍ 10

    ϗϫΠτϦετ࡞੒ͷ೉͠͞

  11. 11 IUUQTTQFBLFSEFDLDPNLPNFJXFCBQVSJLFTJZPOUFTVUPXPZPOHJUBTRMLVFSJGBMTFIPXBJUPSJTVUP[JEPOH [VPDIFOHTIPVGBFCDGCDFBFBEDF

  12. • ෆਖ਼ΫΤϦʹΑͬͯσʔλϕʔε্ͷػີ৘ใͷ࿙Ӯɼվ᜵ɼফڈ͕ൃੜ • ϗϫΠτϦετϕʔεͰෆਖ਼ΫΤϦͷݕ஌Λߦ͏sqdΛ঺հ • sqdͰ͸ɼϗϫΠτϦετ࡞੒͕ॏཁ͚ͩͲ೉͍͠ • ϗϫΠτϦετ࡞੒ʹؔͯ͠͸ɼ࿦จ΍ݚڀձͰͷൃදࢿྉΛ͝ཡ͍ͩ͘͞ 12 ·ͱΊ

    ࿦จɿIUUQTSBOEQFQBCPDPNQBQFSTJPUTLPNFJQEG
  13. None