©2018 Wantedly, Inc. RailsηΩϡϦςΟΨΠυΛ վΊͯಡΜͰΈͨ 29.July.2018 - Hazumi Ichijo (@rerost) ৽ଔΤϯδχΞ͕վΊͯಡΜͰΈͯ 

©2018 Wantedly, Inc. ࣗݾ঺հ Ұᑍ୺੅ (Twitter: @hazumirr, Github: @rerost) Web Application Engineer Rails, React, … ۴࿏ߴઐ -> ஜ೾େֶ -> Wantedly 

©2018 Wantedly, Inc. Page Subtitle https://railsguides.jp/security.html 

©2018 Wantedly, Inc. 1. ීஈ͔ΒؾΛ͚͍ͭͨ͜ͱ • ϦμΠϨΫτ • ਖ਼نදݱ • nilνΣοΫෆ଍ • XSS ͳͲ 2. ࣄલʹ๷͍Ͱ͓͖͍ͨ෦෼ • ηογϣϯݻఆ߈ܸ • CSRF ͳͲ RailsηΩϡϦςΟΨΠυ 

©2018 Wantedly, Inc. 1. ීஈ͔ΒؾΛ͚͍ͭͨ͜ͱ • ϦμΠϨΫτ • ਖ਼نදݱ • nilνΣοΫෆ଍ • XSS ͳͲ 2. ࣄલʹ๷͍Ͱ͓͖͍ͨ෦෼ • ηογϣϯݻఆ߈ܸ • CSRF ͳͲ RailsηΩϡϦςΟΨΠυ ࠓ೔͸ͬͪ͜ 

©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ def legacy redirect_to(params.update(action:'main')) end https://railsguides.jp/security.html#ϦμΠϨΫτ 

©2018 Wantedly, Inc. ϦμΠϨΫτ def legacy redirect_to(params.update(action:'main')) end http://www.example.com/site/legacy? param1=xy¶m2=23&host=www.attacker.com https://railsguides.jp/security.html#ϦμΠϨΫτ 

©2018 Wantedly, Inc. ϦμΠϨΫτ def legacy redirect_to(params.update(action:'main')) end https://railsguides.jp/security.html#ϦμΠϨΫτ ࣗ༝ʹϦμΠϨΫτͰ͖ͯ͠·͏ 

©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ def url?(url) !url.match(/^https?:\/\/[^\n]+$/i).nil? end https://railsguides.jp/security.html#ਖ਼نදݱ 

©2018 Wantedly, Inc. ਖ਼نදݱ def url?(url) !url.match(/^https?:\/\/[^\n]+$/i).nil? end irb(main):004:0> url?("https://example.com") => true irb(main):005:0> url?(" irb(main):006:1" hogehoge irb(main):007:1" https://example.com irb(main):008:1" ") => true https://railsguides.jp/security.html#ਖ਼نදݱ 

©2018 Wantedly, Inc. ਖ਼نදݱ def url?(url) !url.match(/\Ahttps?:\/\/[^\n]+\z/i).nil? end https://railsguides.jp/security.html#ਖ਼نදݱ ^, $͸৔߹ʹΑͬͯةݥ 

©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ class UsersController < ApplicationController def activate user = User.find_by(activation_code: params[:code]) user.activate end end https://railsguides.jp/security.html#Ϣʔβʔ؅ཧ 

©2018 Wantedly, Inc. nil νΣοΫෆ଍ class UsersController < ApplicationController def activate user = User.find_by(activation_code: params[:code]) user.activate end end http://localhost:3000/users/activate?code= 

©2018 Wantedly, Inc. nil νΣοΫෆ଍ http://localhost:3000/users/activate?code= class UsersController < ApplicationController def activate user = User.find_by(activation_code: params[:code]) user.activate end end SELECT * FROM users WHERE (users.activation_code IS NULL) LIMIT 1 https://railsguides.jp/security.html#Ϣʔβʔ؅ཧ 

©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ hoge.html.erb hoge.html.haml <%= user_name %> = user_name _.template(`\ <%= user_name %> `) hoge.js (_ = underscore.js) 

©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ hoge.html.erb hoge.html.haml <%= user_name %> = user_name _.template(`\ <%= user_name %> `) hoge.js (_ = underscore.js) Τεέʔϓͳ͠ʢ<%-͕ྑ͍ʣ 

©2018 Wantedly, Inc. ͜ͷίʔυʹ͸໰୊͕͋Δʂ ja.yml hoge.html.haml hoge.js ja: foo_html: “͜Μʹͪ͸
%{user_name}“ = t(“foo_html", user_name: “alert(‘XSS’)”) I18n.t(“foo_html", {user_name: “alert(‘XSS')"}) 

©2018 Wantedly, Inc. XSS(i18n-js) ja.yml hoge.html.haml hoge.js ͜Μʹͪ͸
<script>alert(‘XSS')</script> ͜Μʹͪ͸
alert('XSS') ja: foo_html: “͜Μʹͪ͸
%{user_name}“ 

©2018 Wantedly, Inc. XSS(i18n-js) https://railsguides.jp/i18n.html#҆શͳhtmlม׵ 

©2018 Wantedly, Inc. XSS(i18n-js) https://github.com/fnando/i18n-js/issues/485 

©2018 Wantedly, Inc. XSS(i18n-js) https://github.com/fnando/i18n-js/issues/485 

©2018 Wantedly, Inc. •ࣗ෼͕΍Γ͔Ͷͳ͍෦෼͕ଟ͔ͬͨ •๨Ε͕ͪͳ͜ͱ͕͋ΔͷͰఆظతʹ
 ηΩϡϦςΟΨΠυΛಡΈ͍ͨ ·ͱΊ