Node.js のセキュリティの話

Slide 1

Slide 1 text

  Node.jsͷݐલͱຊԻ @yosuke_furukawa

Slide 2

Slide 2 text

@yosuke_furukawa Node.jsϢʔβʔάϧʔϓ୅ද / DeNAॴଐ

Slide 3

Slide 3 text

։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ໨ 7/3 : socket.io meetup 7/11 : ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫ෢ಆձ

Slide 4

Slide 4 text

։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ໨ 7/3 : socket.io meetup 7/11 : ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫ෢ಆձ ʊਓਓਓਓਓਓਓʊ ʼɹશ෦౦ژʂʂɹʻ ʉ:?:?:?:?:?:?:ʉ

Slide 5

Slide 5 text

࢓ࣄͰ΍ͬͯΔ͜ͱ 1. WebήʔϜ࡞ͬͨΓ 2. ϥΠϒϥϦ࡞ͬͨΓ 3. ։ൃϝϯόʔͷޚ༻ฉ͖ ΠϯϑϥपΓ΋ଟগޱΛग़͢ɺαʔόαΠυΤϯδχΞɺ Backbone + marionetteͰ։ൃ΋ͯͯ͠ΫϥΠΞϯταΠυ΋΍ͬͯΔ ͍ΘΏΔϑϧελοΫ(স)ΤϯδχΞ

Slide 6

Slide 6 text

ݐલ×ຊԻ

Slide 7

Slide 7 text

ݐલฤ

Slide 8

Slide 8 text

Productionʹ͢Δ࣌ʹ΍ͬͨ ΄͏͕ྑ͍͜ͱ(securityฤ)

Slide 9

Slide 9 text

Don’t run as root

Slide 10

Slide 10 text

Α͋͘ΔγνϡΤʔγϣϯ port൪߸Λ80/443Ͱ͍͔͋͛ͨΒɺͱ͍ͬͯ rootͰىಈ͢Δͷ͸ྑ͘ͳ͍ɻ

Slide 11

Slide 11 text

WebΞϓϦαʔόʔ͸ WebΞϓϦαʔόʔ ඞཁҎ্ͷݖݶΛ༩͑Δ΂͖͡Όͳ͍ɻ ສ͕Ұ fs.unlink Λ࣮ߦ͞ΕͪΌͬͨΒ? ͦΕҎ֎ʹ΋ຊདྷಡΊͳ͍ϑΝΠϧ͕ fs.readFileͰಡΊͪΌͬͨΒ??

Slide 12

Slide 12 text

Cross Site Request Forgery

Slide 13

Slide 13 text

Α͋͘ΔγνϡΤʔγϣϯ ࣗ෼ͷαʔόʔ͔Β֎෦ͷαʔόʔΛ౿·͞ Εͯɺ֎෦αʔόʔ͔ΒউखʹϦΫΤετ͕ ൃߦ͞ΕΔɻ

Slide 14

Slide 14 text

csrfରࡦ (tokenํࣜ) // express var express = require(‘express'); var csrf = require(‘csurf'); ! var app = express(); app.use(csrf()); ! ! // html ͷ form ΍ xhr Ͱ ϦΫΤετͷதʹ tokenΛೖΕͯૹΔ

Slide 15

Slide 15 text

csrfରࡦ (xhr͔Ͳ͏͔Λ֬ೝ͢Δ) // express var express = require(‘express'); ! var app = express(); app.use(function(req, res){ if (req.xhr) { // => X-Requested-With ͕͍ͭͯΔͱreq.xhr͸true // xhr͸same origin policy͕ద༻͞ΕΔͨΊɺผυϝΠϯ͔Β // ϦΫΤετ͸ൃߦͰ͖ͳ͍ } // … }); !

Slide 16

Slide 16 text

XSSରࡦ

Slide 17

Slide 17 text

Α͋͘ΔγνϡΤʔγϣϯ socket.ioͱ͔Ͱ௚઀σʔλΛchatͰ΍ΓͱΓ chat಺ʹ௚઀html͕ॻ͚Δͱ೚ҙͷjavascript Λ࣮ߦ͞Εͯ͠·͏ɻ

Slide 18

Slide 18 text

tweetdeck ͞Μ……

Slide 19

Slide 19 text

αχλΠζ var validator = require(‘validator'); ! socket.on(“message”, function(data){ // alert(“hoge”); // <script>alert("hoge");</script> validator.escape(data); });

Slide 20

Slide 20 text

secure session app.use(express.session({ secret: “dontusethisone", cookie: { // ສ͕ҰXSS͕ൃੜͯ͠΋javascript͔Β // cookieΛऔΕͳ͍Α͏ʹ͢Δ httpOnly: true, secure: true }, }));

Slide 21

Slide 21 text

disable x-powered-by

Slide 22

Slide 22 text

Α͋͘ΔγνϡΤʔγϣϯ ߈ܸऀͷཱ৔͔Β͢ΔͱେମόοΫΤϯυͷαʔ ό/ϦόʔεϓϩΩγ͕Կ͔Λ࠷ॳʹ֬ೝ͢Δɻ x-powered-by͸߈ܸऀʹͱͬͯ͸߈ܸͷώϯ τΛ༩͑ΔࣄʹͳΔɻ

Slide 23

Slide 23 text

x-powered-byΛফ͢ // express var express = require(‘express'); var app = express(); app.disable(‘x-powered-by’); ! // ͜͏͢Δ͜ͱͰ // ߈ܸऀʹόοΫΤϯυͷαʔόʔ͕Կ͔఻͑ͳ͍ɻ

Slide 24

Slide 24 text

https

Slide 25

Slide 25 text

جຊhttpsʹ͢Δ httpͩͱϦΫΤετϨεϙϯεͷ಺༰͕ฏจ ͰΠϯλʔωοπۭؒΛྲྀΕΔ ϦΫΤετղੳ͞ΕͯϢʔβʔͷॏཁͳ৘ใ ͕࿙ΕͨΒݏɻ

Slide 26

Slide 26 text

mozaic.fm #4 CCS ࣭໰ͯ͠Έͨ: Q. https͕ࠓޙओྲྀʹͳΔΜͰ͠ΐ͏͔? A. ओྲྀ͔Ͳ͏͔͸ͱ΋͔͘ɺൺ཰্͕͕Δͷ͸ؒҧ ͍ͳ͍ɻେखͷαʔϏε͸΄΅httpsʹͳ͍ͬͯͩ͘ Ζ͏

Slide 27

Slide 27 text

httpsͰexpress var express = require(‘express’); var https = require('https'); var fs = require('fs'); ! var options = { key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'), cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem') }; ! express.createServer(options); ! // ·͊Ͱ΋ϦόʔεϓϩΩγͱ͔ͰhttpsΛhttpʹม׵͢Δ͜ͱͷํ͕ଟ͍͔΋

Slide 28

Slide 28 text

ϦόʔεϓϩΩγͰղܾ͢Δख΋͋Δ OHJOY OPEFKT IUUQ IUUQT

Slide 29

Slide 29 text

Denial of Service

Slide 30

Slide 30 text

Node.jsͷDoS γϯάϧεϨουͳͷͰ CPUෛՙ͕͔͔ΔΑ͏ͳॲཧ͸΍͸Γۤख

Slide 31

Slide 31 text

JSON.parse/JSON.stringify // JSON.parse/JSON.stringify͸ಉظతͳॲཧ // ௒ڊେͳJSON͕དྷΔͱͦͷparse/stringifyͷλΠϛϯάͰॲཧ͕ࢭ·Δɻ // ͳͷͰɺϦΫΤετͷίϯςϯταΠζΛݟͯͪΌΜͱ஄͘Α͏ʹͨ͠΄͏͕ྑ ͍ɻ ! var length = +req[‘content-length’]; if (length > 100000) { throw new Error(“Max content size is exceeded”); } ! // ͪͳΈʹexpress/body-parser͸ 100kb ·ͰͰσϑΥϧτ੍ݶ͞ΕͯΔɻ // ࠓ JSON.parse/stringifyʹasync͕෇͔͘Ͳ͏͔ݕ౼͞ΕͯΔ // https://github.com/joyent/node/issues/7543

Slide 32

Slide 32 text

Evil regex https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications ਖ਼نදݱϚον΋CPUίετߴ͍

Slide 33

Slide 33 text

Evil regex ͳΜͰ΋ਖ਼نදݱͰݕࠪ͠ͳ͍ ਖ਼نදݱΛ࢖͏ͱ͖͸ϓϩͷํʹϨϏϡʔͯ͠΋Β͏

Slide 34

Slide 34 text

΋ͪΖΜɺ͜ͷଞʹ΋

Slide 35

Slide 35 text

• ͪΌΜͱϩάΛऔΔ • ΞΫηεղੳΛߦͬͯෆ৹ͳΞΫηε͕ͳ͍ ͔ௐ΂Δ • ೝূ/ೝՄͷ࢓૊ΈΛݕ౼͢Δ • ສ͕ҰDoSͰԠ౴ෆೳʹͳͬͨΒαʔϏεΛ ࠶ىಈͤ͞Δ • Ωϟον͞Εͳ͍ྫ֎͸ϩάΛు͍͔ͯΒࢮ ͵Α͏ʹ͢Δɻ

Slide 36

Slide 36 text

ࢀߟࢿྉ https://speakerdeck.com/ckarande/top-overlooked-security-threats-to- node-dot-js-web-applications https://gist.github.com/cerebrl/6487587 http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool- for.html