Link
Embed
Share
Beginning
This slide
Copy link URL
Copy link URL
Copy iframe embed code
Copy iframe embed code
Copy javascript embed code
Copy javascript embed code
Share
Tweet
Share
Tweet
Slide 1
Slide 1 text
Node.jsͷݐલͱຊԻ @yosuke_furukawa
Slide 2
Slide 2 text
@yosuke_furukawa Node.jsϢʔβʔάϧʔϓද / DeNAॴଐ
Slide 3
Slide 3 text
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 : ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ
Slide 4
Slide 4 text
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 : ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ ʊਓਓਓਓਓਓਓʊ ʼɹશ෦౦ژʂʂɹʻ ʉ:?:?:?:?:?:?:ʉ
Slide 5
Slide 5 text
ࣄͰͬͯΔ͜ͱ 1. WebήʔϜ࡞ͬͨΓ 2. ϥΠϒϥϦ࡞ͬͨΓ 3. ։ൃϝϯόʔͷޚ༻ฉ͖ ΠϯϑϥपΓଟগޱΛग़͢ɺαʔόαΠυΤϯδχΞɺ Backbone + marionetteͰ։ൃͯͯ͠ΫϥΠΞϯταΠυͬͯΔ ͍ΘΏΔϑϧελοΫ(স)ΤϯδχΞ
Slide 6
Slide 6 text
ݐલ×ຊԻ
Slide 7
Slide 7 text
ݐલฤ
Slide 8
Slide 8 text
Productionʹ͢Δ࣌ʹͬͨ ΄͏͕ྑ͍͜ͱ(securityฤ)
Slide 9
Slide 9 text
Don’t run as root
Slide 10
Slide 10 text
Α͋͘ΔγνϡΤʔγϣϯ port൪߸Λ80/443Ͱ͍͔͋͛ͨΒɺͱ͍ͬͯ rootͰىಈ͢Δͷྑ͘ͳ͍ɻ
Slide 11
Slide 11 text
WebΞϓϦαʔόʔ WebΞϓϦαʔόʔ ඞཁҎ্ͷݖݶΛ༩͑Δ͖͡Όͳ͍ɻ ສ͕Ұ fs.unlink Λ࣮ߦ͞ΕͪΌͬͨΒ? ͦΕҎ֎ʹຊདྷಡΊͳ͍ϑΝΠϧ͕ fs.readFileͰಡΊͪΌͬͨΒ??
Slide 12
Slide 12 text
Cross Site Request Forgery
Slide 13
Slide 13 text
Α͋͘ΔγνϡΤʔγϣϯ ࣗͷαʔόʔ͔Β֎෦ͷαʔόʔΛ౿·͞ Εͯɺ֎෦αʔόʔ͔ΒউखʹϦΫΤετ͕ ൃߦ͞ΕΔɻ
Slide 14
Slide 14 text
csrfରࡦ (tokenํࣜ) // express var express = require(‘express'); var csrf = require(‘csurf'); ! var app = express(); app.use(csrf()); ! ! // html ͷ form xhr Ͱ ϦΫΤετͷதʹ tokenΛೖΕͯૹΔ
Slide 15
Slide 15 text
csrfରࡦ (xhr͔Ͳ͏͔Λ֬ೝ͢Δ) // express var express = require(‘express'); ! var app = express(); app.use(function(req, res){ if (req.xhr) { // => X-Requested-With ͕͍ͭͯΔͱreq.xhrtrue // xhrsame origin policy͕ద༻͞ΕΔͨΊɺผυϝΠϯ͔Β // ϦΫΤετൃߦͰ͖ͳ͍ } // … }); !
Slide 16
Slide 16 text
XSSରࡦ
Slide 17
Slide 17 text
Α͋͘ΔγνϡΤʔγϣϯ socket.ioͱ͔ͰσʔλΛchatͰΓͱΓ chatʹhtml͕ॻ͚Δͱҙͷjavascript Λ࣮ߦ͞Εͯ͠·͏ɻ
Slide 18
Slide 18 text
tweetdeck ͞Μ……
Slide 19
Slide 19 text
αχλΠζ var validator = require(‘validator'); ! socket.on(“message”, function(data){ // alert(“hoge”); // <script>alert("hoge");</script> validator.escape(data); });
Slide 20
Slide 20 text
secure session app.use(express.session({ secret: “dontusethisone", cookie: { // ສ͕ҰXSS͕ൃੜͯ͠javascript͔Β // cookieΛऔΕͳ͍Α͏ʹ͢Δ httpOnly: true, secure: true }, }));
Slide 21
Slide 21 text
disable x-powered-by
Slide 22
Slide 22 text
Α͋͘ΔγνϡΤʔγϣϯ ߈ܸऀͷཱ͔Β͢ΔͱେମόοΫΤϯυͷαʔ ό/ϦόʔεϓϩΩγ͕Կ͔Λ࠷ॳʹ֬ೝ͢Δɻ x-powered-by߈ܸऀʹͱͬͯ߈ܸͷώϯ τΛ༩͑ΔࣄʹͳΔɻ
Slide 23
Slide 23 text
x-powered-byΛফ͢ // express var express = require(‘express'); var app = express(); app.disable(‘x-powered-by’); ! // ͜͏͢Δ͜ͱͰ // ߈ܸऀʹόοΫΤϯυͷαʔόʔ͕Կ͔͑ͳ͍ɻ
Slide 24
Slide 24 text
https
Slide 25
Slide 25 text
جຊhttpsʹ͢Δ httpͩͱϦΫΤετϨεϙϯεͷ༰͕ฏจ ͰΠϯλʔωοπۭؒΛྲྀΕΔ ϦΫΤετղੳ͞ΕͯϢʔβʔͷॏཁͳใ ͕࿙ΕͨΒݏɻ
Slide 26
Slide 26 text
mozaic.fm #4 CCS ࣭ͯ͠Έͨ: Q. https͕ࠓޙओྲྀʹͳΔΜͰ͠ΐ͏͔? A. ओྲྀ͔Ͳ͏͔ͱ͔͘ɺൺ্͕͕Δͷؒҧ ͍ͳ͍ɻେखͷαʔϏε΄΅httpsʹͳ͍ͬͯͩ͘ Ζ͏
Slide 27
Slide 27 text
httpsͰexpress var express = require(‘express’); var https = require('https'); var fs = require('fs'); ! var options = { key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'), cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem') }; ! express.createServer(options); ! // ·͊ͰϦόʔεϓϩΩγͱ͔ͰhttpsΛhttpʹม͢Δ͜ͱͷํ͕ଟ͍͔
Slide 28
Slide 28 text
ϦόʔεϓϩΩγͰղܾ͢Δख͋Δ OHJOY OPEFKT IUUQ IUUQT
Slide 29
Slide 29 text
Denial of Service
Slide 30
Slide 30 text
Node.jsͷDoS γϯάϧεϨουͳͷͰ CPUෛՙ͕͔͔ΔΑ͏ͳॲཧΓۤख
Slide 31
Slide 31 text
JSON.parse/JSON.stringify // JSON.parse/JSON.stringifyಉظతͳॲཧ // ڊେͳJSON͕དྷΔͱͦͷparse/stringifyͷλΠϛϯάͰॲཧ͕ࢭ·Δɻ // ͳͷͰɺϦΫΤετͷίϯςϯταΠζΛݟͯͪΌΜͱ͘Α͏ʹͨ͠΄͏͕ྑ ͍ɻ ! var length = +req[‘content-length’]; if (length > 100000) { throw new Error(“Max content size is exceeded”); } ! // ͪͳΈʹexpress/body-parser 100kb ·ͰͰσϑΥϧτ੍ݶ͞ΕͯΔɻ // ࠓ JSON.parse/stringifyʹasync͕͔͘Ͳ͏͔ݕ౼͞ΕͯΔ // https://github.com/joyent/node/issues/7543
Slide 32
Slide 32 text
Evil regex https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications ਖ਼نදݱϚονCPUίετߴ͍
Slide 33
Slide 33 text
Evil regex ͳΜͰਖ਼نදݱͰݕࠪ͠ͳ͍ ਖ਼نදݱΛ͏ͱ͖ϓϩͷํʹϨϏϡʔͯ͠Β͏
Slide 34
Slide 34 text
ͪΖΜɺ͜ͷଞʹ
Slide 35
Slide 35 text
• ͪΌΜͱϩάΛऔΔ • ΞΫηεղੳΛߦͬͯෆ৹ͳΞΫηε͕ͳ͍ ͔ௐΔ • ೝূ/ೝՄͷΈΛݕ౼͢Δ • ສ͕ҰDoSͰԠෆೳʹͳͬͨΒαʔϏεΛ ࠶ىಈͤ͞Δ • Ωϟον͞Εͳ͍ྫ֎ϩάΛు͍͔ͯΒࢮ ͵Α͏ʹ͢Δɻ
Slide 36
Slide 36 text
ࢀߟࢿྉ https://speakerdeck.com/ckarande/top-overlooked-security-threats-to- node-dot-js-web-applications https://gist.github.com/cerebrl/6487587 http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool- for.html
Slide 37
Slide 37 text
ݐલฤ
Slide 38
Slide 38 text
ຊԻฤ
Slide 39
Slide 39 text
!!!!!CAUTION!!!!! ফ͠·ͨ͠
Slide 40
Slide 40 text
ຊԻฤ
Slide 41
Slide 41 text
ͳΜͰฉ͍͍ͯͩ͘͞ :D