Node.js のセキュリティの話

Transcript

1. 
 Node.jsͷݐલͱຊԻ @yosuke_furukawa

2. @yosuke_furukawa Node.jsϢʔβʔάϧʔϓ୅ද / DeNAॴଐ

3. ։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ໨ 7/3 : socket.io meetup 7/11 :

   ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫ෢ಆձ

4. ։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ໨ 7/3 : socket.io meetup 7/11 :

   ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫ෢ಆձ
   ʊਓਓਓਓਓਓਓʊ
   ʼɹશ෦౦ژʂʂɹʻ
   
   ʉ:?:?:?:?:?:?:ʉ

5. ࢓ࣄͰ΍ͬͯΔ͜ͱ 1. WebήʔϜ࡞ͬͨΓ 2. ϥΠϒϥϦ࡞ͬͨΓ 3. ։ൃϝϯόʔͷޚ༻ฉ͖ ΠϯϑϥपΓ΋ଟগޱΛग़͢ɺαʔόαΠυΤϯδχΞɺ Backbone +

   marionetteͰ։ൃ΋ͯͯ͠ΫϥΠΞϯταΠυ΋΍ͬͯΔ ͍ΘΏΔϑϧελοΫ(স)ΤϯδχΞ

6. ݐલ×ຊԻ

7. ݐલฤ

8. Productionʹ͢Δ࣌ʹ΍ͬͨ ΄͏͕ྑ͍͜ͱ(securityฤ)

9. Don’t run as root

10. Α͋͘ΔγνϡΤʔγϣϯ port൪߸Λ80/443Ͱ͍͔͋͛ͨΒɺͱ͍ͬͯ rootͰىಈ͢Δͷ͸ྑ͘ͳ͍ɻ

11. WebΞϓϦαʔόʔ͸ WebΞϓϦαʔόʔ ඞཁҎ্ͷݖݶΛ༩͑Δ΂͖͡Όͳ͍ɻ ສ͕Ұ fs.unlink Λ࣮ߦ͞ΕͪΌͬͨΒ? ͦΕҎ֎ʹ΋ຊདྷಡΊͳ͍ϑΝΠϧ͕ fs.readFileͰಡΊͪΌͬͨΒ??

12. Cross Site Request Forgery

13. Α͋͘ΔγνϡΤʔγϣϯ ࣗ෼ͷαʔόʔ͔Β֎෦ͷαʔόʔΛ౿·͞ Εͯɺ֎෦αʔόʔ͔ΒউखʹϦΫΤετ͕ ൃߦ͞ΕΔɻ

14. csrfରࡦ (tokenํࣜ) // express var express = require(‘express'); var csrf

    = require(‘csurf'); ! var app = express(); app.use(csrf()); ! ! // html ͷ form ΍ xhr Ͱ ϦΫΤετͷதʹ tokenΛೖΕͯૹΔ <input type=“hidden” name=“_csrf” value=“{{csrftoken}}”>

15. csrfରࡦ (xhr͔Ͳ͏͔Λ֬ೝ͢Δ) // express var express = require(‘express'); ! var

    app = express(); app.use(function(req, res){ if (req.xhr) { // => X-Requested-With ͕͍ͭͯΔͱreq.xhr͸true // xhr͸same origin policy͕ద༻͞ΕΔͨΊɺผυϝΠϯ͔Β // ϦΫΤετ͸ൃߦͰ͖ͳ͍ } // … }); !

16. XSSରࡦ

17. Α͋͘ΔγνϡΤʔγϣϯ socket.ioͱ͔Ͱ௚઀σʔλΛchatͰ΍ΓͱΓ chat಺ʹ௚઀html͕ॻ͚Δͱ೚ҙͷjavascript Λ࣮ߦ͞Εͯ͠·͏ɻ

18. tweetdeck ͞Μ……

19. αχλΠζ var validator = require(‘validator'); ! socket.on(“message”, function(data){ // <script>alert(“hoge”);</script>

    // &lt;script&gt;alert(&quot;hoge&quot;);&lt;/script&gt; validator.escape(data); });

20. secure session app.use(express.session({ secret: “dontusethisone", cookie: { // ສ͕ҰXSS͕ൃੜͯ͠΋javascript͔Β //

    cookieΛऔΕͳ͍Α͏ʹ͢Δ httpOnly: true, secure: true }, }));

21. disable x-powered-by

22. Α͋͘ΔγνϡΤʔγϣϯ ߈ܸऀͷཱ৔͔Β͢ΔͱେମόοΫΤϯυͷαʔ ό/ϦόʔεϓϩΩγ͕Կ͔Λ࠷ॳʹ֬ೝ͢Δɻ x-powered-by͸߈ܸऀʹͱͬͯ͸߈ܸͷώϯ τΛ༩͑ΔࣄʹͳΔɻ

23. x-powered-byΛফ͢ // express var express = require(‘express'); var app =

    express(); app.disable(‘x-powered-by’); ! // ͜͏͢Δ͜ͱͰ // ߈ܸऀʹόοΫΤϯυͷαʔόʔ͕Կ͔఻͑ͳ͍ɻ

24. https

25. جຊhttpsʹ͢Δ httpͩͱϦΫΤετϨεϙϯεͷ಺༰͕ฏจ ͰΠϯλʔωοπۭؒΛྲྀΕΔ ϦΫΤετղੳ͞ΕͯϢʔβʔͷॏཁͳ৘ใ ͕࿙ΕͨΒݏɻ

26. mozaic.fm #4 CCS ࣭໰ͯ͠Έͨ: Q. https͕ࠓޙओྲྀʹͳΔΜͰ͠ΐ͏͔? A. ओྲྀ͔Ͳ͏͔͸ͱ΋͔͘ɺൺ཰্͕͕Δͷ͸ؒҧ ͍ͳ͍ɻେखͷαʔϏε͸΄΅httpsʹͳ͍ͬͯͩ͘ Ζ͏

27. httpsͰexpress var express = require(‘express’); var https = require('https'); var

    fs = require('fs'); ! var options = { key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'), cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem') }; ! express.createServer(options); ! // ·͊Ͱ΋ϦόʔεϓϩΩγͱ͔ͰhttpsΛhttpʹม׵͢Δ͜ͱͷํ͕ଟ͍͔΋

28. ϦόʔεϓϩΩγͰղܾ͢Δख΋͋Δ OHJOY OPEFKT IUUQ IUUQT

29. Denial of Service

30. Node.jsͷDoS γϯάϧεϨουͳͷͰ CPUෛՙ͕͔͔ΔΑ͏ͳॲཧ͸΍͸Γۤख

31. JSON.parse/JSON.stringify // JSON.parse/JSON.stringify͸ಉظతͳॲཧ // ௒ڊେͳJSON͕དྷΔͱͦͷparse/stringifyͷλΠϛϯάͰॲཧ͕ࢭ·Δɻ // ͳͷͰɺϦΫΤετͷίϯςϯταΠζΛݟͯͪΌΜͱ஄͘Α͏ʹͨ͠΄͏͕ྑ ͍ɻ ! var

    length = +req[‘content-length’]; if (length > 100000) { throw new Error(“Max content size is exceeded”); } ! // ͪͳΈʹexpress/body-parser͸ 100kb ·ͰͰσϑΥϧτ੍ݶ͞ΕͯΔɻ // ࠓ JSON.parse/stringifyʹasync͕෇͔͘Ͳ͏͔ݕ౼͞ΕͯΔ // https://github.com/joyent/node/issues/7543

32. Evil regex https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications ਖ਼نදݱϚον΋CPUίετߴ͍

33. Evil regex ͳΜͰ΋ਖ਼نදݱͰݕࠪ͠ͳ͍ ਖ਼نදݱΛ࢖͏ͱ͖͸ϓϩͷํʹϨϏϡʔͯ͠΋Β͏

34. ΋ͪΖΜɺ͜ͷଞʹ΋

35. • ͪΌΜͱϩάΛऔΔ • ΞΫηεղੳΛߦͬͯෆ৹ͳΞΫηε͕ͳ͍ ͔ௐ΂Δ • ೝূ/ೝՄͷ࢓૊ΈΛݕ౼͢Δ • ສ͕ҰDoSͰԠ౴ෆೳʹͳͬͨΒαʔϏεΛ ࠶ىಈͤ͞Δ

    • Ωϟον͞Εͳ͍ྫ֎͸ϩάΛు͍͔ͯΒࢮ ͵Α͏ʹ͢Δɻ

36. ࢀߟࢿྉ https://speakerdeck.com/ckarande/top-overlooked-security-threats-to- node-dot-js-web-applications https://gist.github.com/cerebrl/6487587 http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool- for.html

37. ݐલฤ ׬

38. ຊԻฤ

39. !!!!!CAUTION!!!!! ফ͠·ͨ͠

40. ຊԻฤ ׬

41. ͳΜͰ΋ฉ͍͍ͯͩ͘͞ :D