Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node.js のセキュリティの話
Search
Yosuke Furukawa
PRO
June 14, 2014
Programming
18
10k
Node.js のセキュリティの話
Production (セキュリティ編)ということで疎かになりがちなセキュリティの話
Yosuke Furukawa
PRO
June 14, 2014
Tweet
Share
More Decks by Yosuke Furukawa
See All by Yosuke Furukawa
デザインシステムが必須の時代に
yosuke_furukawa
PRO
2
150
Node.js, Deno, Bun 最新動向とその所感について
yosuke_furukawa
PRO
10
4.3k
Welcome JSConf.jp 2024
yosuke_furukawa
PRO
1
4.3k
tc39 x jsconf.jp Panel Discussion 2024
yosuke_furukawa
PRO
0
270
Removing Corepack
yosuke_furukawa
PRO
9
1.7k
JavaScript Runtime とはなにか
yosuke_furukawa
PRO
15
2.9k
Strip Types と Storage
yosuke_furukawa
PRO
4
430
Module Harmony について
yosuke_furukawa
PRO
3
1.8k
LTのやり方
yosuke_furukawa
PRO
16
2.7k
Other Decks in Programming
See All in Programming
Pythonスレッドとは結局何なのか? CPython実装から見るNoGIL時代の変化
curekoshimizu
4
1.1k
いま中途半端なSwift 6対応をするより、Default ActorやApproachable Concurrencyを有効にしてからでいいんじゃない?
yimajo
2
230
TokyoR#119 bignners session2 Visualization
kotatyamtema
0
130
CSC509 Lecture 01
javiergs
PRO
1
430
Local Peer-to-Peer APIはどのように使われていくのか?
hal_spidernight
2
430
NetworkXとGNNで学ぶグラフデータ分析入門〜複雑な関係性を解き明かすPythonの力〜
mhrtech
3
920
フロントエンド開発に役立つクライアントプログラム共通のノウハウ / Universal client-side programming best practices for frontend development
nrslib
7
3.8k
Current States of Java Web Frameworks at JCConf 2025
kishida
0
540
エンジニアとして高みを目指す、 利益を生み出す設計の考え方 / design-for-profit
minodriven
23
11k
iOSエンジニア向けの英語学習アプリを作る!
yukawashouhei
0
170
Introducing ReActionView: A new ActionView-Compatible ERB Engine @ Kaigi on Rails 2025, Tokyo, Japan
marcoroth
3
760
Pull-Requestの内容を1クリックで動作確認可能にするワークフロー
natmark
1
330
Featured
See All Featured
Visualization
eitanlees
148
16k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.2k
The Art of Programming - Codeland 2020
erikaheidi
56
14k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
51k
Making the Leap to Tech Lead
cromwellryan
135
9.5k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
840
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
3k
Writing Fast Ruby
sferik
629
62k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.2k
Transcript
Node.jsͷݐલͱຊԻ @yosuke_furukawa
@yosuke_furukawa Node.jsϢʔβʔάϧʔϓද / DeNAॴଐ
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 :
ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 :
ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ ʊਓਓਓਓਓਓਓʊ ʼɹશ෦౦ژʂʂɹʻ ʉ:?:?:?:?:?:?:ʉ
ࣄͰͬͯΔ͜ͱ 1. WebήʔϜ࡞ͬͨΓ 2. ϥΠϒϥϦ࡞ͬͨΓ 3. ։ൃϝϯόʔͷޚ༻ฉ͖ ΠϯϑϥपΓଟগޱΛग़͢ɺαʔόαΠυΤϯδχΞɺ Backbone +
marionetteͰ։ൃͯͯ͠ΫϥΠΞϯταΠυͬͯΔ ͍ΘΏΔϑϧελοΫ(স)ΤϯδχΞ
ݐલ×ຊԻ
ݐલฤ
Productionʹ͢Δ࣌ʹͬͨ ΄͏͕ྑ͍͜ͱ(securityฤ)
Don’t run as root
Α͋͘ΔγνϡΤʔγϣϯ port൪߸Λ80/443Ͱ͍͔͋͛ͨΒɺͱ͍ͬͯ rootͰىಈ͢Δͷྑ͘ͳ͍ɻ
WebΞϓϦαʔόʔ WebΞϓϦαʔόʔ ඞཁҎ্ͷݖݶΛ༩͑Δ͖͡Όͳ͍ɻ ສ͕Ұ fs.unlink Λ࣮ߦ͞ΕͪΌͬͨΒ? ͦΕҎ֎ʹຊདྷಡΊͳ͍ϑΝΠϧ͕ fs.readFileͰಡΊͪΌͬͨΒ??
Cross Site Request Forgery
Α͋͘ΔγνϡΤʔγϣϯ ࣗͷαʔόʔ͔Β֎෦ͷαʔόʔΛ౿·͞ Εͯɺ֎෦αʔόʔ͔ΒউखʹϦΫΤετ͕ ൃߦ͞ΕΔɻ
csrfରࡦ (tokenํࣜ) // express var express = require(‘express'); var csrf
= require(‘csurf'); ! var app = express(); app.use(csrf()); ! ! // html ͷ form xhr Ͱ ϦΫΤετͷதʹ tokenΛೖΕͯૹΔ <input type=“hidden” name=“_csrf” value=“{{csrftoken}}”>
csrfରࡦ (xhr͔Ͳ͏͔Λ֬ೝ͢Δ) // express var express = require(‘express'); ! var
app = express(); app.use(function(req, res){ if (req.xhr) { // => X-Requested-With ͕͍ͭͯΔͱreq.xhrtrue // xhrsame origin policy͕ద༻͞ΕΔͨΊɺผυϝΠϯ͔Β // ϦΫΤετൃߦͰ͖ͳ͍ } // … }); !
XSSରࡦ
Α͋͘ΔγνϡΤʔγϣϯ socket.ioͱ͔ͰσʔλΛchatͰΓͱΓ chatʹhtml͕ॻ͚Δͱҙͷjavascript Λ࣮ߦ͞Εͯ͠·͏ɻ
tweetdeck ͞Μ……
αχλΠζ var validator = require(‘validator'); ! socket.on(“message”, function(data){ // <script>alert(“hoge”);</script>
// <script>alert("hoge");</script> validator.escape(data); });
secure session app.use(express.session({ secret: “dontusethisone", cookie: { // ສ͕ҰXSS͕ൃੜͯ͠javascript͔Β //
cookieΛऔΕͳ͍Α͏ʹ͢Δ httpOnly: true, secure: true }, }));
disable x-powered-by
Α͋͘ΔγνϡΤʔγϣϯ ߈ܸऀͷཱ͔Β͢ΔͱେମόοΫΤϯυͷαʔ ό/ϦόʔεϓϩΩγ͕Կ͔Λ࠷ॳʹ֬ೝ͢Δɻ x-powered-by߈ܸऀʹͱͬͯ߈ܸͷώϯ τΛ༩͑ΔࣄʹͳΔɻ
x-powered-byΛফ͢ // express var express = require(‘express'); var app =
express(); app.disable(‘x-powered-by’); ! // ͜͏͢Δ͜ͱͰ // ߈ܸऀʹόοΫΤϯυͷαʔόʔ͕Կ͔͑ͳ͍ɻ
https
جຊhttpsʹ͢Δ httpͩͱϦΫΤετϨεϙϯεͷ༰͕ฏจ ͰΠϯλʔωοπۭؒΛྲྀΕΔ ϦΫΤετղੳ͞ΕͯϢʔβʔͷॏཁͳใ ͕࿙ΕͨΒݏɻ
mozaic.fm #4 CCS ࣭ͯ͠Έͨ: Q. https͕ࠓޙओྲྀʹͳΔΜͰ͠ΐ͏͔? A. ओྲྀ͔Ͳ͏͔ͱ͔͘ɺൺ্͕͕Δͷؒҧ ͍ͳ͍ɻେखͷαʔϏε΄΅httpsʹͳ͍ͬͯͩ͘ Ζ͏
httpsͰexpress var express = require(‘express’); var https = require('https'); var
fs = require('fs'); ! var options = { key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'), cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem') }; ! express.createServer(options); ! // ·͊ͰϦόʔεϓϩΩγͱ͔ͰhttpsΛhttpʹม͢Δ͜ͱͷํ͕ଟ͍͔
ϦόʔεϓϩΩγͰղܾ͢Δख͋Δ OHJOY OPEFKT IUUQ IUUQT
Denial of Service
Node.jsͷDoS γϯάϧεϨουͳͷͰ CPUෛՙ͕͔͔ΔΑ͏ͳॲཧΓۤख
JSON.parse/JSON.stringify // JSON.parse/JSON.stringifyಉظతͳॲཧ // ڊେͳJSON͕དྷΔͱͦͷparse/stringifyͷλΠϛϯάͰॲཧ͕ࢭ·Δɻ // ͳͷͰɺϦΫΤετͷίϯςϯταΠζΛݟͯͪΌΜͱ͘Α͏ʹͨ͠΄͏͕ྑ ͍ɻ ! var
length = +req[‘content-length’]; if (length > 100000) { throw new Error(“Max content size is exceeded”); } ! // ͪͳΈʹexpress/body-parser 100kb ·ͰͰσϑΥϧτ੍ݶ͞ΕͯΔɻ // ࠓ JSON.parse/stringifyʹasync͕͔͘Ͳ͏͔ݕ౼͞ΕͯΔ // https://github.com/joyent/node/issues/7543
Evil regex https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications ਖ਼نදݱϚονCPUίετߴ͍
Evil regex ͳΜͰਖ਼نදݱͰݕࠪ͠ͳ͍ ਖ਼نදݱΛ͏ͱ͖ϓϩͷํʹϨϏϡʔͯ͠Β͏
ͪΖΜɺ͜ͷଞʹ
• ͪΌΜͱϩάΛऔΔ • ΞΫηεղੳΛߦͬͯෆ৹ͳΞΫηε͕ͳ͍ ͔ௐΔ • ೝূ/ೝՄͷΈΛݕ౼͢Δ • ສ͕ҰDoSͰԠෆೳʹͳͬͨΒαʔϏεΛ ࠶ىಈͤ͞Δ
• Ωϟον͞Εͳ͍ྫ֎ϩάΛు͍͔ͯΒࢮ ͵Α͏ʹ͢Δɻ
ࢀߟࢿྉ https://speakerdeck.com/ckarande/top-overlooked-security-threats-to- node-dot-js-web-applications https://gist.github.com/cerebrl/6487587 http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool- for.html
ݐલฤ
ຊԻฤ
!!!!!CAUTION!!!!! ফ͠·ͨ͠
ຊԻฤ
ͳΜͰฉ͍͍ͯͩ͘͞ :D