Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node.js のセキュリティの話
Search
Yosuke Furukawa
PRO
June 14, 2014
Programming
18
10k
Node.js のセキュリティの話
Production (セキュリティ編)ということで疎かになりがちなセキュリティの話
Yosuke Furukawa
PRO
June 14, 2014
Tweet
Share
More Decks by Yosuke Furukawa
See All by Yosuke Furukawa
Welcome JSConf.jp 2024
yosuke_furukawa
PRO
1
3.8k
tc39 x jsconf.jp Panel Discussion 2024
yosuke_furukawa
PRO
0
190
Removing Corepack
yosuke_furukawa
PRO
9
1.5k
JavaScript Runtime とはなにか
yosuke_furukawa
PRO
15
2.6k
Strip Types と Storage
yosuke_furukawa
PRO
4
370
Module Harmony について
yosuke_furukawa
PRO
3
1.6k
LTのやり方
yosuke_furukawa
PRO
16
2.4k
AppRouter Panel Talk
yosuke_furukawa
PRO
3
750
Node.js v22 で変わること
yosuke_furukawa
PRO
13
5.8k
Other Decks in Programming
See All in Programming
CDK開発におけるコーディング規約の運用
yamanashi_ren01
2
250
sappoRo.R #12 初心者セッション
kosugitti
0
280
CI改善もDatadogとともに
taumu
0
200
データの整合性を保つ非同期処理アーキテクチャパターン / Async Architecture Patterns
mokuo
54
19k
CDKを使ったPagerDuty連携インフラのテンプレート化
shibuya_shogo
0
110
Django NinjaによるAPI開発の効率化とリプレースの実践
kashewnuts
1
250
CloudNativePGを布教したい
nnaka2992
0
110
Flutter × Firebase Genkit で加速する生成 AI アプリ開発
coborinai
0
170
15分で学ぶDuckDBの可愛い使い方 DuckDBの最近の更新
notrogue
3
520
DRFを少しずつ オニオンアーキテクチャに寄せていく DjangoCongress JP 2025
nealle
2
270
Honoのおもしろいミドルウェアをみてみよう
yusukebe
1
230
メンテが命: PHPフレームワークのコンテナ化とアップグレード戦略
shunta27
0
300
Featured
See All Featured
Navigating Team Friction
lara
183
15k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Code Reviewing Like a Champion
maltzj
521
39k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
KATA
mclloyd
29
14k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Being A Developer After 40
akosma
89
590k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Bash Introduction
62gerente
611
210k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Transcript
Node.jsͷݐલͱຊԻ @yosuke_furukawa
@yosuke_furukawa Node.jsϢʔβʔάϧʔϓද / DeNAॴଐ
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 :
ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 :
ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ ʊਓਓਓਓਓਓਓʊ ʼɹશ෦౦ژʂʂɹʻ ʉ:?:?:?:?:?:?:ʉ
ࣄͰͬͯΔ͜ͱ 1. WebήʔϜ࡞ͬͨΓ 2. ϥΠϒϥϦ࡞ͬͨΓ 3. ։ൃϝϯόʔͷޚ༻ฉ͖ ΠϯϑϥपΓଟগޱΛग़͢ɺαʔόαΠυΤϯδχΞɺ Backbone +
marionetteͰ։ൃͯͯ͠ΫϥΠΞϯταΠυͬͯΔ ͍ΘΏΔϑϧελοΫ(স)ΤϯδχΞ
ݐલ×ຊԻ
ݐલฤ
Productionʹ͢Δ࣌ʹͬͨ ΄͏͕ྑ͍͜ͱ(securityฤ)
Don’t run as root
Α͋͘ΔγνϡΤʔγϣϯ port൪߸Λ80/443Ͱ͍͔͋͛ͨΒɺͱ͍ͬͯ rootͰىಈ͢Δͷྑ͘ͳ͍ɻ
WebΞϓϦαʔόʔ WebΞϓϦαʔόʔ ඞཁҎ্ͷݖݶΛ༩͑Δ͖͡Όͳ͍ɻ ສ͕Ұ fs.unlink Λ࣮ߦ͞ΕͪΌͬͨΒ? ͦΕҎ֎ʹຊདྷಡΊͳ͍ϑΝΠϧ͕ fs.readFileͰಡΊͪΌͬͨΒ??
Cross Site Request Forgery
Α͋͘ΔγνϡΤʔγϣϯ ࣗͷαʔόʔ͔Β֎෦ͷαʔόʔΛ౿·͞ Εͯɺ֎෦αʔόʔ͔ΒউखʹϦΫΤετ͕ ൃߦ͞ΕΔɻ
csrfରࡦ (tokenํࣜ) // express var express = require(‘express'); var csrf
= require(‘csurf'); ! var app = express(); app.use(csrf()); ! ! // html ͷ form xhr Ͱ ϦΫΤετͷதʹ tokenΛೖΕͯૹΔ <input type=“hidden” name=“_csrf” value=“{{csrftoken}}”>
csrfରࡦ (xhr͔Ͳ͏͔Λ֬ೝ͢Δ) // express var express = require(‘express'); ! var
app = express(); app.use(function(req, res){ if (req.xhr) { // => X-Requested-With ͕͍ͭͯΔͱreq.xhrtrue // xhrsame origin policy͕ద༻͞ΕΔͨΊɺผυϝΠϯ͔Β // ϦΫΤετൃߦͰ͖ͳ͍ } // … }); !
XSSରࡦ
Α͋͘ΔγνϡΤʔγϣϯ socket.ioͱ͔ͰσʔλΛchatͰΓͱΓ chatʹhtml͕ॻ͚Δͱҙͷjavascript Λ࣮ߦ͞Εͯ͠·͏ɻ
tweetdeck ͞Μ……
αχλΠζ var validator = require(‘validator'); ! socket.on(“message”, function(data){ // <script>alert(“hoge”);</script>
// <script>alert("hoge");</script> validator.escape(data); });
secure session app.use(express.session({ secret: “dontusethisone", cookie: { // ສ͕ҰXSS͕ൃੜͯ͠javascript͔Β //
cookieΛऔΕͳ͍Α͏ʹ͢Δ httpOnly: true, secure: true }, }));
disable x-powered-by
Α͋͘ΔγνϡΤʔγϣϯ ߈ܸऀͷཱ͔Β͢ΔͱେମόοΫΤϯυͷαʔ ό/ϦόʔεϓϩΩγ͕Կ͔Λ࠷ॳʹ֬ೝ͢Δɻ x-powered-by߈ܸऀʹͱͬͯ߈ܸͷώϯ τΛ༩͑ΔࣄʹͳΔɻ
x-powered-byΛফ͢ // express var express = require(‘express'); var app =
express(); app.disable(‘x-powered-by’); ! // ͜͏͢Δ͜ͱͰ // ߈ܸऀʹόοΫΤϯυͷαʔόʔ͕Կ͔͑ͳ͍ɻ
https
جຊhttpsʹ͢Δ httpͩͱϦΫΤετϨεϙϯεͷ༰͕ฏจ ͰΠϯλʔωοπۭؒΛྲྀΕΔ ϦΫΤετղੳ͞ΕͯϢʔβʔͷॏཁͳใ ͕࿙ΕͨΒݏɻ
mozaic.fm #4 CCS ࣭ͯ͠Έͨ: Q. https͕ࠓޙओྲྀʹͳΔΜͰ͠ΐ͏͔? A. ओྲྀ͔Ͳ͏͔ͱ͔͘ɺൺ্͕͕Δͷؒҧ ͍ͳ͍ɻେखͷαʔϏε΄΅httpsʹͳ͍ͬͯͩ͘ Ζ͏
httpsͰexpress var express = require(‘express’); var https = require('https'); var
fs = require('fs'); ! var options = { key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'), cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem') }; ! express.createServer(options); ! // ·͊ͰϦόʔεϓϩΩγͱ͔ͰhttpsΛhttpʹม͢Δ͜ͱͷํ͕ଟ͍͔
ϦόʔεϓϩΩγͰղܾ͢Δख͋Δ OHJOY OPEFKT IUUQ IUUQT
Denial of Service
Node.jsͷDoS γϯάϧεϨουͳͷͰ CPUෛՙ͕͔͔ΔΑ͏ͳॲཧΓۤख
JSON.parse/JSON.stringify // JSON.parse/JSON.stringifyಉظతͳॲཧ // ڊେͳJSON͕དྷΔͱͦͷparse/stringifyͷλΠϛϯάͰॲཧ͕ࢭ·Δɻ // ͳͷͰɺϦΫΤετͷίϯςϯταΠζΛݟͯͪΌΜͱ͘Α͏ʹͨ͠΄͏͕ྑ ͍ɻ ! var
length = +req[‘content-length’]; if (length > 100000) { throw new Error(“Max content size is exceeded”); } ! // ͪͳΈʹexpress/body-parser 100kb ·ͰͰσϑΥϧτ੍ݶ͞ΕͯΔɻ // ࠓ JSON.parse/stringifyʹasync͕͔͘Ͳ͏͔ݕ౼͞ΕͯΔ // https://github.com/joyent/node/issues/7543
Evil regex https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications ਖ਼نදݱϚονCPUίετߴ͍
Evil regex ͳΜͰਖ਼نදݱͰݕࠪ͠ͳ͍ ਖ਼نදݱΛ͏ͱ͖ϓϩͷํʹϨϏϡʔͯ͠Β͏
ͪΖΜɺ͜ͷଞʹ
• ͪΌΜͱϩάΛऔΔ • ΞΫηεղੳΛߦͬͯෆ৹ͳΞΫηε͕ͳ͍ ͔ௐΔ • ೝূ/ೝՄͷΈΛݕ౼͢Δ • ສ͕ҰDoSͰԠෆೳʹͳͬͨΒαʔϏεΛ ࠶ىಈͤ͞Δ
• Ωϟον͞Εͳ͍ྫ֎ϩάΛు͍͔ͯΒࢮ ͵Α͏ʹ͢Δɻ
ࢀߟࢿྉ https://speakerdeck.com/ckarande/top-overlooked-security-threats-to- node-dot-js-web-applications https://gist.github.com/cerebrl/6487587 http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool- for.html
ݐલฤ
ຊԻฤ
!!!!!CAUTION!!!!! ফ͠·ͨ͠
ຊԻฤ
ͳΜͰฉ͍͍ͯͩ͘͞ :D