Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node.js のセキュリティの話
Search
Yosuke Furukawa
PRO
June 14, 2014
Programming
18
10k
Node.js のセキュリティの話
Production (セキュリティ編)ということで疎かになりがちなセキュリティの話
Yosuke Furukawa
PRO
June 14, 2014
Tweet
Share
More Decks by Yosuke Furukawa
See All by Yosuke Furukawa
Welcome JSConf.jp 2024
yosuke_furukawa
PRO
1
3.8k
tc39 x jsconf.jp Panel Discussion 2024
yosuke_furukawa
PRO
0
190
Removing Corepack
yosuke_furukawa
PRO
9
1.5k
JavaScript Runtime とはなにか
yosuke_furukawa
PRO
15
2.6k
Strip Types と Storage
yosuke_furukawa
PRO
4
370
Module Harmony について
yosuke_furukawa
PRO
3
1.6k
LTのやり方
yosuke_furukawa
PRO
16
2.4k
AppRouter Panel Talk
yosuke_furukawa
PRO
3
750
Node.js v22 で変わること
yosuke_furukawa
PRO
13
5.8k
Other Decks in Programming
See All in Programming
pylint custom ruleで始めるレビュー自動化
shogoujiie
0
150
Code smarter, not harder - How AI Coding Tools Boost Your Productivity | Angular Meetup Berlin
danielsogl
0
100
推しメソッドsource_locationのしくみを探る - はじめてRubyのコードを読んでみた
nobu09
2
140
Jakarta EE meets AI
ivargrimstad
0
260
PEPCは何を変えようとしていたのか
ken7253
2
140
15分で学ぶDuckDBの可愛い使い方 DuckDBの最近の更新
notrogue
2
410
Djangoにおける複数ユーザー種別認証の設計アプローチ@DjangoCongress JP 2025
delhi09
PRO
4
460
CI改善もDatadogとともに
taumu
0
190
Ruby on cygwin 2025-02
fd0
0
180
PHPのバージョンアップ時にも役立ったAST
matsuo_atsushi
0
220
sappoRo.R #12 初心者セッション
kosugitti
0
270
CSS Linter による Baseline サポートの仕組み
ryo_manba
1
150
Featured
See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
KATA
mclloyd
29
14k
GraphQLとの向き合い方2022年版
quramy
44
14k
Visualization
eitanlees
146
15k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
12
990
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k
Gamification - CAS2011
davidbonilla
80
5.2k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Done Done
chrislema
182
16k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Java REST API Framework Comparison - PWX 2021
mraible
29
8.4k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
Transcript
Node.jsͷݐલͱຊԻ @yosuke_furukawa
@yosuke_furukawa Node.jsϢʔβʔάϧʔϓද / DeNAॴଐ
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 :
ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ
։࠵༧ఆΠϕϯτ: 6/23 : ౦ژNodeֶԂ13࣌ݶ 7/3 : socket.io meetup 7/11 :
ఱԼҰΫϥΠΞϯταΠυJSϑϨʔϜϫʔΫಆձ ʊਓਓਓਓਓਓਓʊ ʼɹશ෦౦ژʂʂɹʻ ʉ:?:?:?:?:?:?:ʉ
ࣄͰͬͯΔ͜ͱ 1. WebήʔϜ࡞ͬͨΓ 2. ϥΠϒϥϦ࡞ͬͨΓ 3. ։ൃϝϯόʔͷޚ༻ฉ͖ ΠϯϑϥपΓଟগޱΛग़͢ɺαʔόαΠυΤϯδχΞɺ Backbone +
marionetteͰ։ൃͯͯ͠ΫϥΠΞϯταΠυͬͯΔ ͍ΘΏΔϑϧελοΫ(স)ΤϯδχΞ
ݐલ×ຊԻ
ݐલฤ
Productionʹ͢Δ࣌ʹͬͨ ΄͏͕ྑ͍͜ͱ(securityฤ)
Don’t run as root
Α͋͘ΔγνϡΤʔγϣϯ port൪߸Λ80/443Ͱ͍͔͋͛ͨΒɺͱ͍ͬͯ rootͰىಈ͢Δͷྑ͘ͳ͍ɻ
WebΞϓϦαʔόʔ WebΞϓϦαʔόʔ ඞཁҎ্ͷݖݶΛ༩͑Δ͖͡Όͳ͍ɻ ສ͕Ұ fs.unlink Λ࣮ߦ͞ΕͪΌͬͨΒ? ͦΕҎ֎ʹຊདྷಡΊͳ͍ϑΝΠϧ͕ fs.readFileͰಡΊͪΌͬͨΒ??
Cross Site Request Forgery
Α͋͘ΔγνϡΤʔγϣϯ ࣗͷαʔόʔ͔Β֎෦ͷαʔόʔΛ౿·͞ Εͯɺ֎෦αʔόʔ͔ΒউखʹϦΫΤετ͕ ൃߦ͞ΕΔɻ
csrfରࡦ (tokenํࣜ) // express var express = require(‘express'); var csrf
= require(‘csurf'); ! var app = express(); app.use(csrf()); ! ! // html ͷ form xhr Ͱ ϦΫΤετͷதʹ tokenΛೖΕͯૹΔ <input type=“hidden” name=“_csrf” value=“{{csrftoken}}”>
csrfରࡦ (xhr͔Ͳ͏͔Λ֬ೝ͢Δ) // express var express = require(‘express'); ! var
app = express(); app.use(function(req, res){ if (req.xhr) { // => X-Requested-With ͕͍ͭͯΔͱreq.xhrtrue // xhrsame origin policy͕ద༻͞ΕΔͨΊɺผυϝΠϯ͔Β // ϦΫΤετൃߦͰ͖ͳ͍ } // … }); !
XSSରࡦ
Α͋͘ΔγνϡΤʔγϣϯ socket.ioͱ͔ͰσʔλΛchatͰΓͱΓ chatʹhtml͕ॻ͚Δͱҙͷjavascript Λ࣮ߦ͞Εͯ͠·͏ɻ
tweetdeck ͞Μ……
αχλΠζ var validator = require(‘validator'); ! socket.on(“message”, function(data){ // <script>alert(“hoge”);</script>
// <script>alert("hoge");</script> validator.escape(data); });
secure session app.use(express.session({ secret: “dontusethisone", cookie: { // ສ͕ҰXSS͕ൃੜͯ͠javascript͔Β //
cookieΛऔΕͳ͍Α͏ʹ͢Δ httpOnly: true, secure: true }, }));
disable x-powered-by
Α͋͘ΔγνϡΤʔγϣϯ ߈ܸऀͷཱ͔Β͢ΔͱେମόοΫΤϯυͷαʔ ό/ϦόʔεϓϩΩγ͕Կ͔Λ࠷ॳʹ֬ೝ͢Δɻ x-powered-by߈ܸऀʹͱͬͯ߈ܸͷώϯ τΛ༩͑ΔࣄʹͳΔɻ
x-powered-byΛফ͢ // express var express = require(‘express'); var app =
express(); app.disable(‘x-powered-by’); ! // ͜͏͢Δ͜ͱͰ // ߈ܸऀʹόοΫΤϯυͷαʔόʔ͕Կ͔͑ͳ͍ɻ
https
جຊhttpsʹ͢Δ httpͩͱϦΫΤετϨεϙϯεͷ༰͕ฏจ ͰΠϯλʔωοπۭؒΛྲྀΕΔ ϦΫΤετղੳ͞ΕͯϢʔβʔͷॏཁͳใ ͕࿙ΕͨΒݏɻ
mozaic.fm #4 CCS ࣭ͯ͠Έͨ: Q. https͕ࠓޙओྲྀʹͳΔΜͰ͠ΐ͏͔? A. ओྲྀ͔Ͳ͏͔ͱ͔͘ɺൺ্͕͕Δͷؒҧ ͍ͳ͍ɻେखͷαʔϏε΄΅httpsʹͳ͍ͬͯͩ͘ Ζ͏
httpsͰexpress var express = require(‘express’); var https = require('https'); var
fs = require('fs'); ! var options = { key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'), cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem') }; ! express.createServer(options); ! // ·͊ͰϦόʔεϓϩΩγͱ͔ͰhttpsΛhttpʹม͢Δ͜ͱͷํ͕ଟ͍͔
ϦόʔεϓϩΩγͰղܾ͢Δख͋Δ OHJOY OPEFKT IUUQ IUUQT
Denial of Service
Node.jsͷDoS γϯάϧεϨουͳͷͰ CPUෛՙ͕͔͔ΔΑ͏ͳॲཧΓۤख
JSON.parse/JSON.stringify // JSON.parse/JSON.stringifyಉظతͳॲཧ // ڊେͳJSON͕དྷΔͱͦͷparse/stringifyͷλΠϛϯάͰॲཧ͕ࢭ·Δɻ // ͳͷͰɺϦΫΤετͷίϯςϯταΠζΛݟͯͪΌΜͱ͘Α͏ʹͨ͠΄͏͕ྑ ͍ɻ ! var
length = +req[‘content-length’]; if (length > 100000) { throw new Error(“Max content size is exceeded”); } ! // ͪͳΈʹexpress/body-parser 100kb ·ͰͰσϑΥϧτ੍ݶ͞ΕͯΔɻ // ࠓ JSON.parse/stringifyʹasync͕͔͘Ͳ͏͔ݕ౼͞ΕͯΔ // https://github.com/joyent/node/issues/7543
Evil regex https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications ਖ਼نදݱϚονCPUίετߴ͍
Evil regex ͳΜͰਖ਼نදݱͰݕࠪ͠ͳ͍ ਖ਼نදݱΛ͏ͱ͖ϓϩͷํʹϨϏϡʔͯ͠Β͏
ͪΖΜɺ͜ͷଞʹ
• ͪΌΜͱϩάΛऔΔ • ΞΫηεղੳΛߦͬͯෆ৹ͳΞΫηε͕ͳ͍ ͔ௐΔ • ೝূ/ೝՄͷΈΛݕ౼͢Δ • ສ͕ҰDoSͰԠෆೳʹͳͬͨΒαʔϏεΛ ࠶ىಈͤ͞Δ
• Ωϟον͞Εͳ͍ྫ֎ϩάΛు͍͔ͯΒࢮ ͵Α͏ʹ͢Δɻ
ࢀߟࢿྉ https://speakerdeck.com/ckarande/top-overlooked-security-threats-to- node-dot-js-web-applications https://gist.github.com/cerebrl/6487587 http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool- for.html
ݐલฤ
ຊԻฤ
!!!!!CAUTION!!!!! ফ͠·ͨ͠
ຊԻฤ
ͳΜͰฉ͍͍ͯͩ͘͞ :D