August 24, 19
Slide summary
2019/08/24 Presentation material for INTER-Mediator《大》勉強会 2019 (the INTER-Mediator "Big" Study Meeting 2019)
Web Application Developer / kintone CERTIFIED App Design Specialist 2020 / kintone CERTIFIED Customization Specialist 2020
Security features INTER-Mediator provides
2019/08/24 INTER-Mediator《大》勉強会 2019
Atsushi Matsuo (Emic Co., Ltd.)
Agenda
• Vulnerabilities commonly found in web apps
• INTER-Mediator's security features
• INTER-Mediator Training Course
Vulnerabilities commonly found in web apps
Know the vulnerabilities of web apps
• Refer to IPA's "How to Secure Your Web Site" (安全なウェブサイトの作り方): https://www.ipa.go.jp/security/vuln/websecurity.html (IPA, Information-technology Promotion Agency, Japan)
Commonly found vulnerabilities
• SQL injection
• OS command injection
• Directory traversal
• Flawed session management
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• HTTP header injection
• E-mail header injection
• Clickjacking
• Buffer overflow
• Missing access control or authorization control
INTER-Mediator's security features
XSS countermeasure
• INTER-Mediator applies escaping by default when it outputs HTML:
<td colspan="3" class="grayback" data-im="messageauth@message">
The innerHTML property
• To skip the escaping described above, bind the value to the innerHTML property instead (the value is then inserted as raw HTML, so use this only for content that is already trusted):
<td colspan="3" class="grayback" data-im="messageauth@message@innerHTML">
CSRF countermeasure
• Set $webServerName in params.php
• Not set by default
• Specify, as an array, the domain name or FQDN (fully qualified domain name) of the host the web application runs on
CSRF countermeasure
• Example $webServerName setting in params.php:
$webServerName = array('intermediator.com', 'inter-mediator.info');
CSRF countermeasure
• Uses the approach of checking the X-From and Origin request headers: http://hasegawa.hatenablog.com/entry/20130302/p1
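As an added illustration of the header check the slides describe (not INTER-Mediator's own implementation), the following PHP function compares the hosts named in the Origin and X-From request headers against the $webServerName array from params.php; the header values in the self-check are constructed, and the treatment of an "Origin: null" value as untrusted is an assumption of this example.

```php
<?php
// Added illustration of the Origin / X-From allowlist check described in the
// slides; it is not INTER-Mediator's own implementation. $webServerName is the
// array from params.php; the request header values further down are constructed.
$webServerName = array('intermediator.com', 'inter-mediator.info');

// Returns the lower-cased host of a URL-shaped header value, or null when the
// value is absent, "null" (an opaque origin; treated as untrusted here) or has no parsable host.
function hostOfHeader(?string $value): ?string
{
    if ($value === null || $value === '' || $value === 'null') {
        return null;
    }
    $host = parse_url($value, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// A state-changing request is accepted only if at least one of the two headers
// is present and every header that is present names an allowlisted host exactly
// (an exact match, so "intermediator.com.example" does not pass).
function isTrustedRequest(array $allowed, ?string $origin, ?string $xFrom): bool
{
    $allowed = array_map('strtolower', $allowed);
    $seen = false;
    foreach (array($origin, $xFrom) as $header) {
        if ($header === null) {
            continue; // header not sent at all
        }
        $host = hostOfHeader($header);
        if ($host === null || !in_array($host, $allowed, true)) {
            return false; // unparsable value or a host outside the allowlist
        }
        $seen = true;
    }
    return $seen;
}

// Self-check on constructed header values.
function check(bool $ok, string $case): void
{
    if (!$ok) { throw new RuntimeException("check failed: $case"); }
}
check(isTrustedRequest($webServerName, 'https://intermediator.com', 'https://intermediator.com/app/chat.html'), 'both headers match');
check(isTrustedRequest($webServerName, null, 'https://inter-mediator.info/chat.html'), 'only X-From, matching');
check(!isTrustedRequest($webServerName, 'https://other.example', 'https://intermediator.com/app/chat.html'), 'foreign Origin');
check(!isTrustedRequest($webServerName, 'https://intermediator.com.example', null), 'lookalike host');
check(!isTrustedRequest($webServerName, 'null', null), 'opaque origin');
check(!isTrustedRequest($webServerName, null, null), 'no headers');
echo "all checks passed\n";
```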
Clickjacking countermeasure
• Set $xFrameOptions in params.php
• Currently not set by default
• Example setting:
$xFrameOptions = 'SAMEORIGIN';
INTER-Mediator's authentication features
• Native authentication: uses the user accounts built into the database engine
• User authentication: uses a table or view contained in the database
INTER-Mediator's authentication features
• INTER-Mediator's authentication and access-right settings work with users and groups
• Authentication via LDAP or OAuth2 is supported
INTER-Mediator's authentication features
• The basic approach is to record the data in the authuser, authgroup and authcor tables respectively (for methods other than native authentication)
• The issuedhash table is required for performing authentication by challenge-response
Authentication is configured in the definition file:
IM_Entry(
    array(
        array(
            'name' => 'chat',
            'key' => 'id',
            'authentication' => array(
                'all' => array('target' => 'field-user', 'field' => 'user'),
            ),
            'protect-writing' => array('user'),
        ),
    ),
    array(
        'authentication' => array( // option settings
            'user' => array('user1'),   // users allowed to log in
            'group' => array('group2'), // groups allowed to log in
        ),
    ),
    array('db-class' => 'PDO'),
    false
);
Allowing only specific users to log in
• Under the authentication key of the option settings, specify an array under the user key
Allowing only specific groups to log in
• Under the authentication key of the option settings, specify an array under the group key
Record-level access rights
• In the array under the authentication key of a context definition, give an array keyed by the operation name, and specify the target key and the field key in it
Record-level access rights
• If the target key's value is "field-user", rights are granted to the user whose name is stored in the field named by the field key
• If the target key's value is "field-group", rights are granted to the group whose name is stored in the field named by the field key
Other settings
• Security-related settings written in params.php:
• $contentSecurityPolicy
• $generatedPrivateKey
• $passwordPolicy
For details
• See the INTER-Mediator Training Course
• Chapter 7 "Security, authentication and access rights"
• Chapter 8 "Server-side programming"
Other things worth knowing
• SSL/TLS for encrypted communication
• Over HTTP, communication is not encrypted
• Use HTTPS, i.e. HTTP with SSL/TLS enabled
Always-on SSL
• Rather than using HTTP depending on purpose, HTTPS is now recommended at all times
• To enable SSL/TLS, an SSL server certificate must be purchased from a certificate authority
• Free certificates (Let's Encrypt) also exist
INTER-Mediator Training Course
Training course
• A paid training course for self-studying INTER-Mediator development techniques through exercises
• Published electronically in ePub format
• The exercises can be worked through using the INTER-Mediator-Server VM
Adjusting output on the server side (settings in the definition file)
• Specify the extending-class key in the context definition
• Place a file named after the class with ".php" appended in the same directory as the definition file
Adjusting output on the server side (example settings in the definition file):
IM_Entry(
    array(
        array(
            "name" => "salesitems",
            "view" => "items",
            "query" => array(
                array("field" => "year", "operator" => "=", "value" => "2016"),
            ),
            "extending-class" => "AdditionalProccess",
        ),
    ),
    // the slide ends here; the remaining arguments are supplied following the earlier example
    array(),
    array("db-class" => "PDO"),
    false
);
Adjusting output on the server side (example extension in PHP):
<?php
class AdditionalProccess implements Extending_Interface_BeforeRead, Extending_Interface_AfterRead
{
    public function doBeforeReadFromDB()
    {
    }

    public function doAfterReadFromDB($result)
    {
        /* write your own processing here */
        return $result;
    }
}
Adjusting output on the server side
• For details, see Chapter 8 "Server-side programming" of the INTER-Mediator Training Course
Summary
Summary
• Know the general solutions for eliminating web application vulnerabilities
• Understand the security features a framework provides and their prerequisites
• Understand the security features the database software offers