INTER-Mediatorが備えるセキュリティ機能

INTER-Mediator͕උ͑Δ ηΩϡϦςΟ‫ػ‬ೳ 2019/08/24 INTER-Mediatorʬେʭษ‫ڧ‬ձ 2019 দඌಞʢ‫ࣜג‬ձࣾΤϛοΫʣ

Agenda • WebΞϓϦͰ‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • INTER-MediatorͷηΩϡϦςΟ‫ػ‬ೳ • INTER-Mediator Training Course

WebΞϓϦͰ ‫͔ͭݟ‬Γ΍͍͢੬ऑੑ

WebΞϓϦͷ੬ऑੑΛ஌Δ • ҆શͳ΢ΣϒαΠτͷ࡞ΓํΛࢀর https://www.ipa.go.jp/security/vuln/ websecurity.html ʢIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐ‫ߏػ‬ʣ

• https://www.ipa.go.jp/security/vuln/websecurity.html

‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • SQLΠϯδΣΫγϣϯ • OSίϚϯυɾΠϯδΣΫγϣϯ • σΟϨΫτϦɾτϥόʔαϧ • ηογϣϯ؅ཧͷෆඋ

‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • ΫϩεαΠτɾεΫϦϓςΟϯά ʢXSSʣ • ΫϩεαΠτɾϦΫΤετɾϑΥʔδΣ ϦʢCSRFʣ • HTTPϔομɾΠϯδΣΫγϣϯ

‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • ϝʔϧϔομɾΠϯδΣΫγϣϯ • ΫϦοΫδϟοΩϯά • όοϑΝΦʔόʔϑϩʔ • ΞΫηε੍‫ޚ‬΍ೝՄ੍‫ޚ‬ͷܽམ

INTER-Mediatorͷ ηΩϡϦςΟ‫ػ‬ೳ

XSSରࡦ • INTER-Mediator͸HTMLग़ྗ࣌ʹσϑΥ ϧτͰΤεέʔϓॲཧΛߟྀ <td colspan="3" class="grayback" dataim="messageauth@message">

innerHTMLϓϩύςΟ • ࢓্༷ΤεέʔϓॲཧΛ͠ͳ͍৔߹͸ innerHTMLϓϩύςΟʹ୅ೖ <td colspan="3" class="grayback" dataim="messageauth@message@innerHTML">

CSRFରࡦ • params.phpͰ$webServerNameΛઃఆ • σϑΥϧτͰ͸ະઃఆ • WebΞϓϦέʔγϣϯ͕Քಇ͍ͯ͠Δ ϗετͷυϝΠϯ໊΋͘͠͸FQDN ʢ‫׬‬શम০υϝΠϯ໊ʣΛ഑ྻͰࢦఆ

CSRFରࡦ • params.phpͰͷ$webServerNameઃఆྫ $webServerName = array('intermediator.com', 'inter-mediator.info');

CSRFରࡦ • ϦΫΤετϔομʔʹX-From͓Αͼ OriginΛར༻͢Δख๏Λར༻ http://hasegawa.hatenablog.com/entry/ 20130302/p1

• http://hasegawa.hatenablog.com/entry/

ΫϦοΫδϟοΩϯάରࡦ • params.phpͰ$xFrameOptionsΛઃఆ • ‫ࡏݱ‬ͷͱ͜ΖσϑΥϧτͰ͸ະઃఆ • ઃఆྫ $xFrameOptions = 'SAMEORIGIN';

INTER-Mediatorͷೝূ‫ػ‬ೳ • ωΠςΟϒೝূ • σʔλϕʔεΤϯδϯʹ૊Έࠐ·Εͨ ϢʔβʔΛར༻͢Δํ๏ • Ϣʔβʔೝূ • σʔλϕʔεʹ‫·ؚ‬ΕΔςʔϒϧ͋Δ ͍͸ϏϡʔΛར༻͢Δํ๏

INTER-Mediatorͷೝূ‫ػ‬ೳ • INTER-MediatorͰͷೝূ΍ΞΫηε‫ݖ‬ઃ ఆͰ͸Ϣʔβʔ΍άϧʔϓΛ࢖༻ • LDAP΍OAuth2ʹΑΔೝূʹ΋ରԠ

INTER-Mediatorͷೝূ‫ػ‬ೳ • authuserɺauthgroupɺauthcorͷͦΕͧ Εͷςʔϒϧʹ‫ه‬࿥͓ͯ͘͠ͷ͕‫ج‬ຊ ʢωΠςΟϒೝূҎ֎ͷख๏Ͱ͸ʣ • ೝূΛνϟϨϯδ-ϨεϙϯεʹΑͬͯ ߦ͏ͨΊͷissuedhashςʔϒϧ΋ඞཁ

ೝূ͸ఆٛϑΝΠϧͰઃఆ IM_Entry( array(array( 'name' => 'chat', 'key' => 'id', 'authentication' => array('all' => array('target' => 'field-user', 'field' => 'user',),), 'protect-writing' => array( 'user' ), ),), array( 'authentication' => array( // Φϓγϣϯઃఆ 'user' => array('user1'), // ϩάΠϯՄೳͳϢʔβʔ 'group' => array('group2'), // ϩάΠϯՄೳͳάϧʔϓ ), ), array('db-class' => 'PDO'), false );

ಛఆϢʔβʔͷΈϩάΠϯ • ΦϓγϣϯઃఆͷauthenticationΩʔʹ userΩʔͷ഑ྻΛࢦఆ

ಛఆάϧʔϓͷΈϩάΠϯ • ΦϓγϣϯઃఆͷauthenticationΩʔʹ groupΩʔͷ഑ྻΛࢦఆ

Ϩίʔυ୯ҐͷΞΫηε‫ݖ‬ • ίϯςΩετఆٛͷauthenticationΩʔͷ ഑ྻͷதͰɺૢ࡞໊ΛΩʔʹͨ͠഑ྻ ͰɺtargetΩʔͱfieldΩʔΛࢦఆ

Ϩίʔυ୯ҐͷΞΫηε‫ݖ‬ • targetΩʔͷ஋͕ʮfield-userʯͳΒfield ΩʔͰࢦఆͨ͠ϑΟʔϧυʹ͋Δ໊લ ͷϢʔβʔʹରͯ͠‫ݶݖ‬Λ෇༩ • targetΩʔͷ஋͕ʮfield-groupʯͳΒfield ΩʔͰࢦఆͨ͠ϑΟʔϧυʹ͋Δ໊લ ͷάϧʔϓʹରͯ͠‫ݶݖ‬Λ෇༩

ͦͷଞͷઃఆ߲໨ • params.phpͰ‫ه‬ड़͢ΔηΩϡϦςΟؔ࿈ ͷઃఆ߲໨ • $contentSecurityPolicy • $generatedPrivateKey • $passwordPolicy

ৄࡉʹ͍ͭͯ͸ • INTER-Mediator Training CourseΛࢀর • Chapter 7ʮηΩϡϦςΟͱೝূɾΞ Ϋηε‫ݖ‬ʯ • Chapter 8ʮαʔόʔαΠυͰͷϓϩ άϥϛϯάʯ

ͦͷଞ஌͓͖͍ͬͯͨ͜ͱ • ҉߸Խ௨৴ͷͨΊͷSSL/TLS • HTTPͰ͸௨৴͸҉߸Խ͞Εͳ͍ • SSL/TLSΛ༗ޮԽͨ͠HTTPSΛ༻͍Δ

ৗ࣌SSL • ༻్ɾ໨తʹԠͯ͡HTTPΛ࢖༻Ͱ͸ͳ ͘ৗʹHTTPSͷར༻͕ਪ঑͞ΕΔঢ়‫گ‬ • SSL/TLSΛ༗ޮʹ͢Δʹ͸ೝূ‫͔ہ‬Β SSLαʔόʔূ໌ॻΛཁߪೖ • ແྉͷূ໌ॻʢLet's Encryptʣ΋ଘࡏ

INTER-Mediator Training Course

τϨʔχϯάίʔε • INTER-Mediatorͷ։ൃख๏Λԋश‫Ͱࣜܗ‬ ࣗश͢Δ༗ঈͷτϨʔχϯάίʔε • ePub‫ࣜܗ‬ͷిࢠग़൛෺ • INTER-Mediator-Server VMΛར༻͠ͳ ͕ΒԋशΛਐΊΒΕΔ

αʔόʔαΠυͰग़ྗௐ੔ ʢఆٛϑΝΠϧͰͷઃఆʣ • ίϯςΩετఆٛʹextending-classΩʔ Ͱ‫ه‬ड़ • Ϋϥε໊ʹʮ.phpʯΛ͚ͭͨϑΝΠϧ໊ ͷϑΝΠϧΛఆٛϑΝΠϧͱಉҰ֊૚ ʹ഑ஔ

αʔόʔαΠυͰग़ྗௐ੔ ʢఆٛϑΝΠϧͰͷઃఆྫʣ IM_Entry( array( array( "name" => "salesitems", "view" => "items", "query" => array( array("field" => "year", "operator" => "=", "value" => "2016"), ), "extending-class" => "AdditionalProccess", ),

αʔόʔαΠυͰग़ྗௐ੔ ʢPHPʹΑΔ֦ுྫʣ <?php class AdditionalProccess implements Extending_Interface_BeforeRead, Extending_Interface_AfterRead { public function doBeforeReadFromDB() { } public function doAfterReadFromDB($result) { /* ͜͜ʹಠࣗͷॲཧΛ‫ه‬ड़ */ return $result; } }

αʔόʔαΠυͰग़ྗௐ੔ • ৄࡉ͸INTER-Mediator Training Courseͷ Chapter 8ʮαʔόʔαΠυͰͷϓϩά ϥϛϯάʯΛࢀর

·ͱΊ

·ͱΊ • WebΞϓϦέʔγϣϯͷ੬ऑੑΛͳ ͘͢ҰൠతͳղܾࡦΛ஌Δ • ϑϨʔϜϫʔΫ͕ఏ‫͢ڙ‬ΔηΩϡϦςΟ ‫ػ‬ೳͱલఏ৚݅Λ೺Ѳ͢Δ • σʔλϕʔειϑτ΢ΣΞ͕උ͑Δη ΩϡϦςΟ‫ػ‬ೳΛཧղ͢Δ