Node.js security
1 like544 views
Документ содержит информацию о безопасности приложений на Node.js, включая уязвимости, такие как SQL-инъекции и XSS, а также инструменты для их обнаружения, например, eslint и npm audit. Он обсуждает конкурентную модель исполнения, особенности управления состоянием и подключения к базе данных. Также представлены рекомендации по повышению безопасности, включая использование CSP и безопасных HTTP-заголовков.
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
toString().padStart(width) : cell.padEnd(width); }).join(''))).join
}; const proportion = (max, val) => Math.round(val * 100 / max); co
calcProportion = table => { table.sort((row1, row2) => row2[DENSITY
row1[DENSITY_COL]); const maxDensity = table[0][DENSITY_COL]; table
forEach(row => { row.push(proportion(maxDensity, row[DENSITY_COL]))
return table; }; const getDataset = file => { const lines = fs.read
FileSync(file, 'utf8').toString().split('n'); lines.shift(); lines
return lines.map(line => line.split(',')); }; const main = compose
(getDataset, calcProportion, renderTable); const fs = require('fs'
compose = (...funcs) => x => funcs.reduce((x, fn) => fn(x), x); con
DENSITY_COL = 3; const renderTable = table => { const cellWidth = [
8, 8, 18, 6]; return table.map(row => (row.map((cell, i) => { const
= cellWidth[i]; return i ? cell.toString().padStart(width) : cell.p
(width); }).join(''))).join('n'); }; const proportion = (max, val)
Безопасность
приложений Node.js
Тимур Шемсединов
github.com/HowProgrammingWorks
github.com/tshemsedinov
Chief Software Architect at Metarhia
Lecturer at Kiev Polytechnic Institute](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-1-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Аспекты безопасности для Node.js
● Конкурентная модель исполнения I/O
● Уязвимости path traversal повсюду
● SQL injection, XSRF, XSS и другие типичные
● Зависимости: загляните в node_modules
● Утечки ресурсов (приводящие к падению)
● Храним только хеши паролей с солью
● Управляем нагрузкой, иначе встречаем DoS](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-2-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Инструменты безопасности для Node.js
● Линтер может кое-что найти
github.com/nodesecurity/eslint-plugin-security
● Умеет искать npm audit и даже исправлять
через npm audit fix
● Специальные инструменты: nsp, snyk
● Githib имеет встроенный Security Alert](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-3-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Конкурентная модель
● В одном процессе и одном потоке
выполняется одновременно много запросов
● Все данные в памяти у них общие
● Права у процесса общие
● Переменные окружения и конфиги общие
● Соединения с БД, зависимости и сеть общие
● Падает тоже процесс целиком](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-4-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Глобальное состояние
let groupName;
app.use((req, res, next) => {
groupName = 'idiots'; next();
});
app.get('/user', (req, res) => {
if (res.groupName === 'idiots') {
res.end('I know you!');
}
});](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-5-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Миксины к req и res
app.use((req, res, next) => {
res.groupName = 'idiots';
next();
});
app.get('/user', (req, res) => {
if (res.groupName === 'idiots') {
res.end('I know you!');
}
});](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-6-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Специальное место res.locals
app.use((req, res, next) => {
res.locals.groupName = 'idiots';
next();
});
app.get('/user', (req, res) => {
if (res.locals.groupName === 'idiots') {
res.end('I know you!');
}
});](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-7-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Примешивание методов
app.get('/user/:id', (req, res, next) => {
req.auth = (login, password) => { /* auth */ };
next();
});
app.get('/user/:id', (req, res) => {
if (req.auth(req.params.id, '111')) {
res.end('I know you!');
}
});](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-8-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Соединение с БД на обработчиках
app.get((req, res, next) => {
req.db = new Pool(config);
next();
});
app.get('/user/:id', (req, res) => {
req.db.query('SELECT * from USERS', (e, r) => {
});
});](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-9-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Потеря соединений при ошибках
const db = new Pool(config);
app.get('/user/:id', (req, res) => {
req.db.query('SELECT * from USERS', (err, r) => {
if (err) throw err;
// Prepare data to reply client
});
});](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-10-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
Зависимости
● Возможно, встроенные модули умеют
● Пакеты с очень похожими именами
● Зараженные пакеты
● Перед использованием смотрим код
● Смотрим вложенные зависимости
● Проверяем по базам уязвимостей
● Проверяем сообщество и поддержку](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-11-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
SQLI (SQL Injection)
Инъекция SQL
Привет! Смотри, что про тебя пишут:
http://bank-web-site.com/accounts?
name='marcus'%20--%20
“SELECT * from Accounts where name=” + name](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-12-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
XSRF (Cross-Site Request Forgery)
Межсайтовая подделка запросов
Привет! Смотри, что про тебя пишут:
http://payment-system.com/api/transfer?
amount=1000&destination=card-number](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-13-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
XSS (Cross-Site Scripting)
Межсайтовый скриптинг
Привет! Смотри, что про тебя пишут:
http://control-panel.com/help.php?q=
%3Cscript%3Ealert('Hello');%3C/script%3E](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-14-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
CSP (Content Security Policy)
В браузеры встроен еще один
уровень защиты от XSS и других типов атак
https://developer.mozilla.org/en-US/docs/
Web/HTTP/CSP](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-15-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
На что еще обратить внимание
● httponly cookies
https://www.owasp.org/index.php/HttpOnly
● HTTP Headers:
● X-XSS-Protection
● X-Frame-Options
● X-Content-Type-Options
etc.](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-16-320.jpg)
![const fs = require('fs'); const compose = (...funcs) => x => funcs.
reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab
table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma
=> (row.map((cell, i) => { const width = cellWidth[i]; return i ? c
OWASP (Open Web App. Security Project)
Открытый проект обеспечения безопасности
веб-приложений
https://owasp.org/](https://image.slidesharecdn.com/node-191128205315/85/Node-js-security-17-320.jpg)
Node.js security
- 1. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c toString().padStart(width) : cell.padEnd(width); }).join(''))).join }; const proportion = (max, val) => Math.round(val * 100 / max); co calcProportion = table => { table.sort((row1, row2) => row2[DENSITY row1[DENSITY_COL]); const maxDensity = table[0][DENSITY_COL]; table forEach(row => { row.push(proportion(maxDensity, row[DENSITY_COL])) return table; }; const getDataset = file => { const lines = fs.read FileSync(file, 'utf8').toString().split('n'); lines.shift(); lines return lines.map(line => line.split(',')); }; const main = compose (getDataset, calcProportion, renderTable); const fs = require('fs' compose = (...funcs) => x => funcs.reduce((x, fn) => fn(x), x); con DENSITY_COL = 3; const renderTable = table => { const cellWidth = [ 8, 8, 18, 6]; return table.map(row => (row.map((cell, i) => { const = cellWidth[i]; return i ? cell.toString().padStart(width) : cell.p (width); }).join(''))).join('n'); }; const proportion = (max, val) Безопасность приложений Node.js Тимур Шемсединов github.com/HowProgrammingWorks github.com/tshemsedinov Chief Software Architect at Metarhia Lecturer at Kiev Polytechnic Institute
- 2. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Аспекты безопасности для Node.js ● Конкурентная модель исполнения I/O ● Уязвимости path traversal повсюду ● SQL injection, XSRF, XSS и другие типичные ● Зависимости: загляните в node_modules ● Утечки ресурсов (приводящие к падению) ● Храним только хеши паролей с солью ● Управляем нагрузкой, иначе встречаем DoS
- 3. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Инструменты безопасности для Node.js ● Линтер может кое-что найти github.com/nodesecurity/eslint-plugin-security ● Умеет искать npm audit и даже исправлять через npm audit fix ● Специальные инструменты: nsp, snyk ● Githib имеет встроенный Security Alert
- 4. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Конкурентная модель ● В одном процессе и одном потоке выполняется одновременно много запросов ● Все данные в памяти у них общие ● Права у процесса общие ● Переменные окружения и конфиги общие ● Соединения с БД, зависимости и сеть общие ● Падает тоже процесс целиком
- 5. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Глобальное состояние let groupName; app.use((req, res, next) => { groupName = 'idiots'; next(); }); app.get('/user', (req, res) => { if (res.groupName === 'idiots') { res.end('I know you!'); } });
- 6. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Миксины к req и res app.use((req, res, next) => { res.groupName = 'idiots'; next(); }); app.get('/user', (req, res) => { if (res.groupName === 'idiots') { res.end('I know you!'); } });
- 7. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Специальное место res.locals app.use((req, res, next) => { res.locals.groupName = 'idiots'; next(); }); app.get('/user', (req, res) => { if (res.locals.groupName === 'idiots') { res.end('I know you!'); } });
- 8. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Примешивание методов app.get('/user/:id', (req, res, next) => { req.auth = (login, password) => { /* auth */ }; next(); }); app.get('/user/:id', (req, res) => { if (req.auth(req.params.id, '111')) { res.end('I know you!'); } });
- 9. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Соединение с БД на обработчиках app.get((req, res, next) => { req.db = new Pool(config); next(); }); app.get('/user/:id', (req, res) => { req.db.query('SELECT * from USERS', (e, r) => { }); });
- 10. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Потеря соединений при ошибках const db = new Pool(config); app.get('/user/:id', (req, res) => { req.db.query('SELECT * from USERS', (err, r) => { if (err) throw err; // Prepare data to reply client }); });
- 11. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c Зависимости ● Возможно, встроенные модули умеют ● Пакеты с очень похожими именами ● Зараженные пакеты ● Перед использованием смотрим код ● Смотрим вложенные зависимости ● Проверяем по базам уязвимостей ● Проверяем сообщество и поддержку
- 12. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c SQLI (SQL Injection) Инъекция SQL Привет! Смотри, что про тебя пишут: http://bank-web-site.com/accounts? name='marcus'%20--%20 “SELECT * from Accounts where name=” + name
- 13. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c XSRF (Cross-Site Request Forgery) Межсайтовая подделка запросов Привет! Смотри, что про тебя пишут: http://payment-system.com/api/transfer? amount=1000&destination=card-number
- 14. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c XSS (Cross-Site Scripting) Межсайтовый скриптинг Привет! Смотри, что про тебя пишут: http://control-panel.com/help.php?q= %3Cscript%3Ealert('Hello');%3C/script%3E
- 15. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c CSP (Content Security Policy) В браузеры встроен еще один уровень защиты от XSS и других типов атак https://developer.mozilla.org/en-US/docs/ Web/HTTP/CSP
- 16. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c На что еще обратить внимание ● httponly cookies https://www.owasp.org/index.php/HttpOnly ● HTTP Headers: ● X-XSS-Protection ● X-Frame-Options ● X-Content-Type-Options etc.
- 17. const fs = require('fs'); const compose = (...funcs) => x => funcs. reduce((x, fn) => fn(x), x); const DENSITY_COL = 3; const renderTab table => { const cellWidth = [18, 10, 8, 8, 18, 6]; return table.ma => (row.map((cell, i) => { const width = cellWidth[i]; return i ? c OWASP (Open Web App. Security Project) Открытый проект обеспечения безопасности веб-приложений https://owasp.org/