Upgrade to Pro — share decks privately, control downloads, hide ads and more …

その正規表現、異議あり! 〜 ReDoSについて

Avatar for Shu OGAWARA Shu OGAWARA
April 24, 2019
Technology
2
5.9k

その正規表現、異議あり! 〜 ReDoSについて

2019/04/24の銀座Rails#8での発表資料です。
スライド中で紹介している拙作gemはこちら https://github.com/expajp/reredos

Avatar for Shu OGAWARA

Shu OGAWARA

April 24, 2019
Tweet

More Decks by Shu OGAWARA

See All by Shu OGAWARA
入門 FormObject / An Introduction to FormObject #kaigionrails
Avatar for Shu OGAWARA expajp
2
2k
あなたの「仮説検証」、ゆがんでいませんか? / Isn't Your "Hypothesis Verification" Distorted? #emoasis
Avatar for Shu OGAWARA expajp
2
390
Rubyはなぜ「たのしい」のか? / Why is Ruby a programmers' best friend? #tqrk15
Avatar for Shu OGAWARA expajp
5
2k
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
Avatar for Shu OGAWARA expajp
8
5.4k
RubyKaigi参加歴をふりかえる / Looking Back on My RubyKaigi Participation History #kaigieffectLT
Avatar for Shu OGAWARA expajp
3
520
わたしのメタ学習 / My Own Meta Learning #shinjukurb
Avatar for Shu OGAWARA expajp
0
470
ActiveSupport::Concernで開くメタプログラミングの扉 #heiseirubykaigi / The door of meta-programing is opened by ActiveSupport::Concern
Avatar for Shu OGAWARA expajp
1
2.3k
実践Railsアプリケーション設計 #meetup_rails / Practical Rails Application Design
Avatar for Shu OGAWARA expajp
4
40k
【2019/07/06 TamaRuby会議01】brainf*ck処理系で理解するパターンマッチングをつかった疎結合な実装
Avatar for Shu OGAWARA expajp
2
2.7k

Other Decks in Technology

See All in Technology
空間を設計する力を考える / 20251004 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
3
330
Geospatialの世界最前線を探る [2025年版]
Avatar for Yasunori Kirimoto dayjournal
3
490
バイブコーディングと継続的デプロイメント
Avatar for nwiizo nwiizo
2
410
How to achieve interoperable digital identity across Asian countries
Avatar for Naohiro Fujie fujie
0
110
GopherCon Tour 概略
Avatar for Takuto Nagami logica0419
2
180
神回のメカニズムと再現方法/Mechanisms and Playbook for Kamikai scrumat2025
Avatar for moriyuya moriyuya
4
510
Trust as Infrastructure
Avatar for Bryan Cantrill bcantrill
0
320
多様な事業ドメインのクリエイターへ 価値を届けるための営みについて
Avatar for massyuu massyuu
0
100
ACA でMAGI システムを社内で展開しようとした話
Avatar for Yuji Masaoka | まっぴぃ mappie_kochi
0
240
stupid jj tricks
Avatar for André Arko indirect
0
7.9k
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
3
20k
GC25 Recap+: Advancing Go Garbage Collection with Green Tea
Avatar for Takuto Nagami logica0419
1
400

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
45
2.5k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
23
1.5k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
73
11k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
139
7.1k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
185
22k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1371
200k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
11
880
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.7k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
232
18k

Transcript

  1. ͦͷਖ਼نදݱɺҟٞ͋Γʂ ʙ ReDoSʹ͍ͭͯ Shu OGAWARA(@expajp) 2019/04/24 ۜ࠲Rails #8

  2. ਖ਼نදݱ࢖ͬͯ·͔͢ʁ

  3. ϝΞυͷόϦσʔγϣϯʹ ਖ਼نදݱΛ࢖͍ͬͯΔਓ

  4. ͦΕ͸΋͔ͯ͜͠͠ΜͳͷͰ͸ʁ 2019/04/24 4

  5. ໰୊ͳͦ͞͏ 2019/04/24 5

  6. ग़యɿχίχɾίϞϯζ http://commons.nicovideo.jp/material/nc38409

  7. ͜ͷਖ਼نදݱʹ͸ɺ ੬ऑੑ͕͋Δ

  8. ࣮ࡍʹ͝ཡ͍ͩ͘͞

  9. ςετεΫϦϓτ 2019/04/24 9 ग़యɿਖ਼نදݱͰͷϝʔϧΞυϨενΣοΫ͸ݟ௚͢΂͖ – ReDoS – yohgaki's blog https://blog.ohgaki.net/redos-must-review-mail-address-validation

  10. ࣮ߦ݁Ռ 2019/04/24 10

  11. ݪҼ • ਖ਼نදݱΤϯδϯʹѱຐͷূ໌Λ΍Β͍ͤͯΔ • ʮ೚ҙ௕ͷจࣈྻʯදݱ͕ଓ͘ͱ ੾Ε໨͕Θ͔Βͳ͍ͷͰɺશύλʔϯΛௐ΂Δ – શύλʔϯΛௐ΂ͳ͍ͱ Ϛον͠ͳ͍͜ͱ͸֬ఆͰ͖ͳ͍ –

    ૊Έ߹Θ͕ͤരൃ͍ͯ͠Δ 2019/04/24 11

  12. ࣮ࡍʹ૊Έ߹Θ͕ͤ രൃ͍ͯ͠Δ༷ࢠΛ ͝ཡ͍ͩ͘͞

  13. ؆୯ͷͨΊ • ݟͤΔͷ͸͜ͷ෦෼ͷνΣοΫͷΈ 2019/04/24 13

  14. ૊Έ߹Θͤരൃ • host. ·ͰϚονͯ͠ɺ࣍ 2019/04/24 14

  15. ૊Έ߹Θͤരൃ • . (υοτ) ·ͰϚον͕ͨ͠ 2019/04/24 15

  16. ૊Έ߹Θͤരൃ • ͦͷޙΖ͕ҧ͏ͷͰ໭Δ 2019/04/24 16

  17. ૊Έ߹Θͤരൃ • ΍ͬͺΓҧ͏ͷͰ1ͭ໭ΔɺΛ܁Γฦ͠ 2019/04/24 17

  18. ૊Έ߹Θͤരൃ • ͜͜·Ͱ໭Δ 2019/04/24 18

  19. ૊Έ߹Θͤരൃ • ࠷ޙ·Ͱ໭ͬͯ΋ɺ΍ͬͺΓϚον͠ͳ͍ 2019/04/24 19

  20. ૊Έ߹Θͤരൃ • * Λ0ճͱղऍͯ࣍͠Λௐ΂Δ 2019/04/24 20

  21. ૊Έ߹Θͤരൃ • ΍ͬͺΓϚον͠ͳ͍ͷͰ1ͭͣͭޙΖʹ 2019/04/24 21

  22. ૊Έ߹Θͤരൃ • 1ݸͣͭ໭ͬͯ΍ͬͱϚον͠ͳ͍ͷ͕֬ఆ 2019/04/24 22

  23. ͜Ε͕ԿΛҙຯ͢Δ͔ʁ

  24. ԿΛҙຯ͢Δ͔ • ௚લ·ͰҰகͯ͠ɺ ࠷ޙͷ1จࣈ͚ͩϚον͠ͳ͍จࣈྻΛ ϝʔϧΞυϨεཝʹ์ΓࠐΉ͚ͩͰ DoS߈ܸ͕Ͱ͖Δ 2019/04/24 24

  25. DoS߈ܸ • Ϧιʔεʹҙਤతʹա৒ͳෛՙΛ͔͚ͨΓ ੬ऑੑΛ͍ͭͨΓ͢ΔࣄͰ αʔϏεΛ๦֐͢Δ߈ܸख๏ͷ͜ͱ – F5ΞλοΫͱ͔ • ਖ਼نදݱΛ࢖ͬͨDoS͸ReDoSͱݺ͹ΕΔ 2019/04/24

    25

  26. ͞Βʹ൵͍͜͠ͱʹɺ ϝΞυͷ௕͞Ͱ஄͚ͳ͍

  27. ࣮ߦ݁Ռ 2019/04/24 27

  28. ϝʔϧΞυϨεͷఆٛ • RFC1035, 5321ΑΓ – ϝʔϧΞυϨεશମ͸256จࣈҎ಺ – Ϣʔβ໊ʢ@ͷલʣ͸64จࣈҎ಺ – υϝΠϯ͸255จࣈҎ಺

    – υϝΠϯͷϥϕϧ͸63จࣈҎ಺ • test.example.com <- ྫ͑͹͜͜ – ଞɺ࢖͑Δจࣈ΋ܾ·͍ͬͯΔ 2019/04/24 28

  29. Ͳ͏͢Ε͹Α͍ͷ͔ʁ

  30. จࣈྻΛ۠੾ͬͯ୹͘͠ γϯϓϧͳਖ਼نදݱͰ൑ఆ

  31. ͱ͸͍͑ɺ ͍͍࣮ͪͪ૷͢Δͷ͸໘౗

  32. ͱ͍͏Θ͚Ͱ (FNΛ࡞Γ·ͨ͠

  33. reredos 2019/04/24 33

  34. reredos • ReDoSʹڧ͍ϝΞυͷόϦσʔγϣϯΛߦ͍ɺ true/false Ͱฦ͢γϯϓϧͳgem • ࠓޙͷ༧ఆ – ଘࡏ͠ͳ͍TLDΛ஄͘ –

    URLʹରԠ͢Δ • PR͓଴ͪͯ͠·͢ 2019/04/24 34

  35. ·ͱΊ • ਖ਼نදݱͰDoS߈ܸΛ͔͚Δख๏͕͋Δ – ReDoSͱ͍͏ • ෳࡶͳਖ਼نදݱ͸ආ͚Δ΂͖ – ࢓༷ΛͪΌΜͱಡΜͰɺ୹͍୯ҐͰνΣοΫΛ͢ Δ͜ͱΛ৺͕͚Α͏

    • ϝΞυͰόϦσʔγϣϯ͔͚ΔgemΛ࡞ͬͨ 2019/04/24 35

  36. ฏ੒͕ऴΘΔલʹରԠ͠Α͏

  37. ࣗݾ঺հ • Shu OGAWARA (@expajp ) – ϦϯΧʔζגࣜձࣾ – Ruby/Railsྺ2೥ऑ

    – ग़਎͸ௗऔɺେֶ͸ਆށ – झຯ͸ΫϥγοΫܥͷ߹এ 2019/04/24 37