atmosphere 2014: scaling and securing node.js apps - maciej lasyk
DESCRIPTION
After a few years of node.js in operation we know it's very fast. We have all heard stories about backend services running with the help of node.js and the V8 core. But what have we learned about the security of such applications? What are the major threats here? I'll explain how to create node.js apps in a secure and reliable way. I'll also show how those can be scaled easily with (or without) the help of Linux containers (Docker based) or jail-like systems such as SELinux Sandbox or libvirt sandbox.

Maciej Lasyk - I've been working in IT Operations for the last 14 years. I've seen how infrastructures rose and failed, how great minds worked on scalability and kept the high pace of their platforms. I've been scaling and securing webapps for many years; within the Ganymede company, now with Lumesse and the Fedora Project. I'm an Open Source contributor, enthusiast and evangelist. I also support security projects like OWASP. You can catch me on Twitter @docent_net and also see my work on GitHub @docent-net and my personal blog.

TRANSCRIPT
![Page 1: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/1.jpg)
Maciej Lasyk
AtmosphereConf 2014
Warsaw, 2014-05-19
scaling & securing node.js apps
![Page 2: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/2.jpg)
$ whoami
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js securityMaciej Lasyk, scaling&securing node.js appsMaciej Lasyk, scaling&securing node.js apps, #AtmosphereConf 2014
- not only sysadmin ;)
- 14+ years of exp software dev / sysop
- ops lead
- contributing to Fedora Project (and couple more)
![Page 3: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/3.jpg)
![Page 4: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/4.jpg)
So what do you think about JS?
![Page 5: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/5.jpg)
So what do you think about JS?
- JS is for children!
- JS is slow!
- JS is not scalable!
- JS is insecure!
![Page 6: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/6.jpg)
node.js: history
- 2008: Google V8 release
- 2009: Ryan Dahl & node.js
- 2011: node.js release
- later on – Joyent till today
- and ^liftsecurity / nodesecurity.io
![Page 7: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/7.jpg)
![Page 8: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/8.jpg)
(http://www.phloxblog.in)
![Page 9: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/9.jpg)
node.js: developing ur code
raw node.js coding srsly?
(core modules only)
![Page 10: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/10.jpg)
node.js: developing ur code
maybe some frameworks?
- webserver: express
- client-server sync: backbone.js
- push: socket.io
- templates: swig
- i18n: babelfish
- client-side: jquery
- or...
- kraken.js does it all (almost)
![Page 11: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/11.jpg)
node.js: developing ur code
Biggest win here?
![Page 12: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/12.jpg)
node.js: developing ur code
Biggest win here?
One Language to Rule them all!
![Page 13: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/13.jpg)
security: JS issues
eval()-like functions take a string argument and evaluate it as source code
![Page 14: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/14.jpg)
security: JS issues
eval()-like functions take a string argument and evaluate it as source code
srsly – who does that?
![Page 15: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/15.jpg)
security: JS issues
not only evals:
setInterval(code, 2)      // a string passed as "code" is compiled just like eval()
setTimeout(code, 2)
fn = new Function(code)
Content-Security-Policy knows about those, but we're talking about server side...
![Page 16: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/16.jpg)
security: JS issues
Global nameSpace Pollution
- node.js is single threaded
- all variable values are common
- one could theoretically change the behaviour of other requests
- watch out for globals then!
![Page 17: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/17.jpg)
security: JS issues
var express = require('express'), app = express();
var auth = false;   // global: one flag shared by every request this process handles
app.get('/auth', function(req, res) {
  if (legit) {      // "legit": result of your credential check (not shown on the slide)
    auth = true;
    res.send("success");
  }
});
app.get('/payments-db', function(req, res) {
  if (auth) res.send("legit to see all payments data");
  else res.send("not logged in");
});
app.listen(8080);
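The slide's two handlers, rebuilt as an added example (not code from the deck) so the consequence of the shared flag can be observed: one version keeps the process-wide `auth` flag, the other keeps the flag in the caller's own session. A constructed fake `req`/`res` pair stands in for Express, and the session ids and the in-memory `sessions` store are assumptions for the demo.

```javascript
// Added example, not from the slides: the same two routes around a process-wide
// flag and around per-session state, driven by a constructed fake req/res pair.

function makeRes() {
  return { body: null, send(b) { this.body = b; return this; } };
}

// --- as on the slide: one "auth" flag shared by every request the process serves ---
let auth = false;
const sharedFlagApp = {
  '/auth': (req, res) => {
    if (req.legit) { auth = true; res.send('success'); } else { res.send('denied'); }
  },
  '/payments-db': (req, res) => {
    res.send(auth ? 'legit to see all payments data' : 'not logged in');
  },
};

// --- hardened: the flag belongs to the caller's own session ---
const sessions = new Map();   // sessionId -> { auth }; constructed in-memory store
function session(req) {
  if (!sessions.has(req.sessionId)) sessions.set(req.sessionId, { auth: false });
  return sessions.get(req.sessionId);
}
const perSessionApp = {
  '/auth': (req, res) => {
    if (req.legit) { session(req).auth = true; res.send('success'); } else { res.send('denied'); }
  },
  '/payments-db': (req, res) => {
    res.send(session(req).auth ? 'legit to see all payments data' : 'not logged in');
  },
};

function call(app, path, req) {
  const res = makeRes();
  app[path](req, res);
  return res.body;
}

// Alice logs in; a second client that never authenticated (different session id)
// then asks for the payments data; finally Alice asks for it herself.
function demo(app) {
  return {
    alice:   call(app, '/auth',        { sessionId: 'alice', legit: true }),
    other:   call(app, '/payments-db', { sessionId: 'other' }),
    aliceDb: call(app, '/payments-db', { sessionId: 'alice' }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('shared flag :', demo(sharedFlagApp));
  console.log('per session :', demo(perSessionApp));
}
```

With the shared flag, the second client reads the payments data the moment anyone at all has logged in; with per-session state only Alice does. The same shape applies to any request-scoped value (current user, tenant, locale) that is tempting to park in a module-level variable.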
![Page 18: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/18.jpg)
security: JS issues
So now imagine..
global namespace pollution + evals & co
![Page 19: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/19.jpg)
![Page 20: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/20.jpg)
security: JS issues
object properties:
- writable: RO/RW
- enumerable: whether loops (for..in, Object.keys) list it
- configurable: whether it can be deleted or redefined
- all three default to true, so watch out
![Page 21: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/21.jpg)
security: JS issues
var obj = {};
obj.prop = "LOL";
// OR:
Object.defineProperty(obj, "prop", {
  writable: true,
  enumerable: true,
  configurable: true,
  value: "LOL"
});
![Page 22: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/22.jpg)
security: JS issues - prevention
strict mode:
- let's throw all errors!
- declare variables!
- helps keep the global namespace clean
![Page 23: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/23.jpg)
security: JS issues - prevention
"use strict";
function do_smt() {
  do_smt.caller;    // no way :)
  do_smt.arguments; // no way :)
}
![Page 24: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/24.jpg)
security: JS issues - prevention
"use strict";
eval("var smt = 123");
console.log(smt); // sorry – ReferenceError
![Page 25: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/25.jpg)
security: JS issues - prevention
"use strict";
eval("var smt = 123");
console.log(smt); // sorry – ReferenceError
But watch out:
"use strict";
var smt = 0;
eval("smt = 123");
console.log(smt); // outputs "123" properly
![Page 26: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/26.jpg)
security: JS issues - prevention
strict mode:
- evals & co are not that insecure now
- no access to caller and args props
- enable globally or for some scope
- what about strict mode in 3rd party mods?
![Page 27: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/27.jpg)
security: JS issues - prevention
Static code analysis
- If not doing it already – just do
- Commit hooks in (D)VCSes (or CI/CD)
- JSHint (node-jshint) / JSLint (nodelint)
- Create policy for static code analysis
- Update & check this policy regularly
![Page 28: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/28.jpg)
node.js – exploits anyone?
- http://seclists.org/bugtraq – ? hits
- http://osvdb.org – ? hits
- http://1337day.com, http://www.exploitdb.com – ? hit
- http://nodesecurity.io/advisories – ? hits
![Page 29: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/29.jpg)
node.js – exploits anyone?
- http://seclists.org/bugtraq – 0 hits
- http://osvdb.org – 2 hits
- http://1337day.com, http://www.exploitdb.com – 1 hit
- http://nodesecurity.io/advisories – 4 hits
![Page 30: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/30.jpg)
node.js – exploits anyone?
- http://seclists.org/bugtraq – 0 hits
- http://osvdb.org – 2 hits
- http://1337day.com, http://www.exploitdb.com – 1 hit
- http://nodesecurity.io/advisories – 4 hits
Such security big?
![Page 31: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/31.jpg)
node.js – exploits anyone?
- http://seclists.org/bugtraq – 0 hits
- http://osvdb.org – 2 hits
- http://1337day.com, http://www.exploitdb.com – 1 hit
- http://nodesecurity.io/advisories – 4 hits
Such security big?
not exactly
![Page 32: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/32.jpg)
node.js – what's wrong then?
node.js security is a blank page
http://www.slideshare.net/ASF-WS/asfws-2012-nodejs-security-old-vulnerabilities-in-new-dresses-par-sven-vetsch
![Page 33: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/33.jpg)
node.js – exceptions / callbacks
callback Error objects – remember to handle them
var fs = require("fs");
fs.readFile("/some/file", "utf8", function (err, contents) {
  // err will be null if no error occurred
  // ... otherwise it carries the error details
});
forget to handle it and die debugging
![Page 34: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/34.jpg)
node.js – eventemitter
EventEmitter: emitting events for async actions
var http = require("http");
http.get("http://nodejs.org/", function (res) {
  res.on("data", function (chunk) {
    do_something_with_chunk(chunk);
  });
  res.on("error", function (err) {
    // listener handling the error
  });
});
Attach listeners to error events or welcome the unhandled exception!
![Page 35: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/35.jpg)
node.js – uncaught exceptions
- by default node.js will print stack trace and terminate thread
- EventEmitter / process / uncaughtException
// it looks like this by default:
process.on("uncaughtException", function (err) {
  console.error(err);
  console.trace();
  process.exit();
});
![Page 36: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/36.jpg)
node.js – uncaught exceptions
- by default node.js will print stack trace and terminate thread
- EventEmitter / process / uncaughtException
// it looks like this by default:
process.on("uncaughtException", function (err) {
  console.error(err);
  console.trace();
  // process.exit();
});
So do you really want to comment out the 'process.exit()' line?
![Page 37: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/37.jpg)
node.js – domains
- error handling mechanism
- group I/O operations
- when err event -> domain is notified not process
- context clarity
![Page 38: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/38.jpg)
node.js – domains
Using Express? Take a look at this:
https://github.com/brianc/node-domain-middleware
Assigning each Express request to a separate domain?
![Page 39: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/39.jpg)
node.js – npm modules
- npm install (-g)
- who creates modules?
- who verifies those?
- how to update?
- semantic versioning in package.json
- "connect": "~1.8.7" -> anything from 1.8.7 up to (but not including) 1.9
![Page 40: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/40.jpg)
node.js – npm modules
- npm install --ignore-scripts
  stops preinstall/prepublish scripts from running
- mods auditing: https://nodesecurity.io/
![Page 41: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/41.jpg)
node.js – npm modules
The scale of npm modules
![Page 42: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/42.jpg)
node.js – npm modules
Comparison to other langs (mods/day):
![Page 43: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/43.jpg)
node.js – npm modules
Remember:
- use strict?
- static analysis?
- does it include a test suite?
- what is the dependency tree?
- private repository: Kappa
- retire.js – check mods with cli
![Page 44: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/44.jpg)
node.js – express
Express – web dev framework
Built on top of connect
![Page 45: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/45.jpg)
node.js – express – basic auth
var express = require('express'),
    app = express();
app.use(express.basicAuth("user", "pwd"));
app.get("/", function (req, res) {
  res.send('Hello World');
});
app.listen(8080);
Plain-text credentials, plus the usual basic-auth issues
![Page 46: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/46.jpg)
node.js – express – SSL auth
var express = require('express'),
    routes = require('./routes'),
    fs = require('fs');
var opts = {
  key: fs.readFileSync('ssl/server/keys/server.key'),
  cert: fs.readFileSync('ssl/server/certificates/server.crt'),
  ca: fs.readFileSync('ssl/ca/ca.crt'),
  crl: fs.readFileSync('ssl/ca/ca.crl'),
  requestCert: true,        // ask every client for a certificate
  rejectUnauthorized: true, // and drop clients whose cert does not verify against ca
  passphrase: "pwd"         // <<<< really here?
};
var app = module.exports = express.createServer(opts);
app.configure(function(){
  app.set('views', __dirname + '/views');
  ...
});
app.get('/', routes.index);
app.listen(8443);
![Page 47: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/47.jpg)
node.js – express – passport.js
- provides API for authentication and authorization
- authentication:
- LocalStrategy
- OpenIDStrategy
- OAuth / FacebookStrategy
![Page 48: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/48.jpg)
node.js – express – authorization
var users = [
  { id: 1, name: "user1", role: "admin" },
  { id: 2, name: "user2", role: "common" },
];
// req.user is the authenticated caller (set by the auth layer, e.g. passport);
// req.userData is the user addressed by the URL
function loadUser(req, res, next) {
  req.userData = users.filter(function (u) { return u.id === Number(req.params.user); })[0];
  if (!req.userData) return next(new Error("No such user"));
  return next();
}
function requireRole(role) {
  return function (req, res, next) {
    if (req.user && req.user.role === role) {
      return next();
    } else {
      return next(new Error("Unauthorized"));
    }
  };
}
![Page 49: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/49.jpg)
node.js – express – authorization
app.get("/users/:user", loadUser, function (req, res) {
  res.send(req.userData.name);
});
app.del("/users/:user", requireRole("admin"), loadUser, function (req, res) {
  res.send("User deleted");
});
![Page 50: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/50.jpg)
node.js – express – logging
OWASP will tell you what should be logged :)
https://www.owasp.org/index.php/Logging_Cheat_Sheet
- authentication & authorisation
- session management
- errors & weirdo events
- events (startups, shutdowns, slowdowns etc)
- high risk functionalities (payments, privileges, admins)
![Page 51: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/51.jpg)
node.js – express – logging
Try Winston module (Github -> flatiron/winston)
- logging to console
- logging to file
- sending logs over HTTP
- CouchDB, Redis, MongoDB, Riak etc
![Page 52: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/52.jpg)
node.js – express – sessions
var express = require('express');
var app = express();
var RedisStore = require('connect-redis')(express);
app.use(express.cookieParser());
app.use(express.session({
  store: new RedisStore({ host: '127.0.0.2', port: 6379, db: 3, pass: 'pwd' }),
  secret: 'this-is-very-secret'
}));
app.get('/somewhere', function(req, res) {
  res.send('In the middle of nowhere');
});
app.listen(process.env.PORT || 8080);
![Page 53: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/53.jpg)
node.js – common threats
- CSRF
- input validation
- XSS
- DoS
- ReDoS
- HPP
- request size
![Page 54: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/54.jpg)
node.js – monitoring anyone?
- is app functional? :)
- is app overloaded?
- app should provide monitoring interface
- how many errors caught?
- are forks alive and OK?
![Page 55: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/55.jpg)
node.js – sandboxing
![Page 56: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/56.jpg)
node.js – sandboxing
Such security..
Very fortress!!1
WOW :)
![Page 57: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/57.jpg)
node.js – sandboxing
SELinux sandbox:
- read/write only on stdin/stdout and the file descriptors explicitly passed in
- no network access
- no access to other processes' files
- cgroups friendly :)
- lightweight!
![Page 58: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/58.jpg)
node.js – sandboxing
libvirt sandbox (virt-sandbox):
- runs on LXC or QEMU/KVM
- provides a high-level API
- no need to know the virtualization internals
- integrates with systemd inside the sandbox
- virt-sandbox -c lxc:/// /bin/sh
![Page 59: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/59.jpg)
node.js – sandboxing
Docker:
- very easy learning curve – just run & go
- it just works
- big community
- growing rapidly
- almost stable ;)
![Page 60: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/60.jpg)
node.js – one more thing
Just...
![Page 61: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/61.jpg)
node.js – one more thing
Just...
Don't run as `root`!!!
![Page 62: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/62.jpg)
node.js – tracing execution
- SmartOS / Joyent: debugging tooling
- Bunyan / DTrace
- strace, of course...
![Page 63: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/63.jpg)
node.js – testing
- maybe an interface for white-box pentests?
- unit testing, for the sake of it! (Mocha, supertest, should.js)
- OWASP Zed Attack Proxy
![Page 64: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/64.jpg)
scaling node.js – cluster module
http://aosabook.org
![Page 65: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/65.jpg)
scaling node.js – cluster module
http://aosabook.org
![Page 66: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/66.jpg)
scaling node.js – cluster module
http://aosabook.org
- threads-a-gogo module?
![Page 67: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/67.jpg)
scaling node.js – containers
![Page 68: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/68.jpg)
scaling node.js – resources
Just use cgroups
![Page 69: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/69.jpg)
node.js performance
- the c10k problem!
- PayPal – "release the Kraken" & other stories
![Page 70: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/70.jpg)
So what do you think about JS?
- JS is for children? wrong, children aren't async ;)
- JS is slow? wrong – V8!
- JS is not scalable? wrong – we'll JS the world!
- JS is insecure? wrong – people make mistakes!
![Page 71: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/71.jpg)
Infosec & meet.js meetups @krakowmeetup.com
![Page 72: Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk](https://reader034.vdocuments.net/reader034/viewer/2022051111/554dd3abb4c905d10e8b49fe/html5/thumbnails/72.jpg)
Docker workshops with node.js! #dockerkrk #nodekrk