d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
77 lines
2.6 KiB
Markdown
77 lines
2.6 KiB
Markdown
---
|
|
paths:
|
|
- "**/*.fs"
|
|
- "**/*.fsx"
|
|
- "**/*.fsproj"
|
|
- "**/appsettings*.json"
|
|
---
|
|
# F# セキュリティ
|
|
|
|
> このファイルは [common/security.md](../common/security.md) を F# 固有のコンテンツで拡張します。
|
|
|
|
## シークレット管理
|
|
|
|
- ソースコードに API キー、トークン、接続文字列をハードコードしない
|
|
- ローカル開発には環境変数とユーザーシークレットを使用し、本番環境ではシークレットマネージャーを使用する
|
|
- `appsettings.*.json` に実際の認証情報を含めない
|
|
|
|
```fsharp
|
|
// BAD
|
|
let apiKey = "sk-live-123"
|
|
|
|
// GOOD
|
|
let apiKey =
|
|
configuration["OpenAI:ApiKey"]
|
|
|> Option.ofObj
|
|
|> Option.defaultWith (fun () -> failwith "OpenAI:ApiKey is not configured.")
|
|
```
|
|
|
|
## SQL インジェクション対策
|
|
|
|
- ADO.NET、Dapper、または EF Core でパラメータ化クエリを常に使用する
|
|
- ユーザー入力を SQL 文字列に連結しない
|
|
- 動的クエリ合成を使用する前に、並び替えフィールドとフィルター演算子を検証する
|
|
|
|
```fsharp
|
|
let findByCustomer (connection: IDbConnection) customerId =
|
|
task {
|
|
let sql = "SELECT * FROM Orders WHERE CustomerId = @customerId"
|
|
return! connection.QueryAsync<Order>(sql, {| customerId = customerId |})
|
|
}
|
|
```
|
|
|
|
## 入力バリデーション
|
|
|
|
- 型を使用してアプリケーション境界で入力を検証する
|
|
- 検証済みの値には単一ケース判別共用体を使用する
|
|
- 無効な入力がドメインロジックに入る前に拒否する
|
|
|
|
```fsharp
|
|
type ValidatedEmail = private ValidatedEmail of string
|
|
|
|
module ValidatedEmail =
|
|
let create (input: string) =
|
|
if System.Text.RegularExpressions.Regex.IsMatch(input, @"^[^@]+@[^@]+\.[^@]+$") then
|
|
Ok(ValidatedEmail input)
|
|
else
|
|
Error "Invalid email address"
|
|
|
|
let value (ValidatedEmail v) = v
|
|
```
|
|
|
|
## 認証と認可
|
|
|
|
- カスタムトークン解析ではなくフレームワークの認証ハンドラーを優先する
|
|
- エンドポイントまたはハンドラー境界で認可ポリシーを強制する
|
|
- 生のトークン、パスワード、PII をログに記録しない
|
|
|
|
## エラーハンドリング
|
|
|
|
- クライアントに返す安全なメッセージを返す
|
|
- 詳細な例外はサーバーサイドで構造化コンテキストと共にログに記録する
|
|
- API レスポンスにスタックトレース、SQL テキスト、ファイルシステムパスを公開しない
|
|
|
|
## 参考資料
|
|
|
|
より広範なアプリケーションセキュリティレビューチェックリストはスキル `security-review` を参照。
|