46% of Python packages in the PyPI repository contain unsafe code

A group of researchers from the University of Turku (Finland) has published the results of an analysis of packages in the PyPI repository for the use of potentially dangerous constructs that could lead to vulnerabilities. The analysis of 197 thousand packages identified 749 thousand security problems. 46% of the packages have at least one such problem. Among the most common problems are errors related to exception handling and the use of features that allow code substitution.

Of the 749 thousand problems identified, 442 thousand (59%) were marked as minor, 227 thousand (30%) as moderate and 11 thousand (1.5%) as dangerous. Some packages stand out from the crowd and contain thousands of problems: for example, 2589 problems were found in the PyGGI package, mostly related to the use of the "try-except-pass" construct, and 2356 problems in the appengine-sdk package. Large numbers of problems are also present in the genie.libs.ops, pbcore and genie.libs.parser packages.

It should be noted that the results were obtained by automated analysis, which does not take into account the context in which a given construct is used. The developer of the Bandit tool, which was used to scan the code, expressed the opinion that, because of the large number of false positives, the scan results cannot be treated as vulnerabilities directly without an additional review of each issue.

For example, the analyzer treats the use of weak random number generators and hashing algorithms such as MD5 as a security problem, while in the code such algorithms may be used for purposes unrelated to security. The analyzer also considers any processing of external data in unsafe functions such as pickle, yaml.load, subprocess and eval to be a problem, but such use does not necessarily constitute a vulnerability, and in practice these functions can be used without a security threat.

Among the checks used in the study:

  • Use of potentially unsafe functions such as exec, mktemp, eval, mark_safe, etc.
  • Insecure configuration of file access permissions.
  • Binding a network socket to all network interfaces.
  • Use of hard-coded passwords and keys in the code.
  • Use of a hard-coded temporary directory path.
  • Use of pass and continue in catch-all exception handlers.
  • Launching a web application based on the Flask framework with debug mode enabled.
  • Use of insecure deserialization methods.
  • Use of the MD2, MD4, MD5 and SHA1 hash functions.
  • Use of the insecure DES cipher and insecure encryption modes.
  • Use of an insecure implementation of HTTPS connections in some Python versions.
  • Specifying the file:// scheme in urlopen.
  • Use of pseudorandom generators when performing cryptographic operations.
  • Use of the Telnet protocol.
  • Use of insecure XML parsers.
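Several of the checks in this list can be approximated with a short walk over the Python AST, which also makes clear why they produce false positives. The following is an added example, not the researchers' code or Bandit's own: it scans a constructed sample for catch-all except handlers that only pass or continue, calls to eval, exec, yaml.load (unless a safe Loader is passed), MD5/SHA1 and mktemp, and a web app started with debug=True.

```python
import ast
# Constructed sample (not real PyPI code) that exercises several checks from the list.
SAMPLE = '''
import hashlib, yaml
def load(s):
    try:
        return yaml.load(s)
    except Exception:
        pass
def digest(b):
    return hashlib.md5(b).hexdigest()
def run(app):
    app.run(debug=True)
'''

FLAGGED_CALLS = {"eval", "exec", "yaml.load", "hashlib.md5", "hashlib.sha1", "tempfile.mktemp"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def call_name(node):
    """Dotted name of a call target, e.g. 'yaml.load'; '' when the target is not a plain name."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""
    parts.append(f.id)
    return ".".join(reversed(parts))


def scan(source):
    """Return sorted (line, finding) tuples for the patterns described above."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler):
            broad = node.type is None or (
                isinstance(node.type, ast.Name) and node.type.id in ("Exception", "BaseException"))
            if broad and all(isinstance(s, (ast.Pass, ast.Continue)) for s in node.body):
                findings.append((node.lineno, "catch-all except with only pass/continue"))
        elif isinstance(node, ast.Call):
            name = call_name(node)
            kw = {k.arg: k.value for k in node.keywords}
            # yaml.load is acceptable when an explicit safe Loader is passed.
            safe_yaml = (name == "yaml.load" and isinstance(kw.get("Loader"), ast.Attribute)
                         and kw["Loader"].attr in SAFE_LOADERS)
            if name in FLAGGED_CALLS and not safe_yaml:
                findings.append((node.lineno, f"call to {name}"))
            debug = kw.get("debug")
            if name.endswith(".run") and isinstance(debug, ast.Constant) and debug.value is True:
                findings.append((node.lineno, "web app run with debug=True"))
    return sorted(findings)
```

Like the study's tooling, this is purely syntactic: the MD5 hit on line 9 is reported whether the digest protects anything or only names a cache file, which is exactly the context the review step has to supply.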

In addition, it can be noted that 8 malicious packages were identified in the PyPI catalogue. Before their removal, the problematic packages were downloaded more than 30 thousand times. To hide the malicious activity and evade warnings from simple static analyzers, code blocks in the packages were encoded with Base64 and executed after decoding by means of an eval call.

The noblesse, genesisbot, are, suffer, noblesse2 and noblessev2 packages contained code for stealing credit card numbers and passwords stored in the Chrome and Edge browsers, as well as for exfiltrating account tokens from the Discord application and sending system information, including screenshots of the screen contents. The pytagora and pytagora2 packages included the ability to download and execute third-party code.

source: budenet.ru
