Vulnerability in the pac-resolver NPM package with 3 million downloads per week

The pac-resolver NPM package, which has more than 3 million downloads per week, contains a vulnerability (CVE-2021-23406) that allows JavaScript code to be executed in the application's context when HTTP requests are sent from Node.js projects that support automatic proxy server configuration.

The pac-resolver package parses PAC files, which contain automatic proxy configuration scripts. A PAC file consists of ordinary JavaScript code with a FindProxyForURL function that defines the logic for choosing a proxy based on the host and the requested URL. The essence of the vulnerability is that, to execute this JavaScript code, pac-resolver used the VM API provided by Node.js, which runs JavaScript code in a separate context of the V8 engine.

This API is explicitly marked in the documentation as not intended for running untrusted code, because it does not fully isolate the executed code and allows access to the original context. The issue was fixed in pac-resolver 5.0.0, which switched to the vm2 library, which provides a higher level of isolation suitable for running untrusted code.

When a vulnerable version of pac-resolver is used, an attacker who delivers a specially crafted PAC file can achieve execution of their JavaScript code in the context of a Node.js project, provided that project uses libraries that depend on pac-resolver. The most notable of the affected libraries is proxy-agent, which is listed as a dependency of 360 projects, including urllib, aws-cdk, mailgun.js and firebase-tools, with a combined total of more than three million downloads per week.
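Because the vulnerable package usually arrives as a transitive dependency (for example via proxy-agent), the practical defender's check is to scan the lock file for every nested copy of pac-resolver below the fixed release. The following script is an added example, not code from the article or from the pac-resolver project; the lock file contents and the proxy-agent version in it are constructed for the demo.

```javascript
// Added example: find copies of pac-resolver older than the fixed 5.0.0
// (CVE-2021-23406) in a package-lock.json (lockfileVersion 2/3 "packages" map).
const FIXED = [5, 0, 0];

// Parse "4.2.0" or "4.2.0-beta.1" into numeric [major, minor, patch].
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// True when the version is strictly below 5.0.0.
function isVulnerable(version) {
  const p = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (p[i] < FIXED[i]) return true;
    if (p[i] > FIXED[i]) return false;
  }
  return false; // exactly 5.0.0 is the fixed release
}

// Keys look like "node_modules/pac-resolver" (top level) or
// "node_modules/proxy-agent/node_modules/pac-resolver" (nested copy).
function findVulnerablePacResolver(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPac = path === 'node_modules/pac-resolver' ||
      path.endsWith('/node_modules/pac-resolver');
    if (!isPac || !meta.version || !isVulnerable(meta.version)) continue;
    // The package that pulled in a nested copy is the path prefix before
    // the last "/node_modules/"; top-level copies are reported as "(direct)".
    const cut = path.lastIndexOf('/node_modules/');
    const via = cut === -1 ? '(direct)' : path.slice('node_modules/'.length, cut);
    hits.push({ path, version: meta.version, via });
  }
  return hits;
}

// Constructed sample lock file (versions are illustrative, not real metadata):
// a fixed top-level copy plus an older nested copy under proxy-agent.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/pac-resolver': { version: '5.0.0' },
    'node_modules/proxy-agent': { version: '0.0.0-constructed' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
  },
};

console.log(findVulnerablePacResolver(sampleLock));
```

Run it against a real lock file by replacing sampleLock with JSON.parse of package-lock.json; any reported copy needs an upgrade of the dependency named in `via` so that pac-resolver 5.0.0 or later is resolved.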

If an application that depends on pac-resolver loads a PAC file supplied by a system that supports the WPAD automatic proxy configuration protocol, then attackers with access to the local network can abuse the distribution of proxy settings via DHCP to inject malicious PAC files.

source: budenet.ru