Vulnerability in NPM allowing modification of arbitrary files during package installation

The update of the NPM package manager 6.13.4, which is bundled with the Node.js distribution and used to distribute modules in the JavaScript language, fixes three vulnerabilities (CVE-2019-16775, CVE-2019-16776 and CVE-2019-16777) that allow arbitrary system files to be modified or overwritten during installation of a package prepared by an attacker. As a workaround for protection, you can install with the "--ignore-scripts" option, which prevents execution of package handler scripts. NPM developers analysed the packages in the repository and found no signs of the identified problems being used for attacks.

  • CVE-2019-16777 manifests in releases before 6.13.4 and allows system executable files to be overwritten during installation of a global package. Files can only be replaced in the directory where executables are installed (usually /usr/local/bin).
  • CVE-2019-16775 and CVE-2019-16776 manifest in releases before 6.13.3 and allow an arbitrary file to be written by creating a symbolic link to files outside the modules directory (node_modules) or by manipulating the bin field in package.json (paths containing "/../" were accepted in the bin field).

    source: budenet.ru