Attacking Node.js by manipulating JavaScript object prototypes

Researchers from the Helmholtz Center for Information Security (CISPA) and the Royal Institute of Technology (Sweden) analyzed the applicability of the JavaScript prototype pollution technique for creating attacks on the Node.js platform and popular applications based on it, leading to code execution.

The prototype pollution technique uses a feature of the JavaScript language that allows new properties to be added to the root prototype of any object. Applications may contain blocks of code (gadgets) whose operation is affected by a substituted property; for example, the code may contain a construct such as 'const cmd = option.cmd || "/bin/sh"', whose logic changes if the attacker manages to substitute the "cmd" property in the root prototype.

A successful attack requires that the application can use external data to create a new property in the object's root prototype, and that execution reaches a gadget that depends on the modified property. In Node.js the prototype is changed through handling of the service properties "__proto__" and "constructor". The "__proto__" property returns the prototype of the object's class, and the "constructor" property returns the function used to create the object.

If the application code contains the assignment "obj[a][b] = value" and the values are taken from external data, the attacker can set "a" to the value "__proto__" and get their own property with the name "b" and the value "value" installed in the root prototype of the object (obj.__proto__.b = value;), and a property set in the prototype is visible in all objects. Similarly, if the code contains an expression such as "obj[a][b][c] = value", setting "a" to the value "constructor" and "b" to "prototype" defines a new property with the name "c" and the value "value" in all existing objects.

Example of changing the prototype:

    const o1 = {};
    const o2 = new Object();
    o1.__proto__.x = 42; // create property "x" in the root prototype
    console.log(o2.x);   // read property "x" from another object
    // the output is 42, because the root prototype was changed through
    // object o1, and the same prototype is used by object o2

Example of vulnerable code:

    function entryPoint(arg1, arg2, arg3) {
      const obj = {};
      const p = obj[arg1]; // lookup with an input-controlled key
      p[arg2] = arg3;      // write with input-controlled name and value
      return p;
    }

If the arguments of the entryPoint function are formed from input data, the attacker can pass the value "__proto__" in arg1 and create a property with any name in the root prototype. Passing the value "toString" in arg2 and the value 1 in arg3 defines the "toString" property (Object.prototype.toString=1) and crashes the application at the next call to toString().
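The vulnerable pattern above next to a hardened write and a hardened gadget-side read, as an added example that is not code from the study. The names FORBIDDEN, hasOwn, safeSet, resolveCmd and demo are hypothetical, and the marker value is constructed.

```javascript
// Added example: constructed for illustration, not from the study.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern from the article: keys come straight from input.
function entryPoint(arg1, arg2, arg3) {
  const obj = {};
  const p = obj[arg1]; // "__proto__" resolves to Object.prototype
  p[arg2] = arg3;
  return p;
}

// Hardened write: reject prototype-reaching keys, follow own properties only.
function safeSet(obj, a, b, value) {
  for (const key of [a, b]) {
    if (typeof key !== "string" || FORBIDDEN.has(key)) {
      throw new TypeError(`rejected key: ${String(key)}`);
    }
  }
  if (!hasOwn(obj, a)) obj[a] = Object.create(null); // no prototype chain
  if (obj[a] === null || typeof obj[a] !== "object") {
    throw new TypeError(`not a container: ${a}`);
  }
  obj[a][b] = value;
  return obj;
}

// Hardened read (gadget side): only an own property overrides the default.
function resolveCmd(options) {
  return hasOwn(options, "cmd") ? options.cmd : "/bin/sh";
}

// Runs both variants with a harmless marker and restores the prototype.
function demo() {
  const r = {};
  entryPoint("__proto__", "cmd", "polluted-marker");
  try {
    r.naiveRead = ({}).cmd || "/bin/sh"; // gadget-style read sees the marker
    r.hardenedRead = resolveCmd({});     // inherited value is ignored
  } finally {
    delete Object.prototype.cmd;         // undo the pollution
  }
  try {
    safeSet({}, "__proto__", "cmd", "x");
    r.safeSetRejected = false;
  } catch (e) {
    r.safeSetRejected = e instanceof TypeError;
  }
  r.cleanAfter = ({}).cmd === undefined;
  return r;
}
```
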

Examples of situations that can lead to execution of attacker code include creating the properties "main", "shell", "exports", "contextExtensions" and "env". For example, an attacker can create a "main" property in the root prototype of an object, writing the path to their script into it (Object.prototype.main = "./../../pwned.js"), and this property will be used when the construct require("my-package") is executed, if the included package does not explicitly define the "main" property in package.json (if the property is not defined, it is obtained from the root prototype). The "shell", "exports" and "env" properties can be substituted in the same way:

    let rootProto = Object.prototype;
    rootProto["exports"] = {".":"./changelog.js"};
    rootProto["1"] = "/path/to/npm/scripts/";
    // trigger call
    require("/target.js");

    Object.prototype.main = "/path/to/npm/scripts/changelog.js";
    Object.prototype.shell = "node";
    Object.prototype.env = {};
    Object.prototype.env.NODE_OPTIONS = "--inspect-brk=0.0.0.0:1337";
    // trigger call
    require("bytes");

The researchers analyzed the 10 NPM packages with the largest number of dependencies and found that 1958 of them do not have a main property in package.json.

A working example is an exploit for attacking the Parse Server backend that overrides the evalFunctions property. To simplify the identification of such vulnerabilities, a toolkit has been developed that combines static and dynamic analysis methods. During testing of Node.js, 11 gadgets were identified that can be used to organize attacks leading to execution of the attacker's code. In addition to Parse Server, two exploitable vulnerabilities were also identified in the NPM CLI.

Source: opennet.ru
