46% of the Python packages in the PyPI repository contain potentially unsafe code

A group of researchers from the University of Turku (Finland) has published the results of an analysis of the packages in the PyPI repository for the use of potentially dangerous constructs that could lead to vulnerabilities. In the analysis of 197 packages, 749 potential security problems were identified; 46% of the packages have at least one such problem. Among the most common problems are those related to exception handling and the use of constructs that allow code substitution.

Of the 749 problems identified, 442 (41%) were marked as minor, 227 (30%) as medium severity and 80 (11%) as dangerous. Some packages stand out from the rest with many thousands of problems: for example, 2589 problems were found in the PyGGI package, mostly related to the use of "try-except-pass" constructs, and 2356 in the appengine-sdk package. Many problems were also found in the genie.libs.ops, pbcore and genie.libs.parser packages.

It should be noted that these results were obtained by automated static analysis, which does not take into account the context in which a construct is used. The developer of Bandit, the tool used to analyze the code, has pointed out that because of the large number of false positives, scan results cannot be treated as vulnerabilities without a manual review of each finding.

For example, the analyzer treats the use of non-cryptographic random number generators and of hashing algorithms such as MD5 as a security problem, whereas in the code such algorithms may be used for purposes unrelated to security. The analyzer also treats any processing of external data by unsafe functions such as pickle, yaml.load, subprocess and eval as a problem, but such use does not necessarily constitute a vulnerability, and in many cases these functions can be used without any security risk.

Some of the checks used in the study:

  • Use of the potentially unsafe functions exec, mktemp, eval, mark_safe, etc.
  • Insecure setting of file access permissions.
  • Binding a network socket to all network interfaces.
  • Use of passwords and keys written explicitly into the code.
  • Use of a well-known temporary directory.
  • Use of pass and continue in catch-all exception handlers.
  • Running web applications based on the Flask web framework with debug mode enabled.
  • Use of insecure data deserialization methods.
  • Use of the MD2, MD4, MD5 and SHA1 hashes.
  • Use of insecure DES ciphers and encryption modes.
  • Use of HTTPSConnection without certificate verification in some Python versions.
  • Specifying the file:// scheme in urlopen.
  • Use of pseudorandom generators in cryptographic operations.
  • Use of the Telnet protocol.
  • Use of insecure XML parsers.

In addition, it can be noted that 8 malicious packages were found in the PyPI catalogue. Before they were removed, the problematic packages had been downloaded more than 30 times. To hide their malicious activity and bypass warnings from simple static analyzers, the code blocks in these packages were encoded with Base64 and executed after decoding via an eval call.
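To show how checks of the kind listed above work, and how the decode-then-eval pattern described in the previous paragraph looks to a static analyzer, here is a small AST-based checker written for this article. It is an added example, not code from the Turku study or from Bandit: the check names and severity tiers are constructed, and the SAMPLE source it scans is constructed too and is only parsed, never executed (so nothing it imports has to be installed).

```python
"""Tiny AST checker in the spirit of the Bandit tests listed in the article.
Added example, not code from the Turku study or from Bandit; the check names and
severities are constructed, and SAMPLE is a constructed source that is only parsed."""
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "check severity line detail")
WEAK_HASHES = {"hashlib.md2", "hashlib.md4", "hashlib.md5", "hashlib.sha1"}
UNSAFE_LOADERS = {"pickle.load", "pickle.loads", "yaml.load"}
SECRET_WORDS = ("password", "passwd", "secret", "token")


def _call_name(func):
    # Dotted name of a callee: 'eval', 'hashlib.md5', 's.bind'; '' if not a plain name.
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    return ".".join(reversed(parts + [func.id])) if isinstance(func, ast.Name) else ""


def _keyword(call, name):
    # The AST node passed as keyword argument `name`, or None if absent.
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


class Checker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, check, severity, node, detail):
        self.findings.append(Finding(check, severity, node.lineno, detail))

    def visit_Assign(self, node):
        # A string literal assigned to a variable whose name suggests a secret.
        for t in node.targets:
            if (isinstance(t, ast.Name) and any(w in t.id.lower() for w in SECRET_WORDS)
                    and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
                self.report("hardcoded_password", "low", node, t.id)
        self.generic_visit(node)

    def visit_Try(self, node):
        # A catch-all handler whose entire body is `pass` or `continue`.
        for h in node.handlers:
            broad = h.type is None or (isinstance(h.type, ast.Name) and h.type.id == "Exception")
            if broad and len(h.body) == 1 and isinstance(h.body[0], (ast.Pass, ast.Continue)):
                self.report("try_except_pass", "low", h, "exception silently swallowed")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node.func)
        first = node.args[0] if node.args else None
        if name in ("eval", "exec"):
            # Decode-then-execute is the obfuscation pattern the article describes; a bare
            # eval on a literal is flagged too, which is where context-free checks over-report.
            if isinstance(first, ast.Call) and _call_name(first.func) == "base64.b64decode":
                self.report("decode_then_exec", "high", node, f"{name} on Base64-decoded data")
            else:
                self.report("eval_exec", "medium", node, name)
        elif name in WEAK_HASHES:
            # usedforsecurity=False (Python 3.9+) declares a non-security use; honour it.
            flag = _keyword(node, "usedforsecurity")
            if not (isinstance(flag, ast.Constant) and flag.value is False):
                self.report("weak_hash", "medium", node, name)
        elif name in UNSAFE_LOADERS:
            loader = _keyword(node, "Loader")
            if loader is None or not _call_name(loader).endswith("SafeLoader"):
                self.report("unsafe_deserialization", "medium", node, name)
        elif name.endswith(".bind") and isinstance(first, ast.Tuple) and first.elts:
            host = first.elts[0]
            if isinstance(host, ast.Constant) and host.value in ("", "0.0.0.0", "::"):
                self.report("bind_all_interfaces", "medium", node, repr(host.value))
        elif name.endswith(".run"):
            debug = _keyword(node, "debug")
            if isinstance(debug, ast.Constant) and debug.value is True:
                self.report("flask_debug", "high", node, "debug=True")
        self.generic_visit(node)


def scan(source):
    # Parse `source` and return its findings ordered by line number.
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample source: parsed by scan(), never imported or executed.
SAMPLE = '''import base64, hashlib, pickle, socket
from flask import Flask
PASSWORD = "hunter2"
app = Flask(__name__)
def cache_key(data): return hashlib.md5(data, usedforsecurity=False).hexdigest()
def digest(data): return hashlib.md5(data).hexdigest()
def load(blob): return pickle.loads(blob)
def serve():
    s = socket.socket()
    s.bind(("0.0.0.0", 8080))
    try:
        app.run(debug=True)
    except Exception:
        pass
    total = eval("1 + 1")
    exec(base64.b64decode("<constructed placeholder, never decoded>"))
'''

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Running it on SAMPLE yields eight findings, two of them in the "high" tier. Two details illustrate the article's point about context: `cache_key` is not reported because `usedforsecurity=False` tells the checker the MD5 call is not a security use, and a `yaml.load` call that passes `Loader=yaml.SafeLoader` is likewise skipped, while `eval("1 + 1")` is still reported even though it can do no harm. Checks that look only at syntax cannot tell the harmless case from the dangerous one, which is why each finding needs a manual review before it is called a vulnerability.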

The noblesse, genesisbot, are, suffer, noblesse2 and noblessev2 packages contained code for extracting credit card numbers and passwords stored in the Chrome and Edge browsers, as well as for stealing account tokens from the Discord application and sending system information, including screenshots. The pytagora and pytagora2 packages included the ability to download and run executable code.

Source: opennet.ru
