Vulnerability in cdnjs that allowed code execution on Cloudflare servers

A critical vulnerability has been identified in Cloudflare's cdnjs content delivery network, a service designed to speed up the delivery of JavaScript libraries, that allowed code execution on the CDN servers. The severity of the problem is compounded by the fact that about 12.7% of all sites on the internet use this service to load JavaScript libraries, and a compromise of the infrastructure would make it possible to replace the libraries served to any of those sites.

The cdnjs service downloads packages from Git or from the NPM repository, after which it lets any site use Cloudflare's free content delivery network to speed up loading of JavaScript libraries. While studying the cdnjs code published on GitHub, it was found that NPM packages in tgz archives are unpacked with the standard archive/tar module of the Go language, which returns the list of files as-is, without normalising paths. If a script extracts the contents according to the list it is given, the presence of files such as "../../../../../../../tmp/test" in the archive can lead to arbitrary files on the system being overwritten, as far as access rights allow.

It was noted that an attacker could apply to have their own library added to cdnjs and upload to the NPM repository a specially crafted archive containing "../" sequences in file paths. On the cdnjs servers an "autoupdate" operation runs periodically, during which the handler downloads new versions of the submitted library and unpacks its contents. Using files with "../" paths, the attacker could overwrite files belonging to the service scripts and execute their code on the server where the unpacking took place.
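The check that the unpacking step described above was missing, written as an added example (not cdnjs's own code): every entry name returned by archive/tar is resolved against the destination directory and rejected if it climbs outside it, and link entries are refused outright. The destination path, the package name and the archive contents are constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path/filepath"
	"strings"
)

// SafeTarget returns where a tar entry may be written under dest; archive/tar hands back Name verbatim, so "../" paths and link entries are rejected here.
func SafeTarget(dest string, hdr *tar.Header) (string, error) {
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		return "", errors.New("link entry not allowed: " + hdr.Name)
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, hdr.Name) // Join cleans "..", but the result can still sit above dest
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", errors.New("entry escapes destination: " + hdr.Name)
	}
	return target, nil
}

// CheckArchive sorts entry names into accepted and rejected without touching the filesystem.
func CheckArchive(dest string, data []byte) (accepted, rejected []string, err error) {
	tr := tar.NewReader(bytes.NewReader(data))
	for hdr, e := tr.Next(); e != io.EOF; hdr, e = tr.Next() {
		if e != nil {
			return nil, nil, e
		}
		if _, e = SafeTarget(dest, hdr); e != nil {
			rejected = append(rejected, hdr.Name)
		} else {
			accepted = append(accepted, hdr.Name)
		}
	}
	return accepted, rejected, nil
}

// SampleArchive is a constructed tar holding a benign file, a "../" traversal entry and a symlink to /proc/self/maps.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "package/index.js", Mode: 0644})
	tw.WriteHeader(&tar.Header{Name: "../../../../../../../tmp/test", Mode: 0644})
	tw.WriteHeader(&tar.Header{Name: "test.js", Typeflag: tar.TypeSymlink, Linkname: "/proc/self/maps"})
	tw.Close()
	return buf.Bytes()
}
```

An extractor built on this would write only the accepted entries, so both the traversal entry and the symlink from the sample archive never reach disk.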

In the case of updates downloaded from Git, it was found that the update handler did not take symbolic links into account when copying files out of the Git checkout. This made it possible to read arbitrary files from the server by adding symbolic links to the Git repository.

It was decided to start with an experiment demonstrating the compromise of cdnjs, in order to claim a reward on HackerOne, by testing the idea of reading files. A symbolic link named test.js, pointing to the file /proc/self/maps, was added to the Git repository of a JavaScript library served through the CDN. After a new version of the library was published, the update handler processed this repository and published the file in cdnjs (test.js was created as a symbolic link, and when this file was requested, the contents of /proc/self/maps were returned).

By pointing the symbolic link at the file /proc/self/environ, the author of the research found that the returned data contained the environment variables GITHUB_REPO_API_KEY and WORKERS_KV_API_TOKEN. The first variable held the API key for writing to the robocdnjs repository on GitHub. The second held the token for the KV storage used by cdnjs. With the obtained data, an attacker could modify cdnjs and compromise the infrastructure.

Source: opennet.ru