Vulnerability in the pac-resolver NPM package, downloaded 3 million times a week

The pac-resolver NPM package, which has more than 3 million downloads per week, contains a vulnerability (CVE-2021-23406) that allows an attacker's JavaScript code to be executed in the context of the application when HTTP requests are sent from Node.js projects that support proxy auto-configuration.

The pac-resolver package processes PAC files containing proxy auto-configuration settings. A PAC file holds ordinary JavaScript code with a FindProxyForURL function that defines the logic for choosing a proxy based on the host and the requested URL. The root of the vulnerability is that, to execute the JavaScript code in a PAC file, pac-resolver used the VM API provided by Node.js, which lets JavaScript code run in a separate context of the V8 engine.

The documentation for that API states explicitly that it is not designed for running untrusted code, because it does not fully isolate the executed code and allows access to objects of the original context. The issue has been fixed in pac-resolver 5.0.0, which switched to the vm2 library, which provides a higher level of isolation suited to running untrusted code.

When a vulnerable version of pac-resolver is used, an attacker can, through a specially crafted PAC file, execute their own JavaScript code in the context of a Node.js project's code, provided that project uses libraries that depend on pac-resolver. The most problematic dependent library is Proxy-Agent, which is listed as a dependency of 360 projects, including urllib, aws-cdk, mailgun.js and the firebase tools, and which is downloaded more than three million times per week.
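Because pac-resolver usually arrives transitively (through Proxy-Agent and the projects built on it), the practical check is whether any copy below the fixed release 5.0.0 is pinned in a project's lockfile. The following audit script is an added example, not code from the article or from the pac-resolver project; it assumes the npm lockfile layouts (v1 "dependencies" tree, v2/v3 "packages" map) and uses a constructed sample lockfile with made-up version numbers.

```javascript
// Added example: find pac-resolver entries older than 5.0.0 (the release the
// article names as the fix for CVE-2021-23406) in a parsed package-lock.json.

// Parse "MAJOR.MINOR.PATCH[...]" into numeric parts; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version v sorts strictly below version floor.
function isBelow(v, floor) {
  const a = parseVersion(v), b = parseVersion(floor);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed pac-resolver (path and version) below 5.0.0.
function findVulnerablePacResolver(lock) {
  const fixed = '5.0.0';
  const hits = [];
  // npm lockfile v2/v3: "packages" is keyed by the installed path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/pac-resolver') && isBelow(meta.version || '', fixed)) {
      hits.push({ path, version: meta.version });
    }
  }
  // npm lockfile v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'pac-resolver' && isBelow(meta.version || '', fixed)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v2 layout, versions are made up): one nested
// vulnerable copy under proxy-agent next to a fixed top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/pac-resolver': { version: '5.0.0' },
  },
};
```

Running it against a real project is `findVulnerablePacResolver(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; any non-empty result is a copy the 5.0.0 fix has not reached.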

If an application that depends on pac-resolver loads a PAC file supplied by a system that supports the WPAD proxy auto-configuration protocol, an attacker with access to the local network could influence the project's settings via DHCP and have malicious PAC files installed.

Source: opennet.ru
