Vulnerability in the pac-resolver NPM package, which has 3 million downloads per week

The pac-resolver NPM package, which has more than 3 million downloads per week, has a vulnerability (CVE-2021-23406) that allows an attacker's JavaScript code to be executed in the context of the application when HTTP requests are sent from Node.js projects that support the proxy server auto-configuration function.

The pac-resolver package parses PAC files, which contain a proxy auto-configuration script. A PAC file contains ordinary JavaScript code with a FindProxyForURL function that defines the logic for choosing a proxy depending on the host and the requested URL. The essence of the vulnerability is that, to execute this JavaScript code, pac-resolver used the VM API provided in Node.js, which allows JavaScript code to be executed in a separate context of the V8 engine.

This API is explicitly marked in the documentation as not intended for running untrusted code, because it does not provide complete isolation of the code being run and allows access to the original context. The issue was fixed in pac-resolver 5.0.0, which was moved to the vm2 library, which provides a higher level of isolation suitable for running untrusted code.


When a vulnerable version of pac-resolver is in use, an attacker who delivers a specially crafted PAC file can achieve execution of their JavaScript code in the context of the code of a project using Node.js, if that project uses libraries that depend on pac-resolver. The most popular of the affected libraries is Proxy-Agent, which is listed as a dependency of 360 projects, including urllib, aws-cdk, mailgun.js and firebase-tools, with more than three million downloads per week in total.

If an application that depends on pac-resolver loads a PAC file provided by a system that supports the WPAD proxy auto-configuration protocol, then attackers with access to the local network can use the distribution of proxy settings via DHCP to inject malicious PAC files.
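Because pac-resolver usually arrives as a transitive dependency (for example through Proxy-Agent), a project has to inspect its lockfile rather than its own package.json to know whether it is affected. The following added example, which is not code from pac-resolver or from the original article, audits a parsed npm lockfile for pac-resolver entries below the fixed 5.0.0 release; the function names and the sample lockfile contents are constructed for illustration.

```javascript
// Added example (not pac-resolver code): audit an npm lockfile for pac-resolver < 5.0.0.
const FIXED_MAJOR = 5; // the article gives 5.0.0 as the fixed release

// Collect every pac-resolver entry. Handles lockfileVersion 2/3 (flat "packages"
// map keyed by install path) and lockfileVersion 1 (nested "dependencies" tree).
function findPacResolver(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/pac-resolver' || path.endsWith('/node_modules/pac-resolver')) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'pac-resolver') hits.push({ path: here.join(' > '), version: meta.version });
      walk(meta.dependencies, here); // v1 nests conflicting copies under their parent
    }
  };
  // v2 lockfiles carry both maps; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Anything below major version 5 predates the move to vm2 described above.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  if (!m) return 'unknown'; // git/tarball specs need manual review
  return Number(m[1]) < FIXED_MAJOR ? 'vulnerable' : 'fixed';
}

function audit(lock) {
  return findPacResolver(lock).map(h => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile (version numbers are illustrative).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/other/node_modules/pac-resolver': { version: '5.0.0' },
  },
};

for (const r of audit(sampleLock)) console.log(`${r.status}\t${r.version}\t${r.path}`);
```

To check a real project, pass the parsed contents of its package-lock.json to `audit` and upgrade whichever parent package pins a copy reported as vulnerable.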

Source: opennet.ru
