Three vulnerabilities found in NPM, fixed in NPM 6.13.4

The developers who maintain the NPM package manager recently published a corrective update, NPM 6.13.4. NPM ships as part of the Node.js distribution and is used to distribute JavaScript modules.

This new corrective release of the manager is meant to resolve three problems that allow arbitrary system files to be modified or overwritten when a package prepared by an attacker is installed.

CVE-2019-16775

This vulnerability affects NPM CLI versions before 6.13.3, which are vulnerable to arbitrary file writes. Packages could create symlinks to files outside the node_modules folder through the bin field after installation.

A properly constructed entry in the bin field of package.json would allow the package publisher to create a symlink pointing to arbitrary files on the user's system when the package is installed. This behaviour is still possible through install scripts.

CVE-2019-16776

In this case, NPM CLI versions before 6.13.3 are affected by an arbitrary file write, since access to folders outside the target node_modules folder through the bin field could not be prevented.

A properly constructed entry in the bin field of package.json would allow the package publisher to modify and gain access to arbitrary files on the user's system when the package is installed. This behaviour is still possible through install scripts.

Path traversal with "/../" in bin paths was allowed.

CVE-2019-16777

Finally, NPM CLI versions before 6.13.4 are vulnerable in this case to an arbitrary file overwrite, since existing globally installed binaries could not be protected from being overwritten by other binaries.

For example, if a package was installed globally and created a `serve` binary, any subsequent installation of a package that also creates a `serve` binary would overwrite the previous `serve` binary. This behaviour is still allowed in local installs and through install scripts.

Files can only be replaced within the directory where executable files are installed (usually /usr/local/bin).

An important point about these vulnerabilities is that whoever wants to exploit these bugs needs the victim to install a package with a specially crafted bin entry. However, as we have seen before, this is not an insurmountable barrier.

The security team at npm, Inc. has been scanning the registry for examples of this attack and has not found any package published in the registry with this exploit. This does not guarantee that it has not been used, but it does mean that it is not currently being used in packages published to the registry.

We will continue to monitor and take action to prevent bad actors from exploiting this vulnerability in the future. However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.

Fixing the problem

As the main solution, it is recommended to update to the new corrective version, since the package.json parsing libraries used in NPM v6.13.3 have been updated so that they sanitize and validate every entry in the bin field, removing leading slashes, path entries and other escape routes, using the path validation built into Node.js.

As a workaround, packages can be installed with the --ignore-scripts option, which prevents install scripts from running.

If you want to know more about the bugs, you can check the details in the npm blog post at the following link.

Finally, those who want to install the new version can do so from the official channels or by building from the source code. For that, you can follow the instructions at the following link.
