Vulnerability found in RubyGems.org that allowed replacing packages

Recently news broke that a serious vulnerability had been identified in the rubygems.org package repository (already catalogued as CVE-2022-29176) which allowed, without authorization, replacing other people's packages in the repository by yanking a legitimate package and uploading another file with the same name and version number in its place.

It is mentioned that the vulnerability was caused by a bug in the handler for the "yank" operation, which treated the part of the name after the hyphen as the platform name; this made it possible to trigger the removal of third-party packages whose names matched the part of the name up to the hyphen character.

Specifically, in the code handling the "yank" operation, the call 'find_by!(full_name: "#{rubygem.name}-#{slug}")' was used to locate the package, with the "slug" parameter supplied by the package owner to identify the version to remove.

The owner of the "rails-html" package could specify "sanitizer-1.2.3" instead of "1.2.3", which would cause the operation to apply to someone else's "rails-html-sanitizer-1.2.3" package.
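To make the lookup flaw and its remedy concrete, here is an added example (not rubygems.org's own code) that models the yank lookup over a small constructed in-memory table; the record layout, the scoped lookup and the gem owners "eve" and "alice" are assumptions.

```ruby
# Added example, not rubygems.org code. The data below is constructed: two
# gems owned by different users, with the full_name form used by the text.
VERSIONS = [
  { rubygem: "rails-html", number: "1.0.0", platform: "ruby",
    full_name: "rails-html-1.0.0", owner: "eve" },
  { rubygem: "rails-html-sanitizer", number: "1.2.3", platform: "ruby",
    full_name: "rails-html-sanitizer-1.2.3", owner: "alice" },
].freeze

# Vulnerable lookup, shaped like the find_by! call quoted in the text: the
# version is resolved by string concatenation over ALL gems, so an
# owner-supplied slug containing a hyphen can land in another gem's namespace.
def vulnerable_yank_target(rubygem_name, slug)
  VERSIONS.find { |v| v[:full_name] == "#{rubygem_name}-#{slug}" }
end

# Hardened lookup (assumed remedy): parse the slug into version number and
# platform first, then search only the versions that belong to the gem
# actually being yanked. A slug can never reach a different gem's rows.
def scoped_yank_target(rubygem_name, slug)
  number, platform = slug.split("-", 2)   # "1.2.3-x86-mingw32" -> ["1.2.3", "x86-mingw32"]
  platform ||= "ruby"                     # bare "1.2.3" means the default platform
  VERSIONS.find do |v|
    v[:rubygem] == rubygem_name && v[:number] == number && v[:platform] == platform
  end
end

# Authorization check layered on the scoped lookup: the caller must own the
# gem whose version is being yanked.
def authorized_yank?(caller, rubygem_name, slug)
  target = scoped_yank_target(rubygem_name, slug)
  !target.nil? && target[:owner] == caller
end
```

With the hyphenated slug from the text, the vulnerable lookup resolves to the other owner's gem while the scoped lookup finds nothing.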

A security advisory for RubyGems.org was published yesterday.

The advisory concerns a bug that allowed a malicious user to yank certain gems and upload different files with the same name and version number but a different platform.

Let's dig deeper to see what happens when the yank operation is executed. As a proof of concept, imagine a scenario in which we create a gem named "rails-html" with the aim of gaining unauthorized access to the widely used "rails-html-sanitizer" gem.

It is mentioned that three conditions must be met to exploit this vulnerability successfully:

  • The attack is only possible against packages that have a hyphen in their name.
  • The attacker must be able to publish a gem package whose name is the part of the target's name up to the hyphen. For example, if the attack targets the "rails-html-sanitizer" package, the attacker must publish their own "rails-html" package in the repository.
  • The attacked package must have been created within the last 30 days or not updated for 100 days.

The problem was discovered by a security researcher as part of the HackerOne bounty program for finding security issues in well-known open source projects.

The issue was fixed on RubyGems.org on May 5 and, according to the developers, no signs of exploitation of the vulnerability have been found in the logs for the past 18 months. However, only a superficial audit has been carried out so far, and a deeper audit is planned for the future.

At present, we believe this vulnerability has not been exploited.

RubyGems.org sends an email to all gem owners when a gem version is released or yanked. We have not received any support emails from gem owners indicating that a gem was yanked without authorization.

An audit of gem changes over the past 18 months found no instances of this vulnerability being used maliciously. A further audit for any possible use of this exploit found no example of it being used to take over a gem without authorization in the history of RubyGems. We cannot guarantee that it has never happened, but it does not seem likely.

To verify your projects, it is recommended to analyze the history of changes to the Gemfile.lock file. Malicious activity shows up as changes with the same name and version but a different platform (for example, when the package xxx-1.2.3 was updated to xxx-1.2.3-xxx).

As a protection against package substitution in continuous integration systems or when deploying projects, developers are advised to run Bundler with the "--frozen" or "--deployment" options to pin dependencies to the ones recorded in Gemfile.lock.

Finally, if you are interested in learning more about it, you can check the details at the following link.

