Pysa, a static analyzer specialised in Python, released by Facebook

Facebook has released an open-source static analyzer called «Pysa» (Python Static Analyzer), designed to find potential vulnerabilities in Python code.

Pysa performs static data-flow (taint) analysis over the flows the code would produce when executed, which makes it possible to find many vulnerabilities and privacy problems caused by data reaching places where it should never appear.

For example, Pysa can trace raw external data into calls that execute external programs, into file operations and into SQL queries.

"Today, we are sharing details about Pysa, an open-source tool we built to detect and prevent security and privacy issues in Python code. Last year, we shared how we built Zoncolan, a static analysis tool that helps us analyze more than 100 million lines of Hack code and has helped engineers prevent thousands of security issues. That success motivated us to develop Pysa, which is short for Python Static Analyzer."

Pysa uses the same algorithms for static analysis and even shares code with Zoncolan. Like Zoncolan, Pysa tracks data flows through a program.

The user defines sources (places where sensitive data originates) and sinks (places where data from a source must not end up).

For security applications, the most common sources are the points where user-controlled data enters the application, such as Django's request dictionaries (HttpRequest.GET, for instance).

Sinks are far more varied, but can include APIs that execute code, such as eval, or APIs that access the file system, such as os.open.

Pysa performs iterative rounds of analysis to build summaries that record which functions return data from a source and which functions have parameters that eventually reach a sink. If Pysa finds that a source eventually connects to a sink, it reports an issue.

In other words, the analysis identifies the entry points of incoming data and the dangerous calls in which unsanitised data must never be used, then follows the data through the chain of function calls, linking each origin with the dangerous places in the code.
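To make the source/sink/summary mechanism concrete, here is a toy interprocedural taint analysis written for this article; it is an added example, not Pysa's code, and the names SOURCES, SINKS and get_param are hypothetical. Each function is analysed on its own with its parameters marked as taint origins; what reaches its return value and which parameters reach a sink become its summary, and every function is re-analysed until no summary changes, so taint is followed across calls without re-analysing callees at each call site.

```python
# Added example, not Pysa's own code: a toy interprocedural taint analysis that
# works the way the article describes (hypothetical names: SOURCES, SINKS, get_param).
import ast
from collections import namedtuple

SOURCES = {"get_param"}        # calls that return user-controlled data
SINKS = {"os.system", "eval"}  # calls whose arguments must stay untainted
# Per-function summary: origins that reach the return value, parameter indices that reach a sink
Summary = namedtuple("Summary", "returns params_to_sink")
EMPTY = Summary(frozenset(), frozenset())


def call_name(node):  # dotted name of a call target, e.g. os.system(...) -> 'os.system'
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    return ".".join(reversed(parts + [f.id])) if isinstance(f, ast.Name) else None


class FunctionAnalyzer(ast.NodeVisitor):
    # One pass over one function; taint is a set of origins: 'source' or 'param:i'.
    def __init__(self, fn, summaries):
        self.fn, self.summaries = fn, summaries
        self.env = {a.arg: {f"param:{i}"} for i, a in enumerate(fn.args.args)}
        self.returns, self.params_to_sink, self.issues = set(), set(), []

    def origins(self, node):
        if isinstance(node, ast.Name):
            return set(self.env.get(node.id, ()))
        if isinstance(node, ast.Call):
            return self.call_origins(node)
        # any other expression is tainted if one of its sub-expressions is
        return set().union(*(self.origins(c) for c in ast.iter_child_nodes(node)))

    def call_origins(self, node):
        name, args = call_name(node), [self.origins(a) for a in node.args]
        if name in SOURCES:
            return {"source"}
        if name in SINKS:
            self.check_sink(set().union(*args), node)
            return set()
        summ = self.summaries.get(name, EMPTY)  # unknown callee: no propagation, no sink
        for i in summ.params_to_sink & set(range(len(args))):  # parameter i hits a sink
            self.check_sink(args[i], node)
        result = summ.returns & {"source"}  # callee returns source data outright...
        for o in summ.returns - {"source"}:  # ...or passes a parameter through to its return
            if int(o[6:]) < len(args):
                result |= args[int(o[6:])]
        return result

    def check_sink(self, origins, node):
        if "source" in origins:  # complete source-to-sink path: report it
            self.issues.append((self.fn.name, node.lineno))
        for o in origins:  # a parameter reaches a sink: record it in the summary
            if o.startswith("param:"):
                self.params_to_sink.add(int(o[6:]))

    def visit_Assign(self, node):
        taint = self.origins(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.env[target.id] = taint

    def visit_Expr(self, node):
        self.origins(node.value)

    def visit_Return(self, node):
        if node.value is not None:
            self.returns |= self.origins(node.value)


def analyze(source):
    """Re-analyze every function until no summary changes, then report the issues."""
    fns = {n.name: n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)}
    summaries = dict.fromkeys(fns, EMPTY)
    while True:
        issues, changed = [], False
        for name, fn in fns.items():
            a = FunctionAnalyzer(fn, summaries)
            a.visit(fn)
            new = Summary(frozenset(a.returns), frozenset(a.params_to_sink))
            if new != summaries[name]:
                summaries[name], changed = new, True
            issues.extend(a.issues)
        if not changed:
            return summaries, sorted(set(issues))


# Constructed sample program: user data reaches os.system two calls away.
SAMPLE = '''
def build_command(name):
    return "ls " + name        # parameter 0 flows to the return value

def run(cmd):
    os.system(cmd)             # parameter 0 reaches a sink

def list_dir():
    name = get_param("dir")    # source: user-controlled data
    cmd = build_command(name)  # taint propagates through build_command's summary
    run(cmd)                   # ... and into the sink through run's summary
'''

if __name__ == "__main__":
    print(analyze(SAMPLE))  # issues: [('list_dir', 11)]
```

Neither build_command nor run is dangerous on its own; the issue only exists because list_dir connects a source to a sink through both of their summaries, which is exactly the kind of flow an intraprocedural linter misses. The toy is field- and flow-insensitive and knows nothing about sanitisers, features or the many source and sink kinds a real Pysa model distinguishes, but the fixpoint over summaries is the same idea.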

"Because we use open-source Python server frameworks like Django and Tornado for our products, Pysa can start finding security issues in projects that use those frameworks from the very first run. Using Pysa on a framework we do not yet have coverage for is as simple as adding a few lines of configuration to tell Pysa where data enters the server."

A typical vulnerability found by Pysa is the open-redirect issue (CVE-2019-19775) in the Zulip messaging platform, caused by passing unsanitised external parameters through while displaying thumbnails.

Pysa's data-tracking capability can also be used to check code built on additional frameworks and to verify compliance with policies on the use of user data.

For example, Pysa can be used without extra configuration to check projects built on the Django and Tornado frameworks. Pysa can also detect common web-application vulnerabilities such as SQL injection and cross-site scripting (XSS).
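As an added illustration (not from the original post or the Pysa project), this is what the "few lines of configuration" look like in Pysa's model language, which borrows Python stub syntax: a source annotation on the Django query-string dictionary the article mentions and a sink annotation on os.system. The names UserControlled and RemoteCodeExecution are assumed to be declared, and paired in a rule, in the project's taint.config; check the exact syntax against the current Pyre/Pysa documentation before relying on it.

```text
# models/web.pysa (added example; model syntax as documented for Pyre/Pysa)

# Source: everything read from the Django query-string dictionary is user-controlled.
django.http.request.HttpRequest.GET: TaintSource[UserControlled] = ...

# Sink: the argument of os.system must never carry that taint.
def os.system(command: TaintSink[RemoteCodeExecution]): ...
```

With this model in a directory listed under the project's Pysa configuration, `pyre analyze` reports any view in which a value taken from request.GET reaches os.system, however many intermediate functions sit between the two.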

At Facebook, the analyzer is used to check the code of the Instagram service. In the first half of 2020, Pysa helped find 44% of all issues that Facebook engineers discovered in the Instagram server codebase.

During automated verification of code changes, Pysa flagged 330 issues, of which 49 (15%) were rated as serious and 131 (40%) as not dangerous; the remaining 150 cases (45%) were false positives.

The new functionality is implemented as an add-on to the Pyre type checker and lives in Pyre's repository. The code is released under the MIT license.

Finally, if you want to learn more about it, you can read the details in the original post. The link is this one.
