Dependency confusion attack allows code execution at PayPal, Microsoft, Apple, Netflix, Uber and 30 other companies

A few days ago a surprisingly simple method was published that allows attacking the dependencies used when building software with internal package repositories. The researchers who found the problem were able to run their code on the internal servers of 35 companies, including PayPal, Microsoft, Apple, Netflix, Uber, Tesla and Shopify.

The hacks were carried out as part of bug bounty programs, in coordination with the attacked companies, and the researchers have already received $130,000 in bounties for identifying the vulnerabilities.

The method is based on the fact that many companies use standard dependencies from the NPM, PyPI and RubyGems repositories in their internal applications, together with internal dependencies that are not published openly and are downloaded from the companies' own repositories.

The problem is that package managers such as npm, pip and gem try to load the companies' internal dependencies from public repositories as well. For an attack it is enough to determine the names of the internal dependencies and to create packages with the same names in the public NPM, PyPI and RubyGems repositories.

The problem is not specific to NPM, PyPI and RubyGems; it also shows up in other systems such as NuGet, Maven and Yarn.

The idea for the described method came after a researcher noticed by accident that, in publicly available code posted on GitHub, many companies do not remove the mentions of additional dependencies from their manifest files, which are used in internal projects or when implementing extended functionality. Similar traces were found in the JavaScript code of web services, as well as in the Node.JS, Python and Ruby projects of many companies.

The main leak was related to the embedding of the contents of package.json files into publicly available JavaScript code at build time, and to the use of real path elements in require() calls, which can be used to determine the names of dependencies.

Analysing several million corporate files turned up hundreds of thousands of JavaScript files whose names were not in the NPM repository. After compiling a database of internal package names, the researcher decided to run an experiment hacking the infrastructure of companies that take part in bug bounty programs. The results were surprisingly effective: the researcher was able to run his code on many development computers and on servers responsible for building or testing on top of continuous integration systems.

When downloading dependencies, the npm, pip and gem package managers mostly installed the packages from the primary public repositories NPM, PyPI and RubyGems, which were treated as having higher priority.

The presence of packages with the same names in the company's own repositories was ignored without displaying a warning or causing a failure that could have attracted the administrators' attention. In PyPI, download priority was affected by the version number (regardless of the repository, the newest version of the package was taken). In NPM and RubyGems, priority depended only on the repository.
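An added example, not code from the original article or the researcher: a small audit script that reads the kind of manifests described above (a package.json and a requirements.txt, constructed here) against an inventory of internal package names, and models the two priority rules just described (registry priority for npm/gem, highest version for pip) to show which internal dependencies a public registry would already serve and which are merely unreserved. The inventory, the public registry versions and the "@org/" scope convention are assumptions.

```python
import json
# Constructed sample manifests, in the shape an internal project might leak on GitHub.
PACKAGE_JSON = """{
  "name": "internal-portal",
  "dependencies": {"@acme/auth-client": "^2.1.0", "acme-billing-utils": "1.4.0", "react": "^17.0.0"},
  "devDependencies": {"acme-build-tools": "0.9.2"}
}"""
REQUIREMENTS_TXT = "requests==2.25.1\nacme-ledger==3.2.0\nacme-audit==5.0.0\n"

# Constructed inventory: names only the organisation publishes, with the private-server version.
INTERNAL = {"@acme/auth-client": "2.1.0", "acme-billing-utils": "1.4.0",
            "acme-build-tools": "0.9.2", "acme-ledger": "3.2.0", "acme-audit": "5.0.0"}
# Constructed: what a public registry currently serves under the same names.
PUBLIC = {"acme-billing-utils": "0.0.1", "acme-ledger": "99.0.0", "acme-audit": "1.0.0"}

def declared(package_json, requirements_txt):
    """Map each dependency name to its ecosystem (pip lines are assumed to be 'name==version')."""
    manifest = json.loads(package_json)
    names = {n: "npm" for sec in ("dependencies", "devDependencies") for n in manifest.get(sec, {})}
    for line in requirements_txt.splitlines():
        if line.strip():
            names[line.split("==")[0].strip()] = "pypi"
    return names

def version_key(version):
    return tuple(int(part) for part in version.split("."))

def resolve(name, ecosystem, internal=INTERNAL, public=PUBLIC):
    """Source the article's priority rules would fetch `name` from.
    npm/gem: the public registry wins whenever it has the name.  pypi: the highest
    version wins, whichever index serves it.  Scoped @org/ names are assumed private."""
    if name not in internal:
        return "public"
    if (ecosystem == "npm" and name.startswith("@")) or name not in public:
        return "internal"
    if ecosystem == "pypi":
        return "public" if version_key(public[name]) > version_key(internal[name]) else "internal"
    return "public"

def audit(package_json, requirements_txt, internal=INTERNAL, public=PUBLIC):
    """'hijacked': a public package already shadows the private one;
    'exposed': the name is not reserved, so a public upload could shadow it later."""
    report = {}
    for name, eco in declared(package_json, requirements_txt).items():
        if name not in internal or (eco == "npm" and name.startswith("@")):
            continue
        report[name] = "hijacked" if resolve(name, eco, internal, public) == "public" else "exposed"
    return report
```

Note that acme-billing-utils is reported as hijacked even though the public copy carries a lower version, because under npm's registry priority the version number never enters into it.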

The researcher placed packages in the NPM, PyPI and RubyGems repositories whose names overlapped with the internal dependencies he had found, adding code to the script that runs before installation (preinstall in NPM) to collect information about the system and send the gathered information to an external host.

To report the success of the hack while passing through firewalls that block outbound traffic, a covert channel communicating over the DNS protocol was set up. The running code resolved a host name within a domain under the attacker's control, which allowed information about successful runs to be collected on the DNS server. Information about the host, the user name and the current path was transmitted.

75% of all recorded code executions were associated with NPM package downloads, mainly because there were more internal JavaScript package names than Python and Ruby names.

Source: https://medium.com/
