A vulnerability was found in RubyGems.org that allowed packages to be replaced

Recently, news broke about a critical vulnerability discovered in the rubygems.org package repository (registered as CVE-2022-29176), which allowed, without proper authorization, replacing other people's packages in the repository by yanking the legitimate package and uploading another file with the same name and version number in its place.

It is reported that the vulnerability is caused by a bug in the "yank" action handler, which treats the part of the name after the hyphen as the platform name. This made it possible to initiate the removal of other people's packages whose names match the portion of the name up to the hyphen character.

Specifically, in the controller code for the "yank" operation, the call 'find_by!(full_name: "#{rubygem.name}-#{slug}")' was used to look up the package, where the "slug" parameter was supplied by the package owner to identify the version to be removed.

The owner of the "rails-html" package could specify "sanitizer-1.2.3" instead of the version "1.2.3", which would cause the operation to be applied to someone else's "rails-html-sanitizer-1.2.3" package.
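The lookup pattern quoted above, modelled in plain Ruby as an added example (this is not rubygems.org's code, and the scoped lookup is one illustrative fix rather than the project's actual patch). The gem names, version numbers and platforms are constructed; the in-memory `GemVersion`/`Rubygem` structs stand in for the real database models.

```ruby
# Constructed model of a gem version: full_name is name-number[-platform].
GemVersion = Struct.new(:gem_name, :number, :platform) do
  def full_name
    platform == "ruby" ? "#{gem_name}-#{number}" : "#{gem_name}-#{number}-#{platform}"
  end
end

Rubygem = Struct.new(:name, :versions)

# Constructed repository state: the "rails-html" gem (owned by the party
# issuing the yank) and the unrelated "rails-html-sanitizer" gem both exist.
REPOSITORY = [
  Rubygem.new("rails-html", [GemVersion.new("rails-html", "0.1.0", "ruby")]),
  Rubygem.new("rails-html-sanitizer", [
    GemVersion.new("rails-html-sanitizer", "1.2.3", "ruby"),
    GemVersion.new("rails-html-sanitizer", "1.2.3", "x86_64-linux"),
  ]),
]

# Vulnerable pattern: the lookup runs over every version in the repository,
# keyed only on the concatenated string, so an owner of "rails-html" who
# passes slug "sanitizer-1.2.3" resolves "rails-html-sanitizer-1.2.3".
def find_version_vulnerable(repo, rubygem, slug)
  wanted = "#{rubygem.name}-#{slug}"
  repo.flat_map(&:versions).find { |v| v.full_name == wanted }
end

# Hardened pattern (illustrative): parse the slug into a version number and
# an optional platform with a strict grammar, then search only the versions
# that belong to this gem. "sanitizer-1.2.3" fails the number check, and
# even a well-formed slug can never reach another gem's versions.
SLUG_RE = /\A(?<number>\d+(?:\.\d+)*(?:\.[A-Za-z0-9]+)*)(?:-(?<platform>[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*))?\z/

def find_version_scoped(rubygem, slug)
  m = SLUG_RE.match(slug)
  return nil unless m
  platform = m[:platform] || "ruby"
  rubygem.versions.find { |v| v.number == m[:number] && v.platform == platform }
end

if __FILE__ == $PROGRAM_NAME
  owner = REPOSITORY[0]
  puts "vulnerable: #{find_version_vulnerable(REPOSITORY, owner, 'sanitizer-1.2.3')&.full_name.inspect}"
  puts "scoped:     #{find_version_scoped(owner, 'sanitizer-1.2.3').inspect}"
end
```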

The RubyGems.org security advisory was published yesterday.

The advisory concerns a bug that allowed a malicious user to yank other people's gems and upload different files with the same name, the same version number, and a different platform.

Let's take a closer look at what went wrong by walking through the yank path. As a hypothetical, consider a scenario where we create a gem called "rails-html" with the goal of gaining unauthorized access to the widely used "rails-html-sanitizer" gem.

It is reported that three conditions must be met to exploit this vulnerability successfully:

  • The attack can only be carried out against packages that have a hyphen character in their name.
  • The attacker must be able to place a gem whose name equals the portion of the target's name up to the hyphen character. For example, if the attack is against the "rails-html-sanitizer" package, the attacker must place their own "rails-html" package in the repository.
  • The attacked package must have been created within the last 30 days or not updated for 100 days.

The problem was identified by a security researcher as part of the HackerOne bounty program for finding security issues in well-known open source projects.

The problem was fixed on RubyGems.org on May 5 and, according to the developers, they have not yet found any traces of the vulnerability being exploited in the logs for the past 18 months. At the same time, only a superficial review has been carried out so far, and a more in-depth review is planned for the future.

At this time, we believe this vulnerability has not been exploited.

RubyGems.org sends an email to all gem owners whenever a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem was yanked without authorization.

An audit of gem changes over the past 18 months found no examples of this vulnerability being used maliciously. A further audit for any use of this exploit found no example of it being used to take over a gem without authorization in the history of RubyGems. We cannot guarantee that it never happened, but it seems unlikely.

To check your projects, it is recommended to review the history of changes to the Gemfile.lock file. Malicious activity would show up as a change that keeps the same name and version but changes the platform (for example, when the package xxx-1.2.3 is changed to xxx-1.2.3-xxx).

As protection against the silent substitution of packages in continuous integration systems or when deploying projects, developers are advised to use Bundler with the "--frozen" or "--deployment" option to pin dependencies.

Finally, if you are interested in learning more about it, you can check the details at the following link.
