Vulnerability discovered in RubyGems.org that allowed packages to be replaced

Recently news broke that a critical vulnerability had been identified in the rubygems.org package repository (already catalogued as CVE-2022-29176). It allowed, without proper authorization, replacing other people's packages in the repository by yanking the legitimate package and uploading another file with the same name and version number in its place.

It is mentioned that the vulnerability is due to a bug in the "yank" action handler, which treated the part of the name after the hyphen as the platform name, making it possible to initiate the removal of third-party packages whose name matches the part of the name up to the hyphen.

Specifically, in the "yank" action handler code, the call 'find_by!(full_name: "#{rubygem.name}-#{slug}")' was used to look up the package, where the "slug" parameter was supplied by the package owner to specify the version to be removed.

The owner of the "rails-html" package could specify "sanitizer-1.2.3" instead of the version "1.2.3", which would cause the operation to be applied to the "rails-html-sanitizer-1.2.3" package belonging to someone else.
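As an added illustration (not code from rubygems.org or the advisory), the following Ruby sketch models the lookup described above against an in-memory gem list: the concatenated full_name match lets the owner of "rails-html" reach a "rails-html-sanitizer" version, while a lookup scoped to the caller's own gem does not. The gem names, owners and the scoped variant are assumptions for illustration.

```ruby
# Constructed in-memory model of the yank lookup; not rubygems.org code.
Version = Struct.new(:gem_name, :number, :platform) do
  # Mirrors RubyGems' "<gem>-<version>[-<platform>]" naming.
  def full_name
    platform == "ruby" ? "#{gem_name}-#{number}" : "#{gem_name}-#{number}-#{platform}"
  end
end

# Constructed sample data: two distinct gems with different owners.
VERSIONS = [
  Version.new("rails-html", "0.1.0", "ruby"),
  Version.new("rails-html-sanitizer", "1.2.3", "ruby"),
  Version.new("rails-html-sanitizer", "1.2.3", "x86_64-linux"),
].freeze
OWNERS = { "rails-html" => "attacker", "rails-html-sanitizer" => "maintainer" }.freeze

# Vulnerable pattern from the advisory: the caller's gem name and the unparsed
# slug are concatenated and matched against full_name across ALL gems, so a
# hyphen inside the slug cannot be told apart from a hyphen in a gem name.
def find_version_vulnerable(rubygem_name, slug)
  VERSIONS.find { |v| v.full_name == "#{rubygem_name}-#{slug}" }
end

# Hardened lookup (an assumed fix, not the upstream patch): search only the
# caller's own gem and compare number and platform as separate fields.
# Simplification: the first hyphen in the slug is taken as the platform separator.
def find_version_scoped(rubygem_name, slug)
  number, platform = slug.split("-", 2)
  platform ||= "ruby"
  VERSIONS.find do |v|
    v.gem_name == rubygem_name && v.number == number && v.platform == platform
  end
end

# Both handlers authorize the caller against the gem named in the request, which
# is only sufficient if the lookup cannot escape that gem. Returns the full_name
# of the version that would be yanked, :forbidden, or :not_found.
def yank(user, rubygem_name, slug, lookup)
  return :forbidden unless OWNERS[rubygem_name] == user
  version = send(lookup, rubygem_name, slug)
  version ? version.full_name : :not_found
end

def yank_vulnerable(user, rubygem_name, slug)
  yank(user, rubygem_name, slug, :find_version_vulnerable)
end

def yank_scoped(user, rubygem_name, slug)
  yank(user, rubygem_name, slug, :find_version_scoped)
end
```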

The Rubygems.org security advisory was published yesterday.

The advisory concerns a bug that allowed a malicious user to yank certain gems and upload different files with the same name and version number but a different platform.

Let's take a closer look at what went wrong as we walk through the yank process. As a reference, let's imagine a scenario in which we create a gem called "rails-html" with the intention of gaining unauthorized access to the widely used gem "rails-html-sanitizer".

It is mentioned that three conditions must be met in order to exploit this vulnerability successfully:

  • The attack is only possible against packages that have a hyphen in their name.
  • The attacker must be able to publish a gem package whose name matches the part of the target's name up to the hyphen. For example, if the attack is against the "rails-html-sanitizer" package, the attacker must publish their own "rails-html" package in the repository.
  • The attacked package must have been created within the last 30 days or not updated for 100 days.

The issue was identified by a security researcher as part of the HackerOne bounty program for finding security issues in well-known open source projects.

The issue was fixed on RubyGems.org on May 5 and, according to the developers, no traces of exploitation of the vulnerability have been identified in the logs for the last 18 months. At the same time, only a superficial audit has been carried out so far, and a deeper audit is planned for the future.

At this time, we believe this vulnerability has not been exploited.

RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem was yanked without authorization.

An audit of gem changes over the last 18 months found no instances of malicious use of this vulnerability. An additional audit of any possible use of this exploit found no instance of it being used to take over a gem without authorization in the history of RubyGems. We cannot guarantee that it never happened, but it does not seem likely.

To verify your projects, it is recommended that you analyze the change history of the Gemfile.lock file. Malicious activity would show up as changes with the same name and version, or as a change of platform (for example, when the package xxx-1.2.3 is updated to xxx-1.2.3-xxx).

As a workaround against package substitution in continuous integration systems or when deploying projects, developers are advised to run Bundler with the "--frozen" or "--deployment" option to verify dependencies.

Finally, if you are interested in learning more about it, you can check the details at the following link.
