Vulnerability found in RubyGems.org that allowed package substitution

Recently the news broke that a critical vulnerability was identified in the rubygems.org package repository (already catalogued as CVE-2022-29176) which allowed, without proper authorization, replacing other people's packages in the repository by yanking the legitimate package and uploading another file with the same name and version number in its place.

It is mentioned that the vulnerability is due to a bug in the "yank" action handler, which treats the part of the name after the hyphen as the platform name, making it possible to initiate the removal of foreign packages whose name matches the part of the name up to the hyphen character.

In particular, in the code of the "yank" action controller, the call 'find_by!(full_name: "#{rubygem.name}-#{slug}")' was used to look up packages, while the "slug" parameter was supplied by the package owner to determine the version to be removed.

The owner of the "rails-html" package could specify "sanitizer-1.2.3" instead of the version "1.2.3", which would cause the operation to be applied to the "rails-html-sanitizer-1.2.3" package belonging to someone else.
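The following is an added example, not RubyGems.org code: an in-memory model of the lookup just described, showing how concatenating the owner-supplied slug onto the gem name lets the "rails-html" owner address a "rails-html-sanitizer" version, and how scoping the lookup to the requesting gem's own versions closes the gap. The registry contents and the hardened variant are assumptions for illustration, not the project's actual patch.

```ruby
require "rubygems" # for Gem::Version.correct?

# Constructed registry standing in for the versions table: full_name => owning gem.
# The platform-suffixed entry mirrors how full_name also carries the platform.
REGISTRY = {
  "rails-html-1.0.0"                        => "rails-html",
  "rails-html-sanitizer-1.2.3"              => "rails-html-sanitizer",
  "rails-html-sanitizer-1.2.3-x86_64-linux" => "rails-html-sanitizer",
}.freeze

class NotFound < StandardError; end

# Vulnerable pattern from the article: glue the owner-controlled slug onto the
# gem name and look that string up across every gem. Nothing ties the result
# back to the gem the caller owns, so the hyphen in "rails-html-sanitizer"
# lets the "rails-html" owner reach a foreign version.
def yank_vulnerable(gem_name, slug)
  full_name = "#{gem_name}-#{slug}"
  raise NotFound, full_name unless REGISTRY.key?(full_name)
  full_name
end

# Hardened pattern (assumption for this example): the slug must start with a
# well-formed version number, and the matched version must belong to the
# requesting gem. The ownership check is the decisive one.
def yank_scoped(gem_name, slug)
  number = slug.split("-", 2).first
  raise NotFound, slug unless Gem::Version.correct?(number)
  full_name = "#{gem_name}-#{slug}"
  raise NotFound, full_name unless REGISTRY[full_name] == gem_name
  full_name
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{yank_vulnerable('rails-html', 'sanitizer-1.2.3')}" # foreign gem reached
  begin
    yank_scoped("rails-html", "sanitizer-1.2.3")
  rescue NotFound => e
    puts "scoped: rejected #{e.message}"
  end
  puts "scoped: #{yank_scoped('rails-html-sanitizer', '1.2.3-x86_64-linux')}" # legitimate owner
end
```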

The RubyGems.org security advisory was published yesterday.

The advisory concerns a bug that allowed a malicious user to yank certain gems and upload different files with the same name, the same version number, and a different platform.

Let's take a closer look to see what went wrong as we walk through the yank process. As an example, let's consider a scenario in which we create a gem called "rails-html" with the intention of gaining unauthorized access to the widely used gem "rails-html-sanitizer".

It is mentioned that three conditions had to be met in order to exploit this vulnerability successfully:

  • The attack is only possible against packages that have a hyphen in their name.
  • The attacker must be able to place a gem package whose name matches the part of the target's name up to the hyphen. For example, if the attack is against the "rails-html-sanitizer" package, the attacker must place his own "rails-html" package in the repository.
  • The attacked package must have been created within the last 30 days or not updated for 100 days.

The problem was identified by a security researcher as part of the HackerOne bounty program for finding security problems in well-known open source projects.

The problem was fixed on RubyGems.org on May 5 and, according to the developers, they have not seen traces of the vulnerability being exploited in the logs over the past 18 months. At the same time, only a superficial audit of the logs has been carried out so far, and a more detailed audit is planned for the future.

At this time, we believe this vulnerability has not been exploited.

RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem was yanked without authorization.

An audit of gem changes over the past 18 months found no instances of this vulnerability being used maliciously. A further audit for any possible use of this exploit found no instance of it being used to take over a gem without authorization in the history of RubyGems. We cannot guarantee that it never happened, but it does not seem likely.

To verify your projects, it is recommended to review the history of changes to the Gemfile.lock file. Malicious activity would show up as changes that keep the same name and version but alter the content, or as a platform change (for example, if the package xxx-1.2.3 was updated to xxx-1.2.3-xxx).

As a protection against substitution of packages in continuous integration systems or when publishing projects, developers are advised to run Bundler with the "--frozen" or "--deployment" option so that dependencies are verified against the lockfile.

Finally, if you are interested in learning more about it, you can check the details at the following link.
