Three vulnerabilities found in NPM, fixed in NPM 6.13.4

The engineers who maintain the NPM package manager project recently released the corrective update NPM 6.13.4. NPM ships with the Node.js distribution and is used to distribute JavaScript modules.

This new corrective version of the manager was released to fix three vulnerabilities that allow arbitrary system files to be modified or overwritten when a package prepared by an attacker is installed.

CVE-2019-16775

This vulnerability affects NPM CLI versions before 6.13.3, which are vulnerable to an arbitrary file write. Packages can create symbolic links to files outside the node_modules folder through the bin field at installation time.

A properly constructed entry in the package.json bin field would allow the package publisher to create a symbolic link pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts.

CVE-2019-16776

In this vulnerability, NPM CLI versions before 6.13.3 are affected by an arbitrary file write, since they do not prevent access to folders outside the intended node_modules folder through the bin field.

A properly constructed entry in the package.json bin field would allow the package publisher to modify and/or access arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts.

Paths containing "/../" were accepted in the bin field.

CVE-2019-16777

Finally, NPM CLI versions before 6.13.4 are vulnerable to an arbitrary file overwrite, since they do not prevent existing globally installed binaries from being overwritten by other package installs.

For example, if a package was installed globally and created a `serve` binary, any subsequent install of a package that also creates a `serve` binary would overwrite the previous `serve` binary. This behavior is still allowed in local installations and also through install scripts.

Only files in the directory where executables are installed (usually /usr/local/bin) can be overwritten.

An important point about these vulnerabilities is that anyone wanting to exploit these flaws would need their victim to install a package with a specially crafted bin entry. However, as we have seen in the past, that is not an insurmountable obstacle.

The npm, Inc. security team scanned the registry for examples of this attack and did not find any packages published to the registry containing this exploit. That does not guarantee that it has never been used, but it does mean that it is not currently being used in packages published to the registry.

"We will continue to monitor and take steps to prevent bad actors from exploiting this vulnerability in the future. However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible."

Fixing the problem

As the main solution, it is recommended to upgrade to the new corrective version, since the package.json handling libraries used in NPM v6.13.3 were updated to sanitize and validate every entry in the bin field, stripping leading slashes, path entries and other path-escape mechanisms, using the well-tested and more reliable path utility built into Node.js.

Alternatively, as a workaround, packages can be installed with the --ignore-scripts option, which prevents the install scripts built into packages from running.

Without further ado, if you want to know more about these vulnerabilities, you can check the details in the npm blog post at the following link.

Finally, those who want to install the new version can do so through the official channels or by compiling it from its source code. To do so, you can follow the instructions at the following link.
