Pysa, a Python static analyzer provided by Facebook

Facebook has introduced an open source analyzer called «Pysa» (Python Static Analyzer), built to identify potential vulnerabilities in Python code.

Pysa performs data-flow analysis based on how the code executes, which lets it detect many potential security and privacy issues that stem from data reaching places where it should not appear.

For example, Pysa can track the use of raw external data in calls that run external programs, in file operations, and in the construction of SQL statements.

"Today, we are sharing details about Pysa, an open source static analysis tool we have built to detect and prevent security and privacy issues in Python code. Last year, we shared how we created Zoncolan, a static analysis tool that helps us analyze more than 100 million lines of Hack code and has helped engineers prevent thousands of potential security issues. That success inspired us to develop Pysa, which is an acronym for Python Static Analyzer."

Pysa uses the same techniques as Zoncolan to perform static analysis and shares code with it. Like Zoncolan, Pysa tracks the flow of data through the program.

The user defines sources (the places where sensitive data originates) and sinks (the places where data from a source must not end up).

For security purposes, the most common sources are the points where user-controlled data enters the application, such as the dictionary of request parameters in Django (HttpRequest.GET).

Sinks tend to be much more varied, but they include APIs that execute code, such as eval, or APIs that access the file system, such as os.open.

Pysa performs iterative rounds of analysis to build summaries that determine which functions return data originating from a source and which functions have parameters that eventually reach a sink. If Pysa finds that a source eventually connects to a sink, it reports an issue.

The analyzer's job therefore comes down to identifying the sources of incoming data and the dangerous calls where raw data must not be used.

Pysa follows the data as it passes through the chain of function calls and links the raw data to the potentially dangerous places in the code.

"Because we use open source Python server frameworks such as Django and Tornado in our products, Pysa can start finding security issues in projects that use those frameworks from the very first run. Using Pysa with frameworks we do not yet have coverage for is as simple as adding a few lines of configuration to tell Pysa where data enters the server."

A typical vulnerability identified by Pysa is an open redirect issue (CVE-2019-19775) in the Zulip messaging platform, caused by passing an unsanitized external parameter when displaying thumbnails.

Pysa's data-flow tracking can also be used to check the use of additional frameworks and to determine compliance with policies on the use of user data.

For example, Pysa can be used without additional configuration to check projects built on the Django and Tornado frameworks. Pysa can also identify common vulnerabilities in web applications, such as SQL injection and cross-site scripting (XSS).
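To make the source/sink/summary mechanism described above concrete, here is a small self-contained taint analysis written for this article; it is an added example, not code from Pysa or Pyre. It models the same three ideas: sources and sinks declared by name, a per-function summary recording which source kinds a function returns and which of its parameters reach a sink, and repeated rounds over all functions until no summary changes. It runs on a constructed Django-style module containing a command-injection flow through two helpers, a sanitized variant, and the open-redirect pattern of the Zulip case above. The rule names (UserControlled, RemoteCodeExecution) borrow Pysa's vocabulary, but the SOURCES/SINKS/SANITIZERS dicts, the sample module and the analyzer itself are this example's own and are deliberately much simpler than Pysa (straight-line code only, positional arguments only, no parameter pass-through in return values).

```python
import ast

# Constructed rules: source/sink names borrow Pysa's vocabulary, but this is not its taint.config format.
SOURCES = {"request.GET": "UserControlled"}
SINKS = {"os.system": "RemoteCodeExecution", "eval": "RemoteCodeExecution",
         "HttpResponseRedirect": "OpenRedirect"}
SANITIZERS = {"shlex.quote"}  # calls whose result is treated as clean
SAMPLE = '''
# constructed Django-style module to analyze: it is only parsed, never executed
import os, shlex
def read_path(request):
    return request.GET["path"]            # summary: returns UserControlled
def view(request):
    run(read_path(request))               # issue: source -> helper -> helper -> sink
def safe_view(request):
    run(shlex.quote(read_path(request)))  # no issue: sanitized before the sink
def run(cmd):                             # defined after its callers on purpose:
    os.system(cmd)                        # the issue in view() needs a second round
def redirect(request):
    target = request.GET["next"]
    return HttpResponseRedirect(target)   # issue: open redirect
'''

def dotted(node):  # 'os.system' for a Name/Attribute chain, '' for anything else
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and dotted(node.value):
        return dotted(node.value) + "." + node.attr
    return ""

class TaintAnalyzer:
    """Taint labels: a source kind ("UserControlled") or ("param", name) for a parameter's taint."""

    def __init__(self, tree):
        self.funcs = {f.name: f for f in tree.body if isinstance(f, ast.FunctionDef)}
        # per-function summary: source kinds it returns, and which parameters reach which sinks
        self.summaries = {n: {"returns": set(), "param_sinks": {}} for n in self.funcs}
        self.issues = set()  # (function, source kind, sink kind)

    def run(self):  # re-analyze every function until no summary changes (fixpoint)
        while True:
            before = self._snapshot()
            for self.current, f in self.funcs.items():
                env = {a.arg: {("param", a.arg)} for a in f.args.args}  # local taint state
                for stmt in f.body:
                    self._stmt(stmt, env)
            if self._snapshot() == before:
                self.report = sorted(self.issues)
                return self

    def _snapshot(self):  # hashable view of all summaries, used to detect convergence
        return {n: (frozenset(s["returns"]), frozenset((p, frozenset(k)) for p, k in s["param_sinks"].items()))
                for n, s in self.summaries.items()}

    def _stmt(self, stmt, env):  # straight-line code only; if/for bodies are not descended into
        value = getattr(stmt, "value", None)  # Assign, Return and Expr statements all carry one
        taint = self._expr(value, env) if value is not None else set()
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            env[stmt.targets[0].id] = taint
        elif isinstance(stmt, ast.Return):  # parameter pass-through is not modeled
            self.summaries[self.current]["returns"] |= {l for l in taint if not isinstance(l, tuple)}

    def _expr(self, node, env):
        if isinstance(node, ast.Name):
            return set(env.get(node.id, ()))
        if isinstance(node, ast.Attribute) and dotted(node) in SOURCES:
            return {SOURCES[dotted(node)]}
        if isinstance(node, ast.Call):
            return self._call(node, env)
        return set().union(*(self._expr(c, env) for c in ast.iter_child_nodes(node)
                             if isinstance(c, ast.expr)))  # otherwise: union of sub-expressions

    def _call(self, node, env):
        callee = dotted(node.func)
        args = [self._expr(a, env) for a in node.args]  # positional arguments only
        if callee in SANITIZERS:
            return set()
        if callee in SINKS:
            for taint in args:
                self._reaches_sink(taint, SINKS[callee])
            return set()
        if callee in self.funcs:  # apply the callee's summary at this call site
            params = [a.arg for a in self.funcs[callee].args.args]
            for param, taint in zip(params, args):
                for sink in self.summaries[callee]["param_sinks"].get(param, ()):
                    self._reaches_sink(taint, sink)
            return set(self.summaries[callee]["returns"])
        return set().union(self._expr(node.func, env), *args)  # unknown call: receiver + argument taint

    def _reaches_sink(self, taint, sink):
        for label in taint:
            if isinstance(label, tuple):  # one of the current function's parameters
                self.summaries[self.current]["param_sinks"].setdefault(label[1], set()).add(sink)
            else:  # a real source reached a sink: report the flow
                self.issues.add((self.current, label, sink))

def analyze(source):  # parse a module's source text and return the analyzer with .report filled in
    return TaintAnalyzer(ast.parse(source)).run()

if __name__ == "__main__":
    for func, source, sink in analyze(SAMPLE).report:
        print(f"{func}: {source} flows into {sink}")
```

Running the file reports two flows, in redirect and in view. The one in view is only found in the second round, after run() has been summarized as sending its cmd parameter to os.system, which is the role the summaries and the iteration play. safe_view stays silent because shlex.quote is declared as a sanitizer; that declaration is a trust decision the analyst makes, and it is only correct for the sink it targets (quoting for a shell does nothing to make a redirect target safe).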

At Facebook, the analyzer is used to check the code of the Instagram service. During the first quarter of 2020, Pysa helped identify 44% of all issues found by Facebook engineers in the Instagram server-side codebase.

In the automated change-verification process using Pysa, 330 issues were found, of which 49 (15%) were assessed as significant and 131 (40%) were not dangerous. In 150 cases (45%) the reports were false positives.

The new analyzer is built as an addition to the Pyre type-checking toolkit and is hosted in Pyre's repository. The code is released under the MIT license.

Finally, if you want to know more about it, you can consult the details in the original post. The link is here.

