Trojan Source, an attack that lets code changes be added without the developer noticing

A few days ago, researchers at the University of Cambridge published a technique for covertly substituting malicious code into an application's source code.

The attack method, already catalogued as CVE-2021-42574, goes by the name Trojan Source and relies on forming text that looks one way to the compiler or interpreter and another way to the person reading the code.

About Trojan Source

The method relies on the use of special Unicode characters in code comments that change the display order of bidirectional text. With the help of these control characters, some parts of the text can be displayed from left to right and others from right to left.

In everyday work these control characters are used legitimately, for example to embed Hebrew or Arabic strings in a code file. However, if they are used to combine runs with different text directions on a single line, the parts of the text displayed right to left can overlay the ordinary text displayed left to right.

With this method, a malicious construct can be added to the code and then the text containing that construct is made invisible when the code is viewed: right-to-left characters are placed in a following comment or inside a literal, which causes entirely different characters to be displayed on top of the malicious insertion. Such code remains semantically valid, but it is interpreted and displayed differently.

"We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode direction override characters to display code as an anagram of its true logic. We have verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go and Python, and suspect that it will work against most other modern languages."

When reviewing code, the developer sees the visual order of the characters and therefore a harmless-looking comment in the text editor, web interface or IDE, but the compiler and interpreter work on the logical order of the characters and process the malicious code as written, regardless of the bidirectional text in the comment. Popular code editors (VS Code, Emacs, Atom) as well as the code-viewing interfaces of repository hosts (GitHub, GitLab, Bitbucket and all Atlassian products) are affected.

There are several ways the method can be used to carry out malicious actions: adding a hidden "return" that makes the function exit early; commenting out expressions that are normally treated as valid constructs (for example, to disable important checks); substituting other string values that cause string validation to fail.

A variant of the attack (CVE-2021-42694) was also presented. It uses homoglyphs: symbols that look identical but differ in meaning and have different Unicode code points. In some languages these characters can be used in function and variable names to mislead developers. For example, two functions with visually indistinguishable names can be defined that perform different actions. Without close analysis it is not immediately possible to tell which of the two functions is called at a particular place.
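The homoglyph variant can be caught with an identifier check of the kind compilers have since added. The following is an added example, not the researchers' code and not any compiler's lint: it tokenises Python source, flags identifiers whose letters come from more than one script, and groups identifiers that collapse to the same visible spelling once NFKC normalisation and a small confusable table are applied. The table is a hand-picked subset of Cyrillic and Greek lookalikes, an assumption for the demonstration rather than the full Unicode confusables data, and the sample source at the bottom is constructed.

```python
"""Flag identifiers a reader could confuse with one another.

Added example for the homoglyph variant (CVE-2021-42694); not the
researchers' code. CONFUSABLES is a small hand-picked subset, not the
full Unicode confusables.txt.
"""
import io
import tokenize
import unicodedata
from collections import defaultdict

# Partial confusables table: Cyrillic and Greek letters that render like
# ASCII letters in most monospace fonts (assumed subset for the example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o", "\u03bd": "v",
}


def identifiers(source):
    """All NAME tokens in the source, as the raw text the reader sees."""
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    return [tok.string for tok in tokens if tok.type == tokenize.NAME]


def script_of(ch):
    """Crude script name for a letter ('LATIN', 'CYRILLIC', ...), taken from
    the first word of its Unicode name; None for digits and underscores."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def skeleton(ident):
    """Collapse an identifier to its visible spelling. NFKC comes first
    because Python itself normalises identifiers that way, so U+FB01 'fi'
    ligature and the letters 'fi' are already the same name to the
    interpreter."""
    normalised = unicodedata.normalize("NFKC", ident)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def is_mixed_script(ident):
    """True when the identifier's letters come from more than one script."""
    return len({s for s in map(script_of, ident) if s}) > 1


def find_confusable_identifiers(source):
    """Return (groups, mixed): groups maps a skeleton to the sorted list of
    distinct spellings that collapse to it (only where more than one
    spelling exists); mixed is the sorted list of mixed-script identifiers."""
    by_skeleton = defaultdict(set)
    mixed = set()
    for ident in identifiers(source):
        by_skeleton[skeleton(ident)].add(ident)
        if is_mixed_script(ident):
            mixed.add(ident)
    groups = {k: sorted(v) for k, v in by_skeleton.items() if len(v) > 1}
    return groups, sorted(mixed)


# Constructed sample: the second definition spells its name with
# U+0430 CYRILLIC SMALL LETTER A, so both functions look identical.
SAMPLE = (
    "def hash_password(pw):\n"
    "    return sha256(pw)\n"
    "\n"
    "def h\u0430sh_password(pw):\n"
    "    return pw\n"
    "\n"
    "stored = h\u0430sh_password('hunter2')\n"
)

if __name__ == "__main__":
    groups, mixed = find_confusable_identifiers(SAMPLE)
    for visible, spellings in groups.items():
        print(f"identifiers that all display as {visible!r}:")
        for spelling in spellings:
            # namereplace shows non-ASCII letters as \N{...} escapes
            print("   ", spelling.encode("ascii", "namereplace").decode())
    print("mixed-script identifiers:", mixed)
```

Running the script on the sample reports one group of two spellings for `hash_password` and one mixed-script identifier; printing with `namereplace` makes the Cyrillic letter visible as an escape, which is the kind of output a review tool should show rather than the rendered glyph.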

As a protective measure, it is recommended that compilers, interpreters and build tools that accept Unicode characters emit an error or warning when comments, string literals or identifiers contain unpaired control characters that change the direction of the output. Such characters should also be explicitly prohibited in programming language specifications and must be taken into account by code editors and by interfaces for working with repositories.
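The check recommended above can be prototyped in a few dozen lines. The following is an added example, not code from the Cambridge researchers or from any of the compilers named on this page: it scans source text for the Unicode bidirectional control characters the attack relies on, reports each one with its line and column, flags lines on which an embedding or isolate is opened but never closed (the shape that lets a control character in a comment reorder the rest of the line), and renders a line with each control character made visible so a reviewer sees the logical order the compiler sees. The sample source at the bottom is constructed for the demonstration.

```python
"""Detect Unicode bidirectional control characters in source text.

Added example in the spirit of the compiler and repository warnings
recommended for Trojan Source (CVE-2021-42574); not the researchers' tool
nor any compiler's implementation.
"""

# Characters with the Unicode Bidi_Control property, by code point.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",   # embeddings
    "\u202d": "LRO", "\u202e": "RLO",                    # overrides
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",   # isolates
    "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",   # marks
}
EMBED_OPENERS = {"LRE", "RLE", "LRO", "RLO"}   # each must be closed by PDF
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}        # each must be closed by PDI


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control character.

    Lines and columns are 1-based; columns count code points, not bytes,
    so they match what an editor shows rather than the UTF-8 offset.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name:
                findings.append((lineno, col, name))
    return findings


def unterminated_lines(text):
    """Return line numbers on which an embedding/override or isolate is
    opened but not closed before the end of the line.

    A line break ends a bidi paragraph, so an unterminated opener silently
    scopes to the end of the line; that is what lets a control character
    placed in a comment reorder the code that follows it.
    """
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        embed = isolate = 0
        for ch in line:
            name = BIDI_CONTROLS.get(ch)
            if name in EMBED_OPENERS:
                embed += 1
            elif name == "PDF":
                embed = max(0, embed - 1)
            elif name in ISOLATE_OPENERS:
                isolate += 1
            elif name == "PDI":
                isolate = max(0, isolate - 1)
        if embed or isolate:
            bad.append(lineno)
    return bad


def reveal(line):
    """Return the line with each bidi control replaced by a visible <NAME>
    token, so the reader sees the logical order the compiler sees."""
    return "".join(f"<{BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
                   for ch in line)


def report(text):
    """Compiler-style diagnostics: one line per control character found
    (an error when its line is unterminated, otherwise a warning), then
    each unterminated line rendered with its controls made visible."""
    lines = text.splitlines()
    unterminated = set(unterminated_lines(text))
    out = []
    for lineno, col, name in find_bidi_controls(text):
        severity = "error" if lineno in unterminated else "warning"
        out.append(f"{severity}: line {lineno}, col {col}: bidi control {name}")
    for lineno in sorted(unterminated):
        out.append(f"  {lineno} | {reveal(lines[lineno - 1])}")
    return out


# Constructed sample: line 2 opens an isolate (RLI) inside a comment and
# never closes it; line 3 holds a properly balanced RLE...PDF pair around
# a short Hebrew word, the legitimate use the warning should still surface.
SAMPLE = (
    "def is_admin(user):\n"
    "    # access check \u2067 comment text\n"
    "    greeting = 'balanced \u202b\u05e9\u05dc\u05d5\u05dd\u202c run'\n"
    "    return user.role == 'admin'\n"
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Balanced pairs are still reported, as a warning rather than an error, because a reviewer should know the file contains them at all; the same character ranges can be matched by a pre-commit hook or a repository-side check so that such files are held for a human look before merge.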

In addition, fixes for the vulnerability have already been prepared for GCC, LLVM/Clang, Rust, Go, Python and binutils. GitHub, Bitbucket and Jira have also already prepared fixes, as has GitLab.

Finally, if you are interested in learning more about it, you can consult the details at the following link.
