On August 7, Facebook released Pysa, an open-source, security-focused static analyzer that helps it work with the millions of lines of Instagram code. The post covers the analyzer's limitations, the design decisions behind it and, of course, the means of avoiding false positives. It shows the situations in which Pysa is most useful and the code to which the analyzer cannot be applied. Details from the Facebook Engineering blog follow.
Last year we wrote about how we built Zoncolan, a static analysis tool that analyzes more than 100 million lines of Hack code and has helped engineers prevent thousands of potential security issues. That success influenced the work on Pysa, the Python Static Analyzer. The tool is built on top of Pyre, Facebook's type checker for Python. Pysa tracks the flow of data through code. Data-flow analysis is useful because many security and privacy issues can be modeled as data moving somewhere it should not be.
Pysa helps identify many kinds of problems. The analyzer checks whether code correctly uses certain internal frameworks that prevent access to, or exposure of, user data in accordance with technical privacy policies. It also detects common web application security issues such as XSS and SQL injection. Like Zoncolan, the new tool helps scale security efforts for Python applications, which applies especially to Instagram.
Pysa at Instagram
Facebook's largest Python repository is the Instagram server, with millions of lines of code. Running Pysa on a code change proposed by a developer yields results in about an hour, rather than the weeks or months a manual review would take. This helps find and prevent issues quickly, before they enter the codebase. Depending on the type of issue and the signal-to-noise ratio in a given situation, the results of a check are sent directly either to the developer or to a security engineer.
Pysa and open source
Pysa's source code and many of its issue definitions are published so that other developers can analyze the code of their own projects. Because we use open-source server-side frameworks such as Django and Tornado, from its very first runs inside Facebook Pysa was finding security issues in projects built on those frameworks. Using Pysa on a new repository or framework is usually as simple as adding a few lines of configuration: you need to tell the analyzer where data enters the server.
Pysa has been used to detect issues such as CVE-2019-19775 in open-source Python projects. We also collaborated with the Zulip project, which included Pysa in its codebase.
How it works
Pysa is designed around the lessons learned from Zoncolan. It uses the same algorithms to perform static analysis and shares code with Zoncolan. Like Zoncolan, Pysa follows the flow of data through a program. Users define the sources of sensitive data and the sinks where data ends up. In security applications, the most common kind of source is the point where user-controlled data enters the application, for example Django's HttpRequest.GET dictionary. Sinks are generally more varied and can include APIs that execute code, such as eval or os.open. Pysa runs the analysis repeatedly to build summaries, determining which functions return data from a source and which functions have parameters that eventually reach a sink. When the analyzer detects that a source ultimately connects to a sink, it reports an issue. A visualization of this process is a tree with the issue at the top and the source and sink at the leaves.
To perform interprocedural analysis (tracking data flow across function calls), function calls must be mapped to their implementations. Doing this requires using all the information available in the code, including optional static types where they exist. We rely on Pyre to obtain this information. Pysa depends heavily on Pyre, and both tools live in the same repository, but it is important to note that they are separate products with separate applications.
False positives
Security engineers are the main users of Pysa at Facebook. Like any other engineers who use automated bug-detection tools, they need to understand how to deal with false positives (a signal with no real issue) and false negatives (a real issue with no signal).
Pysa is designed to detect as many real issues as possible so that problems are not missed. However, reducing the number of missed issues may require accepting the tradeoff of more unnecessary signals. Too many false positives cause alert fatigue and carry the risk that real issues get lost in the noise. Pysa has two tools for removing unnecessary signals: sanitizers and features.
Sanitizers are a simple tool: they tell the analyzer to stop tracking a data flow once it has passed through a function or attribute. With sanitizers you can encode domain knowledge about transformations that always render data safe.
Features are more subtle. They are small pieces of metadata that Pysa attaches to a data flow as it tracks it. Unlike sanitizers, features never remove issues from the analysis results. Instead, they and other metadata can be used to filter the results after the analysis. Filters are typically written for a specific source-sink pair and ignore issues where the data has already been processed for one specific kind of sink (but not for all kinds).
To understand when Pysa is most useful, consider the following code, which loads a user's profile.
# views/user.py
async def get_profile(request: HttpRequest) -> HttpResponse:
    profile = load_profile(request.GET['user_id'])
    ...

# controller/user.py
async def load_profile(user_id: str):
    user = load_user(user_id)  # Loads a user safely; no SQL injection
    pictures = load_pictures(user.id)
    ...

# model/media.py
async def load_pictures(user_id: str):
    query = f"""
        SELECT *
        FROM pictures
        WHERE user_id = {user_id}
    """
    result = run_query(query)
    ...

# model/shared.py
async def run_query(query: str):
    connection = create_sql_connection()
    result = await connection.execute(query)
    ...
This code is safe as it stands: the potential SQL injection in load_pictures cannot be exploited, because user_id is validated by the load_user function inside load_profile. If Pysa is configured correctly, it will probably not report an issue here. Now imagine that a performance-minded engineer working on the controller-level code notices that the user record and the pictures could be fetched concurrently to return the result faster:
# controller/user.py
import asyncio

async def load_profile(user_id: str):
    user, pictures = await asyncio.gather(
        load_user(user_id),
        load_pictures(user_id)  # no longer 'user.id'!
    )
    ...
This change may look harmless, but in reality it connects the user-controlled string user_id to the SQL injection in load_pictures. In applications with many layers between the entry point and the database query, an engineer may not realize that the data is fully controlled by the user, or that an injection problem is hidden in a called function. This is exactly the situation the analyzer was created for. When an engineer proposed a similar change at Instagram, Pysa discovered that data was flowing from user-controlled input into a SQL query and reported the issue.
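As an added illustration of the summary-based source/sink/sanitizer analysis described above (this is example code, not part of the original article or of Pysa itself), the following toy analyzer hand-encodes both versions of load_profile as a tiny intermediate representation; the representation, and the assumption that load_user acts as a sanitizer, are constructed here for demonstration.

```python
# Statements: ("assign", var, expr) | ("sink", kind, var) | ("return", var)
# Expressions: ("param", idx) | ("source", label) | ("join", [vars]) | ("call", callee, [vars])
def program(gather_variant):  # hand-encoded facts for the two load_profile versions above
    pictures_arg = "user_id" if gather_variant else "user"  # raw user_id vs. user.id
    return {
        "get_profile": [("assign", "uid", ("source", "UserControlled")),  # request.GET[...]
                        ("assign", "profile", ("call", "load_profile", ["uid"]))],
        "load_profile": [("assign", "user_id", ("param", 0)),
                         ("assign", "user", ("call", "load_user", ["user_id"])),
                         ("assign", "pics", ("call", "load_pictures", [pictures_arg]))],
        "load_user": [("assign", "user_id", ("param", 0)), ("return", "user_id")],
        "load_pictures": [("assign", "user_id", ("param", 0)),
                          ("assign", "query", ("join", ["user_id"])),  # the f-string
                          ("assign", "res", ("call", "run_query", ["query"]))],
        "run_query": [("assign", "query", ("param", 0)), ("sink", "SQL", "query")]}

SANITIZERS = {"load_user"}  # assumption: the validated lookup returns clean data
def analyze(prog, sanitizers=SANITIZERS):
    """Return {(function, source, sink)}; summaries grow monotonically until stable."""
    summary, issues = {f: {"ret": set(), "sinks": {}} for f in prog}, set()
    def record(labels, kind, fname):  # taint labels reached a sink of `kind` inside fname
        for lab in labels:  # a label is "param:<index>" or "source:<name>"
            if lab.startswith("param:"):  # callers can reach the sink via that argument
                summary[fname]["sinks"].setdefault(int(lab[6:]), set()).add(kind)
            else:
                issues.add((fname, lab[7:], kind))  # a source reached a sink: report it
    def size():  # every set only grows, so an unchanged total means a fixpoint
        return len(issues) + sum(len(s["ret"]) + sum(map(len, s["sinks"].values())) for s in summary.values())
    before = -1
    while size() != before:
        before = size()
        for fname, body in prog.items():
            taint = {}  # var -> labels; flow-insensitive, repeated len(body) times to saturate
            for st in body * len(body):
                if st[0] == "sink":
                    record(taint.get(st[2], set()), st[1], fname)
                elif st[0] == "return":
                    summary[fname]["ret"] |= {int(l[6:]) for l in taint.get(st[1], set()) if l.startswith("param:")}
                elif st[2][0] in ("param", "source"):
                    taint.setdefault(st[1], set()).add(f"{st[2][0]}:{st[2][1]}")
                elif st[2][0] == "join":
                    taint.setdefault(st[1], set()).update(*(taint.get(v, set()) for v in st[2][1]))
                else:  # call: consult the callee's current summary
                    for i, a in enumerate(st[2][2]):
                        for kind in summary[st[2][1]]["sinks"].get(i, set()):
                            record(taint.get(a, set()), kind, fname)
                        if i in summary[st[2][1]]["ret"] and st[2][1] not in sanitizers:
                            taint.setdefault(st[1], set()).update(taint.get(a, set()))
    return issues
```

Only the asyncio.gather variant is reported; removing load_user from the sanitizer set makes the original version get flagged too, which is the knowledge a sanitizer model encodes for the analyzer.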
Limitations of the analyzer
It is impossible to build a perfect static analyzer. Pysa has limitations in scope, in data flow and in design decisions that reduce its precision and accuracy. Python, as a dynamic language, has peculiarities of its own that underlie some of these design decisions.
Problem space
Pysa is built to detect only those security issues that are tied to data flows. Not every security or privacy concern can be modeled as a data flow. Consider the example:
def admin_operation(request: HttpRequest):
    if not user_is_admin():
        return Http404
    delete_user(request.GET["user_to_delete"])
Pysa is not the right tool to guarantee that user_is_admin performs an authorization check before the privileged delete_user operation. The analyzer can detect data from request.GET reaching delete_user, but that data does not pass through the user_is_admin check. The code could be rewritten to fit the problem into Pysa's model by building the permission check into the delete_user admin operation itself. Nevertheless, this code illustrates a class of problems that Pysa does not solve.
Resource limits
We made design decisions about constraints so that Pysa can finish its analysis before a change proposed by a developer lands in the codebase. If the analyzer tracks data flowing into a very large number of attributes of an object, it may need to simplify and treat the whole object as containing that data. This can lead to false positives.
Another limit is development time, which forces tradeoffs about which Python features are supported. Pysa does not yet include decorators in the call graph when a function is called, so it skips issues inside decorators.
Python as a dynamic language
Python's flexibility makes static analysis difficult. Tracking a data flow through a method call with no type information is hard. In the code below it is impossible to tell which implementation of fly is being called:
class Bird:
    def fly(self): ...

class Airplane:
    def fly(self): ...

def take_off(x):
    x.fly()  # Which function does this call?
The analyzer works on projects that are not fully typed, but covering the important types takes little effort.
Python's dynamic nature imposes another limitation. See below:
import importlib

def secret_eval(request: HttpRequest):
    os = importlib.import_module("os")
    # Pysa won't know what 'os' is, and thus won't
    # catch this remote code execution issue
    os.system(request.GET["command"])
The code execution vulnerability here is plain to see, yet the analyzer skips it. The os module is imported dynamically, and Pysa does not understand that the local variable os actually refers to the os module. In Python almost any code can be imported dynamically at any time, and the language also lets you change the behaviour of function calls on almost any object. Pysa could be taught to analyze this os case and detect the issue, but Python's dynamism means there is an endless supply of data flows the analyzer does not recognize.
Results
In the first half of 2020, Pysa accounted for 44% of all issues detected at Instagram. Across all vulnerability types, it found 330 unique issues in proposed code changes. 49 (15%) of the issues were judged severe, and 131 (40%) were real but had mitigating circumstances. False positives were recorded in 150 (45%) of the cases.
We regularly review issues reported through other channels, for example the bug bounty program; this is how we make sure that false negatives get fixed. Detection of each vulnerability type is configurable, and through constant refinement security engineers have brought some types to the point where 100% of the reported issues are real.
Overall, we are satisfied with the tradeoffs made to help scale the work of security engineers, but there is always room for development. Pysa was built through close collaboration between security engineers and programmers to continuously improve code quality. This let us iterate quickly and build a tool that meets our needs better than the solutions available elsewhere. With input from engineers, additions and improvements have been made to Pysa; for example, the way issue traces are displayed was changed, making false positives easier to spot.
Documentation and tutorials for the Pysa analyzer.