Fixing the tar vulnerability (arbitrary file overwrite) reported in an Angular project

Summary

This article describes the tar vulnerability (arbitrary file overwrite) that was reported when creating a new Angular project, and how to fix it.

Angular CLI version

$ng version

     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/


Angular CLI: 7.3.8
Node: 10.8.0
OS: win32 x64
Angular: 7.2.14
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.13.8
@angular-devkit/build-angular     0.13.8
@angular-devkit/build-optimizer   0.13.8
@angular-devkit/build-webpack     0.13.8
@angular-devkit/core              7.3.8
@angular-devkit/schematics        7.3.8
@angular/cli                      7.3.8
@ngtools/webpack                  7.3.8
@schematics/angular               7.3.8
@schematics/update                0.13.8
rxjs                              6.3.3
typescript                        3.2.4
webpack                           4.29.0

When a new Angular project is created, a security vulnerability is reported.

Create a new project

$ng new hoge
? Would you like to add Angular routing? No
? Which stylesheet format would you like to use? CSS

A vulnerability is reported

found 1 high severity vulnerability

Check the vulnerability details

The details of the vulnerability can be viewed with npm audit. npm audit runs a security check on the installed packages and, if a vulnerability exists, prints a detailed report.

$npm audit

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Arbitrary File Overwrite                                      

  Package         tar                                                           

  Patched in      >=4.4.2                                                       

  Dependency of   @angular-devkit/build-angular [dev]                           

  Path            @angular-devkit/build-angular > node-sass > node-gyp > tar

  More info       https://nodesecurity.io/advisories/803

found 1 high severity vulnerability in 42611 scanned packages
  1 vulnerability requires manual review. See the full report for details.

In versions before 4.4.2, tar has a vulnerability that can lead to arbitrary files being overwritten. Upgrade tar to fix it.

Open node-gyp's package.json

node_modules\node-gyp\package.json

Upgrade the tar version

Before

"dependencies": {
  "tar": "^2.0.0"
},

After

"dependencies": {
  "tar": "^4.4.8"
},

Reinstall the packages

$npm install

Automatically fix package vulnerabilities

npm audit fix automatically fixes vulnerabilities in the installed packages.
For this vulnerability, node-gyp's package.json has to be edited by hand first (as above), and only then is npm audit fix run.

$npm audit fix

Confirm the vulnerability is resolved

Running the security check again confirms that the vulnerability has been resolved.

$npm audit

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 42604 scanned packages
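To check the same thing without reading the report by eye, the following script (an added example, not part of the original article) parses the advisory block that npm audit prints, follows its "Path" through `npm ls --json` output to the tar version that is actually installed, and compares that with the "Patched in" range. The report text and the two dependency trees are constructed sample data, and only the ">=x.y.z" range form shown above is handled.

```javascript
// Added example, not part of the original article: parse one advisory block of
// npm audit's text report, follow its "Path" through `npm ls --json` output to
// the installed version, and test it against a ">=x.y.z" "Patched in" range
// (the only form handled). REPORT and both dependency trees are constructed.
function parseAuditReport(text) {
  // Lines of the block look like "  Package         tar": label, spaces, value.
  const field = (label) => {
    const m = text.match(new RegExp('^\\s*' + label + '\\s{2,}(.+?)\\s*$', 'm'));
    return m ? m[1] : null;
  };
  const path = (field('Path') || '').split(' > ').filter(Boolean);
  return { package: field('Package'), patchedIn: field('Patched in'), path };
}
// Numeric major.minor.patch compare (string order would put "4.10.0" < "4.4.2").
function compareVersions(a, b) {
  const num = (v) => v.replace(/^[\^~v]/, '').split('-')[0].split('.').map(Number);
  const [pa, pb] = [num(a), num(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Walk the path through nested `dependencies` objects (the `npm ls --json`
// shape); null when the reported chain is not installed.
function versionAlongPath(tree, depPath) {
  let node = tree;
  for (const name of depPath) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node.version || null;
}
// Which package, what is installed along the reported path, and is it patched.
function checkAdvisory(reportText, tree) {
  const adv = parseAuditReport(reportText);
  const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(adv.patchedIn || '');
  if (!m) throw new Error('unsupported range: ' + adv.patchedIn);
  const installed = versionAlongPath(tree, adv.path);
  const patched = installed !== null && compareVersions(installed, m[1]) >= 0;
  return { package: adv.package, installed, patched };
}
const REPORT = ['  High            Arbitrary File Overwrite', '  Package         tar',
  '  Patched in      >=4.4.2',
  '  Path            @angular-devkit/build-angular > node-sass > node-gyp > tar'].join('\n');
// Constructed trees with tar 2.2.2 (before the package.json edit) and 4.4.8 (after).
const treeWith = (tar) => ({ dependencies: { '@angular-devkit/build-angular': { version: '0.13.8',
  dependencies: { 'node-sass': { version: '0.0.0-sample', dependencies: { 'node-gyp': {
    version: '0.0.0-sample', dependencies: { tar: { version: tar } } } } } } } } });
console.log(checkAdvisory(REPORT, treeWith('2.2.2')), checkAdvisory(REPORT, treeWith('4.4.8')));
```

On a real project, replace the constructed tree with the parsed output of `npm ls --json`; a null `installed` means the chain the advisory names is no longer present at all.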


For this fix we followed the solution in this Stack Overflow thread.
https://stackoverflow.com/questions/55635378/npm-audit-arbitrary-file-overwrite
