FixVibe
Covered by FixVibe | medium

Next.js Security Header Misconfiguration in next.config.js

Self-hosted Next.js applications that rely on next.config.js for security headers are prone to gaps when the route patterns are configured poorly. This research examines how typos and regex mistakes cause security headers to be missing on important routes, and how to harden the configuration.

CWE-1021, CWE-200

Impact

Missing key security headers can be exploited for clickjacking, cross-site scripting (XSS), or gathering information about the server environment [S2]. When headers such as Content-Security-Policy (CSP) or X-Frame-Options are applied inconsistently across routes, attackers can target the specific unprotected routes to bypass the security controls.

Root Cause

Next.js lets developers set response headers in next.config.js through the headers property [S2]. This configuration uses path matching that supports wildcards and regular expressions [S2]. Security issues typically arise from:

  • Incomplete Path Patterns: A wildcard pattern (e.g., /path*) may not cover all intended routes, leaving some pages without security headers [S2].
  • Information Disclosure: By default, Next.js may include the X-Powered-By header, which reveals the framework in use unless it is explicitly disabled via the poweredByHeader setting.
  • CORS Misconfiguration: Defining Access-Control-Allow-Origin incorrectly in the headers array can allow unauthorized cross-origin access to sensitive data.


Concrete Fixes

  • Audit Route Patterns: Ensure that every source pattern in next.config.js uses the appropriate wildcard (e.g., /:path*) so headers are applied globally where that is intended.
  • Disable Fingerprinting: Set poweredByHeader: false in next.config.js to stop the X-Powered-By header from being sent [S2].
  • Restrict CORS: Set Access-Control-Allow-Origin to specific trusted domains rather than a wildcard in the headers configuration [S2].
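The three root causes above and the three fixes, shown side by side as an added example (this is not FixVibe's or Next.js's own code): a weak next.config.js beside a hardened one, plus a small audit helper of the kind a scanner would apply to a list of discovered routes. The `sourceToRegex` conversion, the route list and the `https://app.example.com` origin are assumptions constructed for the example.

```javascript
// sourceToRegex below is a simplified approximation of Next.js path matching
// (assumption): it handles literal paths, ":name" and ":name*" only.
const SECURITY_HEADERS = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'none'" },
];
// Weak: the literal /dashboard source misses nested pages, X-Powered-By is
// left at its default (sent), and CORS is opened to every origin.
const WEAK_RULES = [
  { source: "/dashboard", headers: SECURITY_HEADERS },
  { source: "/api/:path*", headers: [{ key: "Access-Control-Allow-Origin", value: "*" }] },
];
const weakConfig = { async headers() { return WEAK_RULES; } };

// Hardened: /:path* covers every route, fingerprinting is disabled, and CORS
// is pinned to one trusted origin (placeholder domain).
const HARDENED_RULES = [
  { source: "/:path*", headers: SECURITY_HEADERS },
  { source: "/api/:path*", headers: [{ key: "Access-Control-Allow-Origin", value: "https://app.example.com" }] },
];
const hardenedConfig = { poweredByHeader: false, async headers() { return HARDENED_RULES; } };

// ":name*" matches zero or more path segments, ":name" exactly one segment.
function sourceToRegex(source) {
  const body = source
    .replace(/\/:[A-Za-z0-9_]+\*/g, "(?:/.*)?")
    .replace(/:[A-Za-z0-9_]+/g, "[^/]+");
  return new RegExp("^" + body + "/?$");
}

// Routes in `routes` that no rule carrying `headerKey` would match.
function routesMissingHeader(rules, routes, headerKey) {
  const covering = rules
    .filter((r) => r.headers.some((h) => h.key === headerKey))
    .map((r) => sourceToRegex(r.source));
  return routes.filter((route) => !covering.some((re) => re.test(route)));
}

// The three findings the text describes, for one config and its rules.
function auditConfig(config, rules, routes) {
  return {
    poweredByExposed: config.poweredByHeader !== false,
    wildcardCorsSources: rules
      .filter((r) => r.headers.some((h) => h.key === "Access-Control-Allow-Origin" && h.value === "*"))
      .map((r) => r.source),
    missingCsp: routesMissingHeader(rules, routes, "Content-Security-Policy"),
  };
}
// Constructed sample route list, as a crawler might discover it.
const SAMPLE_ROUTES = ["/", "/dashboard", "/dashboard/settings", "/api/users"];
```

Running `auditConfig(weakConfig, WEAK_RULES, SAMPLE_ROUTES)` reports the root page, the nested dashboard page and the API route as lacking CSP, while the hardened config reports none.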

How FixVibe Tests for It

FixVibe can perform gated active scanning by crawling the application and comparing the security headers returned by different routes. By analyzing the X-Powered-By header and the consistency of Content-Security-Policy across routes at different depths, FixVibe can identify configuration gaps in next.config.js.