FixVibe
Covered by FixVibe (severity: high)

CORS Misconfiguration: The Dangers of Overly Permissive Policies

Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). Although it is necessary for modern web applications, improper use, such as reflecting the requester's Origin header or trusting the 'null' origin, can allow malicious sites to exfiltrate a user's private data.

CWE-942

Impact

An attacker can steal sensitive, authenticated data from users of the vulnerable application [S2]. If a user visits a malicious website while logged into the vulnerable application, the malicious site can make cross-origin requests to the application's API and read the responses [S1][S2]. This can lead to the theft of confidential information, including user profiles, CSRF tokens, or private messages [S2].

Root cause

CORS is an HTTP-header-based mechanism that lets servers specify which origins (scheme, domain, and port) are permitted to load their resources [S1]. The vulnerability typically arises when the server's CORS policy is too flexible or is implemented incorrectly [S2]:

  • Reflected Origin header: Some servers read the Origin header from the client request and echo it back in the Access-Control-Allow-Origin (ACAO) response header [S2]. This effectively allows any website to access the resource [S2].
  • Misconfigured wildcards: Although the * wildcard allows any origin to access the resource, it cannot be used for requests that require credentials (such as cookies or Authorization headers) [S3]. Developers often try to work around this by generating the ACAO header dynamically from the request [S2].
  • Trusting 'null': Some applications trust the null origin, which can be produced by redirected requests or local files, allowing malicious sites to spoof the null origin in order to gain access.
  • Parsing errors: Mistakes in the regex or string matching used to validate the Origin header can allow attackers to use domains such as trusted-domain.com.attacker.com [S2].

It is important to note that CORS is not a defence against Cross-Site Request Forgery (CSRF) [S2].

Concrete fix

  • Use a strict allowlist: Avoid generating the Access-Control-Allow-Origin header dynamically from the request's Origin header [S2]. Instead, compare the request origin against a hard-coded list of trusted domains [S3].
  • Avoid the 'null' origin: Never include null in your allowlist of permitted origins [S2].
  • Limit credentials: Only set Access-Control-Allow-Credentials: true when it is required for a specific origin [S3].
  • Use proper validation: If you must support multiple origins, make sure the validation logic for the Origin header is strict and cannot be bypassed by subdomains or look-alike domains [S2].
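The following is an added example, not FixVibe's code and not taken from the sources cited above. It places the two weak patterns from the root-cause list (an echoed Origin and a substring match) beside a strict allowlist check that satisfies all four remediation points: exact-match allowlist, 'null' rejected, credentials only for allowlisted origins, and look-alike or subdomain-suffix origins refused. The origin values are constructed sample data; the functions are pure so they can be exercised without a running server.

```javascript
// Added example (not FixVibe's code): weak Origin handling beside a strict allowlist.
// TRUSTED_ORIGINS holds constructed sample values; replace with your real origins.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak pattern 1: reflect whatever Origin the request carries and allow credentials.
// Any site can now read authenticated responses from this API.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Weak pattern 2: substring match on the trusted domain.
// "https://example.com.attacker.test" and "https://evilexample.com" both pass.
function weakSuffixCheck(requestOrigin) {
  return typeof requestOrigin === "string" && requestOrigin.includes("example.com");
}

// Strict check: parse the Origin as a URL and compare its normalised origin
// (scheme + host + port) against the allowlist. "null", unparsable values,
// subdomain-suffix tricks and look-alike hosts all fail the exact match.
function originAllowed(requestOrigin) {
  if (typeof requestOrigin !== "string" || requestOrigin === "null") return false;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return false;
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Strict headers: emit CORS headers only for an allowlisted origin, echo the
// normalised origin (never the raw header), and set Vary so a shared cache
// cannot serve one origin's ACAO value to another.
function strictCorsHeaders(requestOrigin) {
  if (!originAllowed(requestOrigin)) return {}; // no headers: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": new URL(requestOrigin).origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

module.exports = { weakCorsHeaders, weakSuffixCheck, originAllowed, strictCorsHeaders };
```

Returning an empty object for an unknown origin is deliberate: a missing Access-Control-Allow-Origin header is the browser's signal to block the cross-origin read, so there is no need to emit a "deny" value, and omitting the header avoids leaking the allowlist.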

How FixVibe tests for it

FixVibe now includes this as a gated active check. After domain verification, active.cors sends requests to the API carrying a synthetic attacker origin and inspects the CORS response headers. It reports reflected origins, credentialed wildcard CORS, and overly open CORS on non-public API endpoints, while avoiding noise on public assets.
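As an added illustration of the kind of classification such a check performs (this is example code, not FixVibe's active.cors), the function below takes the Origin value sent in a probe and the headers that came back, and labels the response as a reflected origin, a credentialed wildcard, a trusted 'null' origin, or open CORS on a non-asset path. The probe origin, the asset-path filter and the sample responses are all constructed for this example; the finding names are this example's own, not FixVibe's.

```javascript
// Added example (not FixVibe's active.cors): classify CORS response headers
// returned for a probe request that carried a synthetic attacker Origin.

// Constructed probe origin; the .invalid TLD is reserved and never resolves.
const PROBE_ORIGIN = "https://attacker-probe.invalid";

// Constructed heuristic: static assets are expected to be world-readable,
// so a bare "*" on them is not reported (this is where a scanner avoids noise).
function isPublicAsset(path) {
  return /\.(js|css|map|png|jpg|jpeg|gif|svg|ico|woff2?)$/i.test(path);
}

// headers: response header names lowercased -> value (as most HTTP clients expose them).
function classifyCors(probeOrigin, headers, path = "/") {
  const acao = headers["access-control-allow-origin"];
  const credentialed =
    String(headers["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const findings = [];

  // No ACAO header at all: the browser blocks cross-origin reads, nothing to report.
  if (acao === undefined) return findings;

  // The server echoed our arbitrary origin back; with credentials this exposes
  // authenticated responses to any site.
  if (acao === probeOrigin) {
    findings.push(credentialed ? "reflected-origin-with-credentials" : "reflected-origin");
  }

  // Browsers reject "*" combined with credentials, but emitting it shows the
  // server intends to allow credentialed access from anywhere.
  if (acao === "*" && credentialed) findings.push("wildcard-with-credentials");

  // "null" in the allowlist is reachable from sandboxed or file: contexts.
  if (acao === "null") findings.push("null-origin-trusted");

  // A bare wildcard is fine on public assets but questionable on API routes.
  if (acao === "*" && !credentialed && !isPublicAsset(path)) findings.push("open-cors-on-api");

  return findings;
}

// Constructed sample responses, as a client library might hand them back.
const SAMPLE_RESPONSES = [
  { path: "/api/me", headers: { "access-control-allow-origin": PROBE_ORIGIN, "access-control-allow-credentials": "true" } },
  { path: "/api/orders", headers: { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" } },
  { path: "/static/app.js", headers: { "access-control-allow-origin": "*" } },
  { path: "/api/health", headers: {} },
];

function scanAll(responses, probeOrigin = PROBE_ORIGIN) {
  return responses.map((r) => ({
    path: r.path,
    findings: classifyCors(probeOrigin, r.headers, r.path),
  }));
}

module.exports = { PROBE_ORIGIN, isPublicAsset, classifyCors, scanAll, SAMPLE_RESPONSES };
```

A second probe with the literal Origin value `null` is what surfaces the 'null' case: a server that trusts it will answer with `Access-Control-Allow-Origin: null`, which the classifier flags regardless of whether that value was reflected or hard-coded.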