Search
Dolt 是一個 SQL 資料庫,你可以像 git repositroy 一樣進行 fork、clone、開branch、合併、推送和 pull request。就像任何 MySQL 資料庫一樣連線到Dolt,使用 SQL 命令執行查詢或更新資料。使用命令列介面匯入 CSV 檔案,提交你的更改,將它們推送到遠端,或者合併你的同事修改。
🔥 udemy coupon code 已經更新 http://bit.ly/2O0wbOm 最低價 NT330 起
https://softnshare.com/opensource-dolt/
分析 npm 或 yarn lockfile 檢測安全問題
Lockfiles 被用作資源清單的受信任白名單,從中獲取套件。 然而追蹤到 lockfile 中的修改並不是一項簡單的任務,因為它們是為機器使用而設計的。
如果有人建立了一個 Pull Request 並且偷偷地使用一個惡意的資源套件來替換一個真正的程式庫,會發生什麼事呢?
檢查你的 lockfile ,以確保它們符合預先定義的安全策略,並減輕這種安全漏洞攻擊。
✍看更多開源資訊介紹,歡迎加入 Discord Github 俱樂部 https://discord.gg/DGR7uDqSSW
https://github.com/lirantal/lockfile-lint
本篇文章探討的也是資安系列問題,而這次的目標主角則是 MAC 系統上廣為流傳的 Homebrew 系統。
結論:
作者透過觀察 Homebrew 的 Github Action 流程,成功得上傳一個會列印一行的程式碼到 iterm2 套件中,讓所有安裝的使用者都會於 Terminal 上看到一行作者客製化的訊息。
本次的漏洞是作者刻意從 Homebrew 的 Vulnerability Disclosure Program 專案中去嘗試尋找可能的問題,所有的操作都有跟官方專案的人探討過流程,並且一切的 PoC 都是單純證明該攻擊的可行性,所以有興趣研究的人請遵循一樣的想法去做,不要認真的想攻擊。
原因:
1. Homebrew 透過 Github Action 執行 CI/CD 動作
2. Homebrew 撰寫了一個自動合併 Pull Request 的 Action
3. CI 內會透過一個Ruby的 Git Diff 第三方函式庫來驗證,只要符合下列條件就可以自動合併
- Modifying only 1 file
- Not moving/creating/deleting file
- Target filepath matches \ACasks/[^/]+\.rb\Z
- Line count of deletions/additions are same
- All deletions/additions matches /\A[+-]\s*version "([^"]+)"\Z/ or - -\A[+-]\s*sha256 "[0-9a-f]{64}"\Z
- No changes to format of versions (e.g. 1.2.3 => 2.3.4)
作者一開始想要從該規則下手,找尋有沒有可能塞入惡意攻擊並且騙過系統讓其自動合併,然而這些規則看起來沒有什麼太多問題,於是作者轉往其他領域去找尋問題,其中一個想法就是到底該 Ruby 的 Git Diff 是如何實作,也許從實作下手更有辦法去欺騙這一切。
很順利的是,作者真的於該函式庫中找到問題,對於一個 Git Diff 的結果來說,該函式庫會透過 +++ "?b/(.*) 這樣的正規表達式來判別檔案路徑的資訊而並非程式修改內容,譬如下列 diff
```
diff --git a/source file path b/destination file path
index parent commit hash..current commit hash filemode
--- a/source file path
+++ b/destination file path
@@ line information @@
Details of changes (e.g.: `+asdf`,`-zxcv`)
```
作者就開始思考,如果讓程式碼可以符合 +++ "?b/(.*) 的規則,是否有辦法讓程式碼不被視為一個檔案的修改,因此就可以修改多行程式碼但是讓 CI 系統認為只有一行程式碼於是進行自動合併
作者最初的想法如下,第一行用來放惡意程式碼,第二行用來偽裝檔案路徑,經過一番嘗試後作者真的成功塞入了類似 PRINTF 的程式碼到環境中並觸發自動合併。接者各地使用者透過 brew 安裝 iterm 版本都會看到使用者塞入的程式碼。
```
++ "b/#{Arbitrary codes here}"
++ b/Casks/cask.rb
```
原文還有更多作者的思路過程,有興趣的不要錯過
原文:
https://blog.ryotak.me/post/homebrew-security-incident-en/#fn:7
測試用PR:
https://github.com/Homebrew/homebrew-cask/pull/104191
OPEN ME!!!
Hai guys! Terima Kasih untuk menonton! Jangan lupa intuí tekan butan loceng supaya tak terlepas apa-apa video okay.
SHOPEE CASING RM1
1. REST RABBIT SOFT CASE : https://bit.ly/2FhQqH9
2. TOMATO SOFT CASE : https://bit.ly/30Pbmxn
3. CUTE CARTOON : https://bit.ly/33Sz6T9
4. SHIN CHAN SOFT CASE : https://bit.ly/3kDIb8A
5. MONSTER SOFT CASE : https://bit.ly/3aiyW99
6. ANGER BEAR : https://bit.ly/2Fknu1n
7. PUSH PULL GOGGLES : https://bit.ly/3kB9tfz
8. SULLEY :https://bit.ly/33QMmb3
9. CUTE GIRL :https://bit.ly/3gUmrD2
10. BABY DINOSAUR: https://bit.ly/344d8gr
Teruskan Support aina dengan hashtag #ainafam #ainamaisara Sayang Hampa?❤️
Terima kasih menonton ya! Jangan lupa plak untuk video seterusnya?❤️?
Ada request video? Komen down below?❤️
----------------------------------------------------------------------------------------------------------
❤️ ?Click Down Below All Aina Equipment RECORDING :
❤️LAZADA
1. IPHONE 11 MAX PRO : https://bit.ly/33bJoOe
2. Sony Alpha a7 II: https://bit.ly/3jQHBUF
3. Gopro Hero 7 Black: https://bit.ly/2EB5CPl
4. BOYA : https://bit.ly/3393Izy
5. Rode Video Mic: https://bit.ly/3gpZC9S
6. BOYA BY-A7H : https://bit.ly/2BO3cfe
7. Andoer Studio Photo Lighting Kit: https://bit.ly/3fkOOsE
8. Ring Light with 160CM Tripod Stand Phone Holder Selfie Ring Light : https://bit.ly/311FWTt
9. Apple 10.5-inch iPad Air: https://bit.ly/2CTjYdr
10. Apple 13-inch MacBook Air: : https://bit.ly/3ffrOLw
❤️SHOPEE
1. Iphone 11 pro Max : https://bit.ly/39NcHYv
2. Sony alpha A7II: https://bit.ly/33aRTJ6
3. Go Pro Hero 7Black : https://bit.ly/3jSeAHX
4. Boya Mic : https://bit.ly/33mSEiD
5. Rode Mic : https://bit.ly/3hKBb7s
6. Boya By-A7H : https://bit.ly/337HhuE
7. Lighting Kit : https://bit.ly/2P5KLWm
8. Ring Light: https://bit.ly/39IdR7F
9. Apple iPad Air 2019: https://bit.ly/39F9Q3T
10. MacBook Air 2017 : https://bit.ly/39Fahv3
?Click Down Below All my media Social, Let's TALK WITH ME?
?Instagram Shop Aina : https://www.instagram.com/amb.hq/ (@amb.hq)
?Instagram :: https://www.instagram.com/amainamaisara/ (@amainamaisara)
⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯
Let's get this video to 150 THUMBS UP!!
Let's get my YouTube Channel to 58 090
SUBLINES!
Current Sublines: 60 000
⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯
THANKS FOR WATCHING!!!
⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯⋯
Sau khi nhận được rất nhiều request của mọi người mình đã hoàn thành xong video summer lookbook rồi đây!!!
?PURPLE LOOKBOOK - Phối 5 Outfits Với Màu Tím Hot Trend https://youtu.be/kj5zFOiMB1Y
?Shopee Fashion Haul - 7 Shop QUẦN ÁO , VÁY ĐẦM Giá Dưới 250k https://youtu.be/91SDnM8_uuU
? MILKY PEACH MAKEUP Tutorial https://bit.ly/3ci3oQY
?SWATCH & REVIEW SON GIÁ DƯỚI 300K https://bit.ly/39YuxYj
**PRODUCTS**
Height: 160cm | Weight: 45kg
Size: S or M
Outfit 1
Top | ZARA
Pants | Rubies https://www.instagram.com/rubies.sg/
Belt | Stradivarius
Necklace | Boo Storie https://bit.ly/3dEbFiN
Earrings | H&M
Heels | The Basic Cloud https://www.instagram.com/thebasic.cloud/
Outfit 2
Dress | Clothes Bar https://www.instagram.com/clothesbar.vn/
Shirt | Libé https://www.instagram.com/libeworkshop/
Accessories | Boo Storie https://bit.ly/3dEbFiN
Boots | Noemie https://www.instagram.com/noemie.xls/
Handbag | Con Meo Den Tailor https://bit.ly/3dFNJvo
Outfit 3
Top | Libé https://www.instagram.com/libeworkshop/
Skirt | Libé https://www.instagram.com/libeworkshop/
Necklace | Boo Storie https://bit.ly/3dEbFiN
Heels | The Basic Cloud https://www.instagram.com/thebasic.cloud/
Handbag | Con Meo Den Tailor https://bit.ly/3dFNJvo
Outfit 4
Top | Janet Studio https://www.instagram.com/janet.studio/
Jeans | Pull n Bear
Accessories | Boo Storie https://bit.ly/3dEbFiN
Heels | The Basic Cloud https://www.instagram.com/thebasic.cloud/
Handbag | NGAOS https://bit.ly/2XBfnE5
Outfit 5
Lace Top + Cardigan | Janet Studio https://www.instagram.com/janet.studio/
Pants | H&M
Accessories | Boo Storie https://bit.ly/3dEbFiN
Heels | The Basic Cloud https://www.instagram.com/thebasic.cloud/
Tote Bag | Linlin Canvas https://www.instagram.com/linlincanvas/
**FOLLOW US**
_Instagram_
@tinthehyper - https://www.instagram.com/tinthehyper/
@adriedrose - https://www.instagram.com/adriedrose/
_Facebook_
https://www.facebook.com/peachncoffee/
**FAQ
- Camera: Sony A6400
- Phần mềm edit: Adobe Premiere CC 2019
- Music:
Music by HOAX - Beach House - https://thmatc.co/?l=6651202C
Music by HOAX - Moon Moon Baby - https://thmatc.co/?l=64512776
Hãy like & subscribe để đón xem các clip mới từ tụi mình nha!
--------------------------------------------------------------
© Bản quyền thuộc về Peach n Coffee
© Copyright by Peach n Coffee ☞ Do not Reup
Một video chia sẻ những món tui yêu nhứt tháng 10 tèn tennn. Kiểu lâu rùi mới ngồi trước máy quay lại cảm thấy tăng động thiệt nhìu =)))). Với cả là AP có mua vlog camera mới đóooo, cả nhà muốn AP mần gì AP nhận order nhaa :*
Kem nền đáng mến! | OCTOBER FAVES | Letsplaymakeup
https://youtu.be/HyP2SAgnyrY
Sản phẩm dùng trong video,
Hada Labo Cleansing Oil: http://ho.lazada.vn/SHX3Qz
Hiruscar Post Acne: http://ho.lazada.vn/SHWh8S
Lancome Energie de Vie Eye Gel
Dior Forever Perfect Foundation màu 021
Nars Soft Matte Complete Concealer màu Custard
Innisfree My Palette bé
Jouer Long Wear Lip Cream màu Noisette
Một số thông tin khác,
AP quên mất k lồng vào video là mìg thích GIỌNG ẢI GIỌNG AI lắmmm =))). Mới coi gần đây mà cảm thấy đam mê thật nhìu!!!
Máy vlog camera mình mới mua là Canon G7x Mark II nhaa
Áo Libé
Mũ nồi @mignonne.inc
Bông tai Pull& Bear
Quay tại phòng nên ánh sáng hơi tối tăm chút huhuhuhu chế phương ngàn lần xin lỗi :((((
Quay bằng Canon 6D
Edit bằng Final Cut Pro
Nhạc intro Spring in my step
Disclaimer: Các sản phẩm Hada Labo, Hiruscar Post Acne, Lancome, Innisfree được gửi đến cho mình dùng thử. ĐƯƠNG NHIÊN TÍNH MÌNH CÓ SAO NOI ZẬY, REVIEW CỦA TUI THIỆT THÀ CHÂN CHẤT TADAA!
Cảm ơn các chế nhìuuuuu. Hii được mọi ng xem video xog còn đọc đến đây nữa làm tui rất sướngg :*. Đừng quên request chủ đề video cho thím Phương nhaaa :3
—————————————
Mình hiện diện ở khắp mọi nơi,
Instagram: @letsplaymakeup
Facebook: @letsplaymakeupchannel
Snapchat: anphuong.lpmu
Email: letsplaymakeupchannel@gmail.com
—————————————
Pull requests let you tell others about changes you've pushed to a branch in a repository on GitHub. Once a pull request is opened, you can discuss and ... ... <看更多>
為什麼要提交一個 PR (Pull Request)?. 當開發者完成一個功能時,亦即,在一般情況下,開發者在一個他專屬的分支上進行功能開發,然後完成該功能。 ... <看更多>
pull request 在 與其它開發者的互動- 使用Pull Request(PR) - 為你自己學Git 的推薦與評價
原作者看完後說「我覺得可以」,然後就決定把你做的這些修改合併(Merge)到他的專案裡。 其中,第4 步的那個「通知」,就是發一個請原作來拉回去(Pull)的請求(Request ... ... <看更多>