嗯,用户让我帮忙总结一下这篇文章的内容,控制在100字以内,而且不需要特定的开头。首先,我得仔细阅读文章内容,理解主要观点。 文章主要讲的是作者在分析Spark AR的时候发现了一个安全问题。他提到可以安装来自AR库的包,但只有经过验证的作者才能发布包。接着,他安装了一个包并导出为.arexport文件,用7zip打开后发现了一个内部文件夹和一个kitchensink.zip文件,里面包含package.json。这可能意味着存在潜在的安全风险。 接下来,我需要将这些信息浓缩到100字以内。要抓住关键点:Spark AR的安全分析、安装包的过程、发现内部文件夹和kitchensink.zip的内容及其可能的安全隐患。 确保语言简洁明了,不使用复杂的术语。同时,避免使用“文章内容总结”之类的开头词,直接描述内容。 最后检查字数是否符合要求,并确保信息准确传达。 </think> 文章描述了作者在分析Spark AR时发现的安全问题:通过安装AR库中的包并导出为.arexport文件后,发现内部包含名为"kitchensink.zip"的文件夹和package.json文件,暗示可能存在潜在安全风险。 2026-2-10 18:11:28 Author: infosecwriteups.com(查看原文) 阅读量:0 收藏
Press enter or click to view image in full size
I highly recommend that you read my previous Spark AR write up, while the two bugs are not related, the other post contains more information about how spark AR works and the methodology I follow to analyze Spark AR for vulnerabilities, with that said let’s begin.
While looking at Spark AR studio, I noticed a feature that allows installing packages from AR library (an online library for spark AR packages), my first instinct was trying to publish a package and investigate how that works, however, it turns out only verified authors are allowed to publish packages, this is usually an indicator that some level of trust is given to those packages.
So instead of publishing my own package, I went to the second option, I installed one of the available packages and I saved the project as “.arexport” file, then I opened it using 7zip (.arexport files are just zip file containing the project files).
When I opened the file, something immediately caught my eye, there was a new folder added to the archive named “internal”, the name is very interesting, and inside that folder there was a zip file named “kitchensink.zip” which is also an interesting name.
I opened the “kitchensink.zip” file and found that it contains package.json which is usually a file used to describe node…
如有侵权请联系:admin#unsafe.sh