# Vulnerability Summary

## Overview

- **Vulnerability ID**: CVE-2026-32148
- **Description**: Checksum verification of `mix.lock` entries is silently skipped because of a type mismatch. In the pattern match, an atom-based package name is compared against string-based lock data, so the match never succeeds and the checksum check is never carried out.
- **Fix commit**: Commit d7528c8

## Scope

- **Affected file**: `lib/hex/remote_converger.ex`
- **Affected functions**: `verify_deps/4` and `verify_deps/5`

## Fix

- **Fixed file**: `lib/hex/remote_converger.ex`
- **Change**:
  - In `verify_deps/4` and `verify_deps/5`, convert the atom-based name to a string-based name so that checksum verification is actually performed.
  - The change, as summarized here:

```elixir
# Before
case Hex.Util.lock[lock[atom_to_string(app)]] do
  %{name: atom_name, version: version, repo: repo} = lock ->
    %{name: atom_name, version: version, repo: repo} = lock
end

# After
case Hex.Util.lock[lock[String.to_atom(app)]] do
  %{name: atom_name, version: version, repo: repo} = lock ->
    %{name: atom_name, version: version, repo: repo} = lock
end
```

## POC

- **Test file**: `test/hex/remote_converger_test.exs`
- **Test**:
  - The test case `test "raises an checksum mismatch in mix.lock" do` verifies that checksum verification works after the fix.
  - The test code:

```elixir
test "raises an checksum mismatch in mix.lock" do
  in_tmp(fn ->
    Mix.Project.push(ChecksumIntegrity.MixProject)

    # First, get dependencies normally to create a valid lock file
    :ok = Mix.Tasks.Deps.Get.run([])

    # Read the lock file
    lock = Mix.Dep.Lock.read()

    {:hex, name, version, inner_checksum, managers, deps, repo, outer_checksum} = lock[:ex_doc]

    # Corrupt the inner (registry) checksum and expect deps.get to refuse the lock
    assert_checksum_mismatch(%{
      ex_doc: {:hex, name, version, invalid_checksum(inner_checksum), managers, deps, repo, outer_checksum}
    })

    # Corrupt the outer (tarball) checksum and expect the same refusal
    assert_checksum_mismatch(%{
      ex_doc: {:hex, name, version, inner_checksum, managers, deps, repo, invalid_checksum(outer_checksum)}
    })
  end)
end

defp assert_checksum_mismatch(lock) do
  File.write!("mix.lock", inspect(lock, limit: :infinity, pretty: true))
  # Reset invoked tasks so deps.get can run again within the same test
  Mix.Task.clear()

  # The bug causes this to silently pass and rewrite the lock file with correct checksums
  assert_raise Mix.Error, ~r/Registry checksum mismatch against lock/, fn ->
    Mix.Tasks.Deps.Get.run([])
  end
end

# Flip the first character of a checksum so it no longer matches the real value
defp invalid_checksum("0" <> rest), do: "1" <> rest
defp invalid_checksum(<<_, rest::binary>>), do: "0" <> rest
```
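To make the failure mode concrete, here is an added example that is not Hex's code and is not taken from the fix commit: a reduced model of a lock-versus-registry checksum check. The module name `LockCheckDemo`, the lock and registry maps, and the function names are all constructed for illustration; Hex's real `verify_deps/4` and `verify_deps/5` are not modelled. The lock is keyed by atoms, as `mix.lock` is (compare `lock[:ex_doc]` in the test above), while the registry side is keyed by strings. The vulnerable shape looks the registry up with the atom key, gets `nil`, and treats that as "nothing to check"; the hardened shape normalizes the key to a string and fails closed when the package or version is absent.

```elixir
# Added example, not Hex's code. Shows how an atom-vs-string key mismatch makes a
# checksum check silently pass, and a fail-closed version that normalizes the key.
defmodule LockCheckDemo do
  # Constructed sample lock: mix.lock keys dependencies by atom, and each entry is
  # the 8-tuple {:hex, name, version, inner_checksum, managers, deps, repo, outer_checksum}.
  @lock %{
    ex_doc: {:hex, :ex_doc, "0.31.0", "AAAA", [:mix], [], "hexpm", "BBBB"}
  }

  # Constructed sample registry metadata: package names are strings, and the outer
  # checksum deliberately differs from the lock ("ZZZZ" vs "BBBB").
  @registry %{
    "ex_doc" => %{"0.31.0" => %{inner_checksum: "AAAA", outer_checksum: "ZZZZ"}}
  }

  # Vulnerable shape: the registry is looked up with the atom name. An atom key never
  # matches a string key, so the lookup is nil and the `nil` branch skips the check.
  def verify_vulnerable(lock \\ @lock, registry \\ @registry) do
    Enum.reduce(lock, :ok, fn {app, {:hex, _name, version, inner, _mgrs, _deps, _repo, outer}}, acc ->
      case registry[app] do
        # Hypothetical "not in registry, nothing to verify" branch: this is the silent skip
        nil -> acc
        versions -> compare(versions[version], inner, outer, acc)
      end
    end)
  end

  # Hardened shape: convert the atom name to the registry's string type before the
  # lookup, and halt with an error if the package or version cannot be found.
  def verify_hardened(lock \\ @lock, registry \\ @registry) do
    Enum.reduce_while(lock, :ok, fn {app, {:hex, _name, version, inner, _mgrs, _deps, _repo, outer}}, _acc ->
      name = if is_atom(app), do: Atom.to_string(app), else: app

      with %{} = versions <- registry[name],
           %{} = entry <- versions[version],
           :ok <- compare(entry, inner, outer, :ok) do
        {:cont, :ok}
      else
        nil -> {:halt, {:error, {:unknown_package_or_version, name, version}}}
        {:error, _} = err -> {:halt, err}
      end
    end)
  end

  # A missing version entry is another silent skip in the vulnerable path.
  defp compare(nil, _inner, _outer, acc), do: acc

  defp compare(%{inner_checksum: i, outer_checksum: o}, inner, outer, acc) do
    if i == inner and o == outer, do: acc, else: {:error, :checksum_mismatch}
  end
end

IO.inspect(LockCheckDemo.verify_vulnerable(), label: "vulnerable")
IO.inspect(LockCheckDemo.verify_hardened(), label: "hardened")
```

Run it with `elixir lock_check_demo.exs`. With the constructed data, `verify_vulnerable/0` returns `:ok` even though the outer checksum in the registry does not match the lock, which is exactly the behaviour the test above guards against; `verify_hardened/0` returns `{:error, :checksum_mismatch}`. The two design points that matter are in the hardened path: normalize the key type before looking anything up, and treat an absent package or version as an error rather than as "nothing to verify".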