Code Monkey home page Code Monkey logo

Comments (4)

maltfield avatar maltfield commented on June 14, 2024

Note: This specific issue is not really much of an issue regarding PRs containing malicious unicode bidirectional control characters, since GitHub detects this and makes it very apparent:

from buskill-app.

maltfield avatar maltfield commented on June 14, 2024

I read some weeks ago that most linters should be able to pick-up on this. I actually don't use a linter, but let's investigate.

First, the authors of the Trojan Source paper demonstrate the vulnerability with code snippets across many languages here on GitHub. Here's an example script with a classic, malicious bidirectional control character in python here on GitHub.

At the top of the above page, there's a clear warning:

 This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters

But what about the linters? Let's try them out

Black

apt-get install black
wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
black commenting-out.py

black doesn't warn at all, and the malicious characters are still in-place after running it

user@disp769:~/sandbox$ black commenting-out.py
reformatted commenting-out.py
All done! ✨ 🍰 ✨
1 file reformatted.
user@disp769:~/sandbox$ python3 commenting-out.py 
You are an admin.
user@disp769:~/sandbox$

PyFlakes

pyflakes ain't catch shit

user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ pyflakes commenting-out.py 
user@disp769:~/sandbox$ python3 commenting-out.py 
You are an admin.
user@disp769:~/sandbox$

pycodestyle

pycodestyle doesn't appear to detect it -- at least not in a message that explains the issue

user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ pycodestyle commenting-out.py 
commenting-out.py:4:29: E261 at least two spaces before inline comment
commenting-out.py:5:31: W292 no newline at end of file
user@disp769:~/sandbox$ python3 commenting-out.py 
You are an admin.
user@disp769:~/sandbox$

yapf

yapf doesn't fix it

user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ yapf -i commenting-out.py
user@disp769:~/sandbox$ python3 commenting-out.py 
You are an admin.
user@disp769:~/sandbox$

bandit

bandit skipped right over it

user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ bandit commenting-out.py
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.3
[node_visitor]	INFO	Unable to find qualified name for module: commenting-out.py
Run started:2021-11-14 23:04:46.645931

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 3
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
Files skipped (0):
user@disp769:~/sandbox$ python3 commenting-out.py 
You are an admin.
user@disp769:~/sandbox$

dodgy

dodgy didn't catch it

user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ dodgy commenting-out.py
{
  "warnings": []
}
user@disp769:~/sandbox$ python3 commenting-out.py 
You are an admin.
user@disp769:~/sandbox$

from buskill-app.

maltfield avatar maltfield commented on June 14, 2024

I crowdsourced this to Stack Overflow. Will revisit another day.

from buskill-app.

maltfield avatar maltfield commented on June 14, 2024

This was fixed by the following commit:

See also:

from buskill-app.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.