Comments (4)
Note: This specific issue is not really much of an issue regarding PRs containing malicious unicode bidirectional control characters, since GitHub detects this and makes it very apparent:
from buskill-app.
I read some weeks ago that most linters should be able to pick-up on this. I actually don't use a linter, but let's investigate.
First, the authors of the Trojan Source paper demonstrate the vulnerability with code snippets across many languages here on GitHub. Here's an example script with a classic, malicious bidirectional control character in python here on GitHub.
At the top of the above page, there's a clear warning:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
But what about the linters? Let's try them out.
Black
apt-get install black
wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
black commenting-out.py
black doesn't warn at all, and the malicious characters are still in place after running it
user@disp769:~/sandbox$ black commenting-out.py
reformatted commenting-out.py
All done! ✨ 🍰 ✨
1 file reformatted.
user@disp769:~/sandbox$ python3 commenting-out.py
You are an admin.
user@disp769:~/sandbox$
PyFlakes
pyflakes ain't catch shit
user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ pyflakes commenting-out.py
user@disp769:~/sandbox$ python3 commenting-out.py
You are an admin.
user@disp769:~/sandbox$
pycodestyle
pycodestyle doesn't appear to detect it -- at least not in a message that explains the issue
user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ pycodestyle commenting-out.py
commenting-out.py:4:29: E261 at least two spaces before inline comment
commenting-out.py:5:31: W292 no newline at end of file
user@disp769:~/sandbox$ python3 commenting-out.py
You are an admin.
user@disp769:~/sandbox$
yapf
yapf doesn't fix it
user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ yapf -i commenting-out.py
user@disp769:~/sandbox$ python3 commenting-out.py
You are an admin.
user@disp769:~/sandbox$
bandit
bandit skipped right over it
user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ bandit commenting-out.py
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.3
[node_visitor] INFO Unable to find qualified name for module: commenting-out.py
Run started:2021-11-14 23:04:46.645931
Test results:
No issues identified.
Code scanned:
Total lines of code: 3
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 0.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 0.0
Files skipped (0):
user@disp769:~/sandbox$ python3 commenting-out.py
You are an admin.
user@disp769:~/sandbox$
dodgy
dodgy didn't catch it
user@disp769:~/sandbox$ wget -qO commenting-out.py https://raw.githubusercontent.com/nickboucher/trojan-source/main/Python/commenting-out.py
user@disp769:~/sandbox$ dodgy commenting-out.py
{
"warnings": []
}
user@disp769:~/sandbox$ python3 commenting-out.py
You are an admin.
user@disp769:~/sandbox$
from buskill-app.
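The check that none of the linters above perform, as an added example (not code from the buskill-app project or from the Trojan Source authors): a small Python scanner that reports every Unicode bidirectional control character by file, line and column, and exits non-zero so it can gate a CI job. The script name bidi_scan.py and the SAMPLE text are assumptions constructed here.

```python
import re
import sys
from pathlib import Path

# Unicode bidirectional control characters used in Trojan Source attacks.
# Explicit embeddings/overrides (U+202A-U+202E) and isolates (U+2066-U+2069)
# change how an editor renders a line without changing how it is compiled.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control character in text.

    Line and column are 1-based so the output matches the file:line:col
    convention the linters above use.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in BIDI_RE.finditer(line):
            hits.append((lineno, match.start() + 1, BIDI_CONTROLS[match.group()]))
    return hits


def scan_files(paths):
    """Scan each path; return {path: hits} for the files that contain any."""
    findings = {}
    for path in map(Path, paths):
        # Decode leniently so a file with one undecodable byte is still scanned.
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_bidi_controls(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: an innocuous-looking comment that ends with U+202E
# (RIGHT-TO-LEFT OVERRIDE), which an editor would render reordered.
SAMPLE = "access_level = 'user'\nif access_level != 'none': # check\u202e\n    pass\n"

if __name__ == "__main__":
    # In CI: python bidi_scan.py $(git ls-files); a non-zero exit fails the job.
    results = scan_files(sys.argv[1:])
    for name, hits in results.items():
        for line, col, ctrl in hits:
            print(f"{name}:{line}:{col}: bidi control character {ctrl}")
    sys.exit(1 if results else 0)
```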
I crowdsourced this to Stack Overflow. Will revisit another day.
from buskill-app.
This was fixed by the following commit:
See also:
- https://tech.michaelaltfield.net/2021/11/22/bidi-unicode-github-defense/
- https://stackoverflow.com/questions/69968043/how-to-update-github-actions-ci-to-detect-trojan-code-commits-malicious-bidire
from buskill-app.