Comments (8)
fyi, I hacked-up a simple GitHub Actions workflow that looks for Unicode characters in the changes made for a given PR
If any unicode characters were added in the commits comprising the PR, it adds a comment to the PR with the text
WARNING: Unicode characters found in diff!
Example PR:
If no unicode characters were found in the diff, it adds the comment
INFO: No unicode characters found in PR's commits
EDIT: I published a small write-up about how to use this here:
from trojan-source.
If you are using VSCode (desktop app, online, GitHub codespaces, etc.), I have used the Highlight Bad Chars extension to detect weird dashes and spaces in the past and it does show the BiDi characters. This will at least let you know if there are bad characters there.
I've also noted that GitHub is now displaying a warning when viewing BiDi trojan source attacks in the web UI.
from trojan-source.
A GitHub action would also be useful for developers to quickly add to their workflows.
from trojan-source.
While the VS Code extensions are nice, and even some improvements to the default VS Code settings and on GitHub, it's just not enough and you can't force everyone to download these extensions. Instead, adding the ESLint plugin to surface such issues in the CI and break it before changes are merged is more actionable and secure than trusting that all developers adhere to specific extensions and setups.
from trojan-source.
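A worked version of the CI check the two comments above describe (the GitHub Actions workflow that scans a PR's diff for Unicode characters, and the ESLint-style approach of breaking CI before the change is merged): this is added example code, not the workflow, the ESLint plugin or anything from the anti-trojan-source repo. It uses only the Python standard library; the unified diff and the file name app.py are constructed sample input, the bidi code-point list is the set of embedding/override/isolate controls the Trojan Source examples rely on, and the two comment strings are the ones quoted in the first comment.

```python
import sys
import unicodedata
from dataclasses import dataclass

# Bidi embedding/override/isolate controls used in Trojan Source-style attacks.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

@dataclass
class Finding:
    path: str      # file on the "new" side of the diff
    line: int      # line number in the new file
    column: int    # 1-based column within that line
    char: str
    name: str      # short bidi tag, or the Unicode character name
    bidi: bool     # True for a bidi control, False for any other non-ASCII char

def scan_diff(diff_text, report_all_non_ascii=True):
    """Walk a unified diff and report non-ASCII characters on added lines only."""
    findings = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": new-file numbering restarts at c
            new_range = raw.split("+", 1)[1].split()[0]
            new_line = int(new_range.split(",")[0])
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue          # file headers and "\ No newline at end of file"
        if raw.startswith("-"):
            continue          # removed line: not present in the new file
        if raw.startswith("+"):
            for col, ch in enumerate(raw[1:], 1):
                if ch in BIDI_CONTROLS:
                    findings.append(Finding(path, new_line, col, ch, BIDI_CONTROLS[ch], True))
                elif report_all_non_ascii and ord(ch) > 0x7F:
                    findings.append(Finding(path, new_line, col, ch,
                                            unicodedata.name(ch, "UNNAMED"), False))
        new_line += 1         # context and added lines both advance the new file
    return findings

def pr_comment(findings):
    """The two PR comment texts from the workflow described in the thread."""
    if findings:
        return "WARNING: Unicode characters found in diff!"
    return "INFO: No unicode characters found in PR's commits"

def report(findings):
    lines = [pr_comment(findings)]
    for f in findings:
        tag = "BIDI" if f.bidi else "non-ASCII"
        lines.append(f"{f.path}:{f.line}:{f.column}: {tag} U+{ord(f.char):04X} ({f.name})")
    return "\n".join(lines)

# Constructed sample diff: one harmless accented comment and one added line
# carrying a RIGHT-TO-LEFT OVERRIDE (written as an escape so it stays visible).
SAMPLE_DIFF = (
    "diff --git a/app.py b/app.py\n"
    "--- a/app.py\n"
    "+++ b/app.py\n"
    "@@ -1,3 +1,4 @@\n"
    " def is_admin(user):\n"
    "+    # caf\u00e9 note\n"
    "+    if user.role == 'admin\u202e' :\n"
    "     return False\n"
)

if __name__ == "__main__":
    # CI usage (assumed job step): git diff origin/main...HEAD | python check_bidi.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    found = scan_diff(text)
    print(report(found))
    # Fail the job only on bidi controls; other non-ASCII is reported but tolerated,
    # so accented names in comments do not block every PR.
    sys.exit(1 if any(f.bidi for f in found) else 0)
```

Scanning only `+` lines keeps the check scoped to what the PR introduces, so a repository that already contains non-ASCII text does not trip the warning on every change; the exit status is what lets the job break the build before merge, independent of which editor extensions the contributors have installed.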
@jhollowe agree about the GitHub Action idea. That would be a super nice thing. Would you like to submit a pull request on the anti-trojan-source repo that creates one? I'll be happy to merge it in and submit to the marketplace.
from trojan-source.
Isn't there a "trusting trust" issue with such codes that attempt to identify bidi attacks?
from trojan-source.
I agree that extensions are not the best way to mitigate this, but it's a good start until the IDE implements checks for this natively. I created the ShaneRay.InvisibleCharacterVisualizer Visual Studio extension awhile back that seems to catch a lot of these. Going to try and update it in the coming weeks to catch the homoglyph-function.csx cases and add support for VS 2022.
from trojan-source.
In terms of detection, the to-be-released GCC 12 has a new -Wbidi-chars warning for this (I helped implement it).
I wrote a blog post about the detection features here:
https://developers.redhat.com/articles/2022/01/12/prevent-trojan-source-attacks-gcc-12
which shows what GCC 12 emits for the various test cases in this repository, along with some others notes relating to the issue that others may find helpful.
Hope this is constructive [and not just shameless self-promotion :) ]
from trojan-source.