
trojansourcedetector4dotnet's Introduction

🔍 Trojan Source detector for .NET

Simple CLI tool that analyzes your .NET projects and detects vulnerabilities related to hidden characters in your source.

Problem

According to recent research by Cambridge University's Nicholas Boucher and Ross Anderson, there are two vulnerabilities that affect most code compilers.

These vulnerabilities have an impact on software supply chains: for example, if an attacker successfully injects code by deceiving human reviewers, future software is likely to inherit the vulnerability.

Problem in depth

  • Extended strings: make sections of string literals appear as code, which has the same impact as comments and causes string comparisons to fail.

  • Comment out: forces a comment to appear as code, which the compiler then ignores.

  • Early returns: bypass a function by executing a return statement that appears to be inside a comment.

Compilers support these characters that you do not see: when your application is compiled they interpret them, producing a compiled application that differs from the one shown in your IDE.

Read about the complete problem and how it works at:

📕 Dotnetsafer Trojan source article

Solution

Scan your project files to find hidden characters that your IDE does not render but the compiler does process.

Installation

On CMD or PowerShell:

dotnet tool install --global TrojanSourceDetector --version 1.0.1

Usage

After installing this dotnet tool, run in your cmd:

TrojanSourceDetector

and enter the full directory path of the project(s) to scan.

Optional Commands

Flag             Purpose
-Verbose (-v)    Output the lines with problems both as they appear and with the Unicode character tag displayed.
-ESC (-e)        Exclude the escape character (\u7F).
-BOM (-b)        Exclude Unicode byte-order marks (\uFEFF).
-Whitelist (-w)  Exclude whitelisted emojis (list included in the tool).

If the first parameter is a valid folder, it will be used instead of prompting the user for a folder to scan.

Emoji whitelist source: https://www.unicode.org/Public/emoji/14.0/emoji-test.txt
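To make the "Problem in depth" section and the flag table above concrete, here is an added example of the kind of scan this tool performs. It is not the project's own code: it walks source text, flags the characters a reviewer cannot see (the Unicode bidirectional controls used in Trojan Source attacks, the byte-order mark, other format and control characters, and emoji-class symbols), and mirrors the -ESC, -BOM and -Whitelist exclusions and the -Verbose tagged view. The sample input, the three-entry emoji whitelist (a stand-in for the emoji-test.txt list the tool ships) and the function names are constructed for the example; the 0x7F code point is the one the README's flag table lists for -ESC.

```python
"""Scan source text for hidden Unicode characters (added example, not the tool's code)."""
import unicodedata
from dataclasses import dataclass
from pathlib import Path

# Bidirectional controls abused by Trojan Source: LRE/RLE/PDF/LRO/RLO and LRI/RLI/FSI/PDI.
BIDI_CONTROLS = frozenset(range(0x202A, 0x202F)) | frozenset(range(0x2066, 0x206A))
BOM = 0xFEFF
ESC_LISTED = 0x7F  # code point the README's -ESC flag names
# Constructed stand-in for the emoji whitelist (real tool uses unicode.org emoji-test.txt).
EMOJI_WHITELIST = frozenset({0x2705, 0x1F4A1, 0x1F600})


@dataclass(frozen=True)
class Finding:
    line_no: int
    col: int
    codepoint: int
    name: str
    kind: str


def classify(ch, *, exclude_esc=False, exclude_bom=False, use_whitelist=False):
    """Return a finding kind for a suspicious character, or None if it is acceptable."""
    cp = ord(ch)
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if cp == BOM:
        return None if exclude_bom else "bom"          # -BOM (-b)
    if cp == ESC_LISTED:
        return None if exclude_esc else "escape"       # -ESC (-e)
    cat = unicodedata.category(ch)
    if cat == "Cf":                                    # zero-width and other format chars
        return "format"
    if cat == "Cc" and ch not in "\t\n\r":             # control chars other than whitespace
        return "control"
    if cat == "So":                                    # symbols, where emoji live
        if use_whitelist and cp in EMOJI_WHITELIST:    # -Whitelist (-w)
            return None
        return "symbol"
    return None


def scan_text(text, **opts):
    """Return findings (1-based line and column) for every hidden character in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch, **opts)
            if kind:
                findings.append(Finding(line_no, col, ord(ch),
                                        unicodedata.name(ch, "<unnamed>"), kind))
    return findings


def tagged(line):
    """Render a line with each hidden character replaced by a visible \\uXXXX tag (-Verbose view)."""
    return "".join(f"\\u{ord(ch):04X}" if classify(ch) else ch for ch in line)


def scan_directory(root, exts=(".cs", ".vb", ".fs"), **opts):
    """Scan every source file under root; returns {path: [Finding, ...]} for files with findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            # plain "utf-8" (not "utf-8-sig") keeps a leading BOM so it can be reported
            text = path.read_text(encoding="utf-8", errors="replace")
            findings = scan_text(text, **opts)
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample: a BOM, a bidi override pair inside a comment, a whitelisted emoji, and DEL.
SAMPLE = (
    "\ufeffusing System;\n"
    "// TODO \u202e hidden \u202c\n"
    "Console.WriteLine(\"ok\"); // \u2705 done\n"
    "var x = 1;\x7f\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no} col {f.col}: U+{f.codepoint:04X} {f.name} [{f.kind}]")
    for line in SAMPLE.splitlines():
        print(tagged(line))
```

With no exclusions the sample yields five findings; passing exclude_esc, exclude_bom and use_whitelist leaves only the two bidirectional controls, which is the signal that actually matters for a Trojan Source review. Running scan_directory over a checkout and failing the build on any "bidi-control" finding is the simplest CI gate.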

Output / Demo

[Image: result]
