Detects trojan source attacks that employ unicode bidi attacks to inject malicious code (security/detect-bidi-characters)

This rule is enabled in the recommended config.
Detects cases of trojan source attacks that employ unicode bidi attacks to inject malicious code
The following publication on the topic of unicode characters attacks, dubbed Trojan Source: Invisible Vulnerabilities, has caused a lot of concern from potential supply chain attacks where adversaries are able to inject malicious code into the source code of a project, slipping by unseen in the code review process.
As an example, take the following code, where RLO, LRI, PDI and IRI are placeholders to visualise the respective dangerous unicode characters:
```js
#!/usr/bin/env node
var accessLevel = 'user';
if (accessLevel != 'userRLO LRI// Check if adminPDI IRI') {
  console.log('You are an admin.');
}
```
The code above will be rendered by a text editor as follows:
```js
#!/usr/bin/env node
var accessLevel = 'user';
if (accessLevel != 'user') {
  // Check if admin
  console.log('You are an admin.');
}
```
Looking at the rendered code above, a reviewer might not notice the injected unicode characters, which actually change the semantics and behaviour of the code: the bidi characters are part of the string literal, so the comparison against the plain value 'user' never matches and the "admin" branch runs for everyone.
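The check the rule performs, shown as an added example rather than the plugin's own implementation: a scanner that reports every Unicode bidi control character in a source text with its line and column, run over the page's example with real control characters substituted for the placeholders (the fourth placeholder is assumed to be LRI, U+2066).

```javascript
// Added example, not eslint-plugin-security's code: locate the Unicode bidi control
// characters (Trojan Source) in a source string and report each one.
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/g;

const BIDI_NAMES = {
  '\u061C': 'ALM', '\u200E': 'LRM', '\u200F': 'RLM',
  '\u202A': 'LRE', '\u202B': 'RLE', '\u202C': 'PDF', '\u202D': 'LRO', '\u202E': 'RLO',
  '\u2066': 'LRI', '\u2067': 'RLI', '\u2068': 'FSI', '\u2069': 'PDI',
};

// Returns one finding per control character: 1-based line and column, name and code point.
function detectBidiCharacters(source) {
  const findings = [];
  source.split('\n').forEach((line, lineIdx) => {
    for (const match of line.matchAll(BIDI_CONTROLS)) {
      const ch = match[0];
      findings.push({
        line: lineIdx + 1,
        column: match.index + 1,
        name: BIDI_NAMES[ch],
        codePoint: 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
      });
    }
  });
  return findings;
}

// Constructed sample: the page's snippet with actual control characters
// (RLO U+202E, LRI U+2066, PDI U+2069, and LRI again; the last one is an assumption).
const TROJAN_SAMPLE =
  "#!/usr/bin/env node\n" +
  "var accessLevel = 'user';\n" +
  "if (accessLevel != 'user\u202E \u2066// Check if admin\u2069 \u2066') {\n" +
  "  console.log('You are an admin.');\n" +
  "}\n";

for (const f of detectBidiCharacters(TROJAN_SAMPLE)) {
  console.log(`${f.line}:${f.column} ${f.name} (${f.codePoint})`);
}
```

Each reported position is a spot where the editor's rendering and the parser's view of the line diverge, which is what a reviewer needs to know before trusting the rendered text.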
For more information on the topic, see the official website trojansource.codes and the following source code repository, which contains the source code accompanying the publication.