All,

I've been (briefly) looking into using CheckStyle to try to detect use
of Unicode directional code points in source code to avoid things like this:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574

I don't believe the existing Unicode tool (specifically
AvoidEscapedUnicodeCharacters) can check for this sort of thing. It
seems more geared toward code /style/ than anything else, such as
banning certain byte sequences in files.

But it does look like the Regexp* tool(s) may be able to do it.
WDYT?

<!-- Look for Unicode directionality overrides -->
<module name="RegexpSingleline">
<property name="format" value="[⁦-⁩‪-‮]" />
</module>

I have to find an example of a file with this type of malicious content
to see if this rule will catch it. In general, are there any objections
to adding this to the checkstyle configuration?

-chris
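
A stand-alone check of the character class proposed in the message above, added here as an example; it is not part of the original message or of the project's Checkstyle configuration. It is written in Python with `\u` escapes rather than as a Checkstyle module, on the assumption that this simple class (U+2066 to U+2069, U+202A to U+202E) behaves the same in Python's `re` as in Java regex; `find_bidi_controls` and `SAMPLE` are hypothetical names and the sample source text is constructed.

```python
import re
import unicodedata

# Same character class as the proposed RegexpSingleline "format" value,
# written with \u escapes so the pattern contains no invisible characters.
BIDI_CONTROLS = re.compile(r"[\u2066-\u2069\u202A-\u202E]")


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX NAME') for each directional control found.

    Lines are checked one at a time, as a single-line regexp check would do.
    Line and column numbers are 1-based.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in BIDI_CONTROLS.finditer(line):
            ch = match.group()
            label = f"U+{ord(ch):04X} {unicodedata.name(ch)}"
            findings.append((line_no, match.start() + 1, label))
    return findings


# Constructed sample: line 2 holds ordinary non-ASCII text that must not be
# flagged; lines 3 and 4 hold directional controls that must be flagged.
SAMPLE = (
    "public class Demo {\n"
    "    // caf\u00e9 \u05e9\u05dc\u05d5\u05dd: non-ASCII text, no controls\n"
    "    String note = \"\u202Edesrever\u202C\";\n"
    "    String tag = \"\u2066isolated\u2069\";\n"
    "}\n"
)

if __name__ == "__main__":
    for line_no, column, label in find_bidi_controls(SAMPLE):
        print(f"line {line_no}, column {column}: {label}")
```

Run over a source tree, a non-empty result for any file is the condition the proposed rule is meant to fail the build on.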