On 19/11/2021 18:12, Christopher Schultz wrote:
All,
On 11/19/21 13:04, Christopher Schultz wrote:
All,
I've been (briefly) looking into using CheckStyle to try to detect use
of Unicode directional code points in source code to avoid things like
this:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
I don't believe the existing Unicode tool (specifically
AvoidEscapedUnicodeCharacters) can check for this sort of thing. It
seems more geared toward code /style/ than anything else, such as
banning certain byte sequences in files.
But it does look like the Regexp* tool(s) may be able to do it.
WDYT?
<!-- Look for Unicode directionality overrides: bidi isolates U+2066..U+2069
     and embeddings/overrides U+202A..U+202E, written as regex escapes so the
     config file itself stays pure ASCII -->
<module name="RegexpSingleline">
    <property name="format"
              value="[\u2066-\u2069\u202A-\u202E]" />
    <property name="message"
              value="Unicode bidirectional control character" />
</module>
I have to find an example of a file with this type of malicious
content to see if this rule will catch it. In general, are there any
objections to adding this to the checkstyle configuration?
I have a sample of this, now, and I have a grep command which identifies
the file properly, but my config in checkstyle above results in the
following error during "checkstyle":
BUILD FAILED
.../build.xml:824: Unable to process files: [
-- a list of what looks like every file in the whole project --
]
There is no indication of what the problem might be. :/
Do we need this?
Is the compiler setting that all source code is ISO-8859-1 not
sufficient to protect us from this?
Or are you proposing this as a defence in depth option?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
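An added example, not from this thread or from the Tomcat project, of the detection Christopher describes: a small Python scanner that flags the same bidirectional control code points the Checkstyle RegexpSingleline rule above targets (U+2066..U+2069 and U+202A..U+202E, the characters behind CVE-2021-42574) and reports file, line and column for each hit. It searches the raw bytes of a file for the UTF-8 encodings of those code points, so it runs the same way whatever source encoding the build is configured with. The Java snippet it scans is constructed for the example, and the file-suffix list and function names are assumptions.

```python
import re
from pathlib import Path

# Unicode bidirectional control characters abused in CVE-2021-42574
# ("Trojan Source"): embeddings/overrides U+202A..U+202E and isolates
# U+2066..U+2069, keyed by code point with their short Unicode names.
BIDI_CONTROLS = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}

# Match on the raw UTF-8 byte sequences rather than on decoded text, so a file
# is flagged no matter which charset the compiler or build tool is told to use.
BIDI_BYTES_RE = re.compile(
    b"|".join(re.escape(chr(cp).encode("utf-8")) for cp in BIDI_CONTROLS)
)


def find_bidi_controls(data: bytes):
    """Return a list of (line, column, code point, name), 1-based, for every
    bidirectional control character found in the given file contents."""
    findings = []
    for match in BIDI_BYTES_RE.finditer(data):
        prefix = data[:match.start()]
        line = prefix.count(b"\n") + 1
        line_start = prefix.rfind(b"\n") + 1
        # Column counted in characters of the current line, not bytes.
        col = len(data[line_start:match.start()].decode("utf-8", "replace")) + 1
        cp = ord(match.group().decode("utf-8"))
        findings.append((line, col, cp, BIDI_CONTROLS[cp]))
    return findings


def scan_tree(root, suffixes=(".java", ".xml", ".properties")):
    """Scan every file under root with one of the given suffixes (assumed
    list) and return {path: findings} for files that contain a hit."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_bidi_controls(path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: a Java file with an RLO (U+202E) inside a comment and an
# LRI/PDI pair (U+2066/U+2069) inside a string literal.
SAMPLE_JAVA = (
    "public class Demo {\n"
    "    // constructed sample: \u202e is U+202E (RLO)\n"
    "    static final String S = \"\u2066abc\u2069\";\n"
    "}\n"
).encode("utf-8")


if __name__ == "__main__":
    for line, col, cp, name in find_bidi_controls(SAMPLE_JAVA):
        print(f"Demo.java:{line}:{col}: U+{cp:04X} ({name})")
```

Run as a script it prints one line per hit for the constructed sample; `scan_tree("java")` applies the same check to a source tree and returns only the files that contain a hit, which is the shape a CI job or pre-commit hook would want to fail on.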