Mark,
On 11/19/21 13:46, Mark Thomas wrote:
On 19/11/2021 18:12, Christopher Schultz wrote:
All,
On 11/19/21 13:04, Christopher Schultz wrote:
All,
I've been (briefly) looking into using CheckStyle to try to detect
use of Unicode directional code points in source code to avoid things
like this:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
I don't believe the existing Unicode tool (specifically
AvoidEscapedUnicodeCharacters) can check for this sort of thing. It
seems more geared toward code /style/ than anything else, such as
banning certain byte sequences in files.
But it does look like the Regexp* tool(s) may be able to do it.
WDYT?
<!-- Look for Unicode directionality overrides -->
<module name="RegexpSingleline">
<property name="format"
value="[⁦-⁩‪-‮]" />
</module>
I have to fine an example of a file with this type of malicious
content to see if this rule will catch it. In general, are there any
objections to adding this to the checkstyle configuration?
I have a sample of this, now, and I have a grep command which
identifies the file properly, but my config in checkstyle above
results in the following error during "checkstyle":
BUILD FAILED
.../build.xml:824: Unable to process files: [
-- a list of what looks like every file in the whole project --
]
There is no indication of what the problem might be. :/
Do we need this?
Is the compiler setting that all source code is ISO-8859-1 not
sufficient to protect us from this?
Good question. It depends upon what encoding your code-editor expects.
If the source code is "in ISO-8859-1" but the code-editor uses UTF-8 for
whatever reason (including the fact that these types of characters might
be lurking in there, triggering the use of UTF-8), the programmer can be
tricked.
The same can be true of pull-requests, though GitHub has recently put in
notifications for files which contain these types of characters. I don't
know how it works with pull requests -- like whether or not the diffs
will be flagged, or if the emails generated to tell you about the diffs
have similar protections in them.
Or are you proposing this as a defence in depth option?
More so defense-in-depth. With checkstyle (or a similar tool) looking
for this foolishness, we can guarantee that we don't miss something
important if it happens to make it into a source file.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
