Is your feature request related to a problem? Please describe.
The vulnerability is detailed here: https://trojansource.codes
adversaries can attack the encoding of source code files to inject vulnerabilities
The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.
Describe the solution you'd like
Could a new check be added to bandit to detect those characters?
Describe alternatives you've considered
Using a language-agnostic linter tool detecting this vulnerability,
but I do not know any existing one so far.
Additional context
Maybe a bit less strict, as the article mentions, unterminated bidirectional control characters?
I still haven't used those types of characters, but I presume they are useful for right-to-left languages. I assume banning all control chars would prevent writing comments in those languages?
It's probably harder to implement though.
Apart from that, I think it's a great idea to implement those checks in tools, to not rely on the human eye!
It is recommended as part of the PDF white paper, section "VII. F - Defenses":
The simplest defense is to ban the use of text directionality control characters
If an application wishes to print text that requires Bidi overrides, developers can generate those characters using escape sequences rather than embedding potentially dangerous characters into source code.
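As an added illustration (not code from the bandit project or from anyone in this thread), the scanner below implements both options discussed above: the strict "ban every bidi control" defense from the paper, and the relaxed variant that only reports a control character left open at the end of its line. The set of control characters is taken from the Unicode Bidirectional Algorithm; the sample source it scans is constructed here and, like the line-based notion of "unterminated", is an assumption of this example rather than anything bandit defines.

```python
from typing import List, Tuple

# Bidi controls abused by Trojan Source (Unicode Bidirectional Algorithm):
# embeddings/overrides are closed by PDF, isolates by PDI, marks need no closer.
EMBEDDINGS = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO"}
ISOLATES = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
MARKS = {"\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM"}
PDF, PDI = "\u202c", "\u2069"

# A finding is (line, col, name, reason); line is 1-based, col is 0-based.
Finding = Tuple[int, int, str, str]

def scan_source(text: str, strict: bool = True) -> List[Finding]:
    """strict=True flags every bidi control (the paper's simplest defense);
    strict=False flags only embeddings/overrides/isolates still open at the end
    of their line, the 'unterminated' relaxation proposed in the thread."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stack: List[Tuple[int, str, str]] = []  # (col, name, closer) still open
        for col, ch in enumerate(line):
            name = EMBEDDINGS.get(ch) or ISOLATES.get(ch) or MARKS.get(ch)
            if ch in EMBEDDINGS:
                stack.append((col, name, PDF))
            elif ch in ISOLATES:
                stack.append((col, name, PDI))
            elif ch == PDF:  # closes only the innermost embedding/override
                name = "PDF"
                if stack and stack[-1][2] == PDF:
                    stack.pop()
            elif ch == PDI:  # closes the innermost isolate and all opened inside it
                name = "PDI"
                if any(s[2] == PDI for s in stack):  # a PDI with no open isolate is ignored
                    while stack.pop()[2] != PDI: pass
            if name and strict:
                findings.append((lineno, col, name, "bidi control character in source"))
        if not strict:
            findings.extend((lineno, c, n, "bidi control not terminated on its line")
                            for c, n, _ in stack)
    return findings

# Constructed sample (not from the page): a Trojan-Source-style comment that
# opens an RLO and never closes it, a balanced RTL comment, and plain code.
SAMPLE = ("def check(is_admin):\n"
          "    # \u202e } if (is_admin)\n"
          "    # \u2067\u05e9\u05dc\u05d5\u05dd\u2069 greeting in Hebrew\n"
          "    return is_admin\n")

if __name__ == "__main__":
    for line, col, name, reason in scan_source(SAMPLE, strict=False):
        print(f"{line}:{col} {name}: {reason}")
```

In relaxed mode only the unclosed RLO on line 2 is reported, while strict mode also flags the balanced RLI/PDI pair around the Hebrew comment, which is the trade-off the thread is weighing.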
Please note #749 where I already opened an issue for the same topic.
Especially have a look at the linked ticket there that explains the issue in detail for python!