Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add check for potential misuse of unicode #749

Open
CarliJoy opened this issue Nov 4, 2021 · 1 comment · May be fixed by #757
Open

Add check for potential misuse of unicode #749

CarliJoy opened this issue Nov 4, 2021 · 1 comment · May be fixed by #757
Labels
enhancement New feature or request

Comments

@CarliJoy
Copy link

CarliJoy commented Nov 4, 2021
edited

Is your feature request related to a problem? Please describe.
Recently some possible misuses of unicode characters were described.
See PEP 672 for a description.

Describe the solution you'd like
It would be nice to have some Bandit rules that can be configured:

  • An optional filter that enforces ASCII - only (excluding \u[0-9a-f]+, \b, \r, \x1A, \x1B) in all file contents
  • An optional filter that enforces ASCII only as filenames
  • An filter that looks for potential bad unicode chars and of course for \u[0-9a-f]+, \b, \r, \x1A, \x1B)
  • An filter that prevents using look alike characters of different language groups as a variable, class or function name

Describe alternatives you've considered
See linked PEP.
The content of the filters is of course up to debate.
@CarliJoy CarliJoy added the enhancement New feature or request label Nov 4, 2021
@CarliJoy CarliJoy mentioned this issue Nov 9, 2021
Closed
@Lucas-C
Copy link

Lucas-C commented Nov 9, 2021
edited

The vulnerability is detailed here: http://trojansource.codes

adversaries can attack the encoding of source code files to inject vulnerabilities
The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.

Extract from the PDF white paper, section "VII. F - Defenses":

The simplest defense is to ban the use of text directionality control characters
If an application wishes to print text that requires Bidi overrides, developers can generate those characters using escape sequences rather than embedding potentially dangerous characters into source code.

I'm willing to work on a PR if maintainers at @PyCQA approve this feature

@twoertwein twoertwein mentioned this issue Nov 11, 2021
Open
@Lucas-C Lucas-C linked a pull request Nov 16, 2021 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

New check: B113: TrojanSource - Bidirectional control characters Lucas-C/bandit
2 participants
@Lucas-C @CarliJoy