New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks

Rule details

disallow bidirectional control characters and homoglyphs in source code to mitigate CVE-2021-42574 and CVE-2021-42694

Related ECMAScript feature

Not a new feature, but to specifically disable certain characters supported by https://tc39.es/ecma262/#sec-unicode-format-control-characters

What type of rule is this?

Warns about a potential problem

Example code

// From the trojan source paper: https://www.trojansource.codes/trojan-source.pdf

var accessLevel = "user";
if (accessLevel != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}") {
  console.log("You are an admin");
}

// Replacing {U+NNNN} in the code above with actual code points NNNN,
// the code would be rendered in bidirectional-aware tools as

if (accessLevel != "user") { // Check if admin
  console.log("You are an admin");
}

// Another variant (CVE-2021-42694) is to use homoglyphs
// (characters that look similar) to, for example, declare a
// function with a name different from what one might expect
function sayHello() {
  console.log("Hello, World!");
}

// Replacing H(U+0048) above with Н(U+041D) would declare a
// different function, even though they look visually similar.
function sayНello() {
  console.log("Goodbye, World!");
}

// This invokes the second function even though it appears to
// be calling the first one.
sayНello();

Why should this rule be in the core instead of a plugin?

These vulnerabilities have a relatively wide security impact affecting multiple programming languages; adding it in core would help promote awareness of these issues and reduce the risks in the JS ecosystem while the JS engines work out a fix or other alternatives to mitigate this.

Participation

  • I am willing to submit a pull request to implement this rule.

Additional comments

More information about these attacks can be found at https://www.trojansource.codes/. Also see the security announcement by Node.js: https://groups.google.com/g/nodejs-sec/c/_w6hoamG14E

Blog by the rust team about CVE-2021-42574: https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html
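As an added illustration of what such a rule would check (example code written here, not taken from the ESLint issue or from any ESLint plugin), the scanner below flags the bidirectional control characters used in the first example and mixed-script identifiers such as the homoglyph one; the names findTrojanSourceIssues, isMixedScript, BIDI_CONTROLS, IDENT_RE and SAMPLE are assumptions.

```javascript
// Added example, not code from the ESLint issue or from any ESLint rule:
// a minimal scanner for the two character classes the proposed rule targets.
// Unicode bidirectional formatting characters (CVE-2021-42574).
const BIDI_CONTROLS = new Set([
  0x061c, 0x200e, 0x200f,                  // ALM, LRM, RLM
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e,  // LRE, RLE, PDF, LRO, RLO
  0x2066, 0x2067, 0x2068, 0x2069,          // LRI, RLI, FSI, PDI
]);

// JavaScript-style identifiers: Unicode letters, digits, "_" and "$".
const IDENT_RE = /[\p{L}_$][\p{L}\p{N}_$]*/gu;

function isMixedScript(ident) {
  // Heuristic for CVE-2021-42694: flag an identifier that mixes Latin letters with
  // another script (Cyrillic U+041D in "sayНello"); an all-non-Latin name passes.
  const letters = [...ident].filter((c) => /\p{L}/u.test(c));
  const latin = letters.filter((c) => /\p{Script=Latin}/u.test(c)).length;
  return latin > 0 && latin < letters.length;
}

// Returns [{ line, column, kind, detail }] (1-based positions) for every
// bidi control character and every mixed-script identifier in `source`.
function findTrojanSourceIssues(source) {
  const issues = [];
  source.split("\n").forEach((text, i) => {
    // Bidi controls are flagged anywhere, since the attack hides them in
    // string literals and comments rather than in code tokens.
    for (let j = 0; j < text.length; j++) {
      const cp = text.codePointAt(j);
      if (BIDI_CONTROLS.has(cp)) {
        const hex = cp.toString(16).toUpperCase().padStart(4, "0");
        issues.push({ line: i + 1, column: j + 1, kind: "bidi", detail: `U+${hex}` });
      }
    }
    for (const m of text.matchAll(IDENT_RE)) {
      if (isMixedScript(m[0])) {
        issues.push({ line: i + 1, column: m.index + 1, kind: "mixed-script", detail: m[0] });
      }
    }
  });
  return issues;
}

// Constructed sample: the issue's examples with the real code points substituted.
const SAMPLE = [
  'if (accessLevel != "user\u202E \u2066// Check if admin\u2069 \u2066") {',
  '  console.log("You are an admin");',
  '}',
  'function say\u041Dello() { console.log("Goodbye, World!"); }',
  'say\u041Dello();',
].join("\n");
```

A real ESLint rule would run the same checks over the parser's tokens and comments rather than over raw lines, so that reports carry precise locations and fixers can be attached.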

Top GitHub Comments

4 reactions
nzakas commented, Nov 11, 2021

@mhofman I like this approach, though the team feels that the core isn’t the correct home for these rules. I’m talking with the eslint-plugin-security folks to see about getting that project restarted, as I think that would be the best home for such rules.

1 reaction
nzakas commented, Oct 27, 2022

Yes, sorry, way too much going on. If you wouldn’t mind, you can suggest security related rules here:

https://github.com/nodesecurity/eslint-plugin-security

Still trying to get back around to fixing up that plugin but it’s the right place for rules like these.
