New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks
Rule details
Disallow bidirectional control characters and homoglyphs in source code to mitigate CVE-2021-42574 and CVE-2021-42694.
Related ECMAScript feature
Not a new feature, but to specifically disable certain characters supported by https://tc39.es/ecma262/#sec-unicode-format-control-characters
What type of rule is this?
Warns about a potential problem
Example code
// From the trojan source paper: https://www.trojansource.codes/trojan-source.pdf
var accessLevel = "user";
if (accessLevel != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}") {
    console.log("You are an admin");
}

// Replacing {U+NNNN} in the code above with actual code points NNNN,
// the code would be rendered in bidirectional-aware tools as
if (accessLevel != "user") { // Check if admin
    console.log("You are an admin");
}

// Another variant (CVE-2021-42694) is to use homoglyphs
// (characters that look similar) to, for example, declare a
// function with a name different from what one might expect
function sayHello() {
    console.log("Hello, World!");
}

// Replacing H (U+0048) above with Н (U+041D) would declare a
// different function, even though they look visually similar.
function sayНello() {
    console.log("Goodbye, World!");
}

// This invokes the second function even though it appears to
// be calling the first one.
sayНello();
Why should this rule be in the core instead of a plugin?
These vulnerabilities have a relatively wide security impact affecting multiple programming languages. Adding it in core would help promote awareness of these issues and reduce the risks in the JS ecosystem while the JS engines work out a fix or other alternatives to mitigate this.
Participation
- I am willing to submit a pull request to implement this rule.
Additional comments
More information about these attacks can be found at https://www.trojansource.codes/. Also see the security announcement by Node.js: https://groups.google.com/g/nodejs-sec/c/_w6hoamG14E
Blog by the Rust team about CVE-2021-42574: https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html
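As an added, defender-side illustration of what a rule like the one proposed above would have to check (written for this page; it is not code from the ESLint issue, ESLint core, or eslint-plugin-security): a standalone scanner that reports the bidirectional control characters used in the issue's first example and flags identifiers that mix Unicode scripts, which is what the sayНello homoglyph does. The rough identifier regex, the list of scripts tested, and the two sample inputs are my own constructions; the samples are the issue's examples with the real code points substituted in.

```javascript
// Added example, not part of the original issue or of any ESLint rule.
// Two checks a lint rule for trojan source would perform:
//   1. flag Unicode bidirectional control characters anywhere in the text
//      (the CVE-2021-42574 vector), and
//   2. flag identifiers whose letters come from more than one script
//      (the CVE-2021-42694 homoglyph vector).

// The nine bidi control characters that can reorder rendered text.
const BIDI_CONTROLS = new Map([
  ["\u202A", "LRE"], ["\u202B", "RLE"], ["\u202C", "PDF"], ["\u202D", "LRO"],
  ["\u202E", "RLO"], ["\u2066", "LRI"], ["\u2067", "RLI"], ["\u2068", "FSI"],
  ["\u2069", "PDI"],
]);

// Walk the source by code point and record every bidi control with its
// 1-based line and column, so a reviewer can locate it in an editor.
function findBidiControls(source) {
  const findings = [];
  let line = 1;
  let column = 0;
  for (const ch of source) {
    if (ch === "\n") { line++; column = 0; continue; }
    column++;
    const name = BIDI_CONTROLS.get(ch);
    if (name) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      findings.push({ line, column, codePoint: "U+" + hex, name });
    }
  }
  return findings;
}

// Rough approximation of an ECMAScript IdentifierName (assumption: good
// enough for a demo; a real rule would use the parser's identifier tokens).
// It also matches words inside strings and comments, which is acceptable here.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;

// Scripts we distinguish; anything else is grouped as "Other". Characters in
// the Common or Inherited scripts (digits, "_", "$") carry no script of their own.
const SCRIPT_TESTS = [
  ["Latin", /\p{Script=Latin}/u],
  ["Cyrillic", /\p{Script=Cyrillic}/u],
  ["Greek", /\p{Script=Greek}/u],
  ["Armenian", /\p{Script=Armenian}/u],
  ["Han", /\p{Script=Han}/u],
  ["Arabic", /\p{Script=Arabic}/u],
  ["Hebrew", /\p{Script=Hebrew}/u],
];

function scriptsOf(identifier) {
  const scripts = new Set();
  for (const ch of identifier) {
    if (/[\p{Script=Common}\p{Script=Inherited}]/u.test(ch)) continue;
    const hit = SCRIPT_TESTS.find(([, re]) => re.test(ch));
    scripts.add(hit ? hit[0] : "Other");
  }
  return scripts;
}

// An identifier such as "say" + Cyrillic "Н" + "ello" has two scripts and is reported.
function findMixedScriptIdentifiers(source) {
  const findings = [];
  for (const m of source.matchAll(IDENT_RE)) {
    const scripts = scriptsOf(m[0]);
    if (scripts.size > 1) {
      findings.push({ identifier: m[0], index: m.index, scripts: [...scripts].sort() });
    }
  }
  return findings;
}

function scanSource(source) {
  return {
    bidi: findBidiControls(source),
    mixedScript: findMixedScriptIdentifiers(source),
  };
}

// Constructed sample: the issue's first example with the real code points in place.
const SAMPLE_BIDI =
  'var accessLevel = "user";\n' +
  'if (accessLevel != "user\u202E \u2066// Check if admin\u2069 \u2066") {\n' +
  '    console.log("You are an admin");\n' +
  '}\n';

// Constructed sample: the homoglyph variant, Cyrillic Н (U+041D) in the second name.
const SAMPLE_HOMOGLYPH =
  'function sayHello() { console.log("Hello, World!"); }\n' +
  'function say\u041Dello() { console.log("Goodbye, World!"); }\n' +
  'say\u041Dello();\n';

console.log(JSON.stringify(scanSource(SAMPLE_BIDI), null, 2));
console.log(JSON.stringify(scanSource(SAMPLE_HOMOGLYPH), null, 2));
```

On the first sample the scanner reports four bidi controls on line 2 (RLO, LRI, PDI, LRI) and no mixed-script identifiers; on the second it reports no bidi controls and two mixed-script occurrences of sayНello (the declaration and the call), each tagged Cyrillic and Latin. The Unicode property escapes need a JavaScript engine with ES2018 regex support.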
Issue Analytics
- Created 2 years ago
- Reactions: 6
- Comments: 22 (11 by maintainers)
Top GitHub Comments
@mhofman I like this approach, though the team feels that the core isn't the correct home for these rules. I'm talking with the eslint-plugin-security folks to see about getting that project restarted, as I think that would be the best home for such rules.
Yes, sorry, way too much going on. If you wouldn’t mind, you can suggest security related rules here:
https://github.com/nodesecurity/eslint-plugin-security
Still trying to get back around to fixing up that plugin but it’s the right place for rules like these.