Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support to detect CVE-2021-42574? #776

Open
kraptor opened this issue Dec 30, 2021 · 8 comments
Open

Add support to detect CVE-2021-42574? #776

kraptor opened this issue Dec 30, 2021 · 8 comments

Comments

@kraptor
Copy link
Contributor

kraptor commented Dec 30, 2021

It would be interesting if we could add support to detect Unicode attacks within source code automatically, or at least to bring attention to the packager so she's aware there might be an issue and double check.

@marxin
Copy link
Contributor

marxin commented Dec 30, 2021

Interesting idea. Are you willing to implement that?
Note one will be able to use -Wbidi-chars GCC option (starting with GCC 12.1.0).

@kraptor
Copy link
Contributor Author

kraptor commented Dec 30, 2021

Give me advice on how to do it and I may be able to implement it.

Regarding compilers. what you comment is specific for GCC, but I'm not sure we can modify all possible compilers (too much work, I guess) :/

@kraptor
Copy link
Contributor Author

kraptor commented Dec 30, 2021

Related: pylint-dev/pylint#5281

@kraptor
Copy link
Contributor Author

kraptor commented Dec 30, 2021

Lot's of testcases here: https://github.com/nickboucher/trojan-source

@marxin
Copy link
Contributor

marxin commented Dec 30, 2021

Give me advice on how to do it and I may be able to implement it.

Sure, you'll need to add a new check derived from AbstractFilesCheck in rpmlint/checks and register the check in configdefaults.toml file.

I would take inspiration from the script provided here: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007#diagnostic-tools

One tricky part would be how to filter files that should be checked? Do you want to do it based on MIME type or extension?
I'm also curious about the speed of the check, we'll see.

Regarding compilers. what you comment is specific for GCC, but I'm not sure we can modify all possible compilers (too much work, I guess) :/

Sure, the characters can be also in different programming languages.

@marxin
Copy link
Contributor

marxin commented May 11, 2022

@kraptor Are you still interested in implementing this check?

@kraptor
Copy link
Contributor Author

kraptor commented May 11, 2022

I'm not sure how much time do I have to do this... maybe during the hackweek? Anyway, I forked and created a BidirectionalUnicodeCheck class.

Is there any other check I can use for inspiration? Also, what's the best place to add a testcase and how to do it?

@marxin
Copy link
Contributor

marxin commented May 12, 2022

You likely want to read lines like here:

with open('/'.join((root, f))) as fd:
currentdirs = []
for line in fd.readlines():

and check for the special unicode sequences.

Testes can be put under test folder, please take a look there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants