Trojan source - CVE-2021-42574,CVE-2021-42694 - warns when used in our code
Categories
(Developer Infrastructure :: Lint and Formatting, task)
Tracking
| Tracking | Status
---|---|---
firefox96 | --- | fixed
People
(Reporter: mhoye, Assigned: Sylvestre)
Attachments (2 files)
In light of the fact that it is now apparently possible to "hide" quite a lot of text in a visually non-detectable way in a file, by using Unicode BIDI and interlinear control characters.
https://www.trojansource.codes/
With that in mind, I'd like to propose an addition to our pre-compilation, pre-review step that either halts on or strips out Unicode BIDI and interlinear control characters from incoming patches.
We might also want to consider disallowing anything on the Unicode "confusables" list from appearing anywhere but localization information.
Comment 1 • 3 years ago
This might be possible to achieve via a "regex" linter. These aren't the most efficient (as they run a regex against every line of every file), but they are as simple to add as dropping in a YAML file like this one:
https://searchfox.org/mozilla-central/source/tools/lint/cpp-virtual-final.yml
If a slightly more complex or third party linter is needed, there are some docs on creating a new one here:
https://firefox-source-docs.mozilla.org/code-quality/lint/create.html
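A minimal version of the check Comment 1 describes, written here as an added illustration rather than mozlint's own trojan-source linter: it flags (or strips) the Unicode BIDI override, embedding and isolate controls that Trojan Source relies on. The localization-file suffixes it exempts and the sample input are assumptions constructed for the example.

```python
import unicodedata
from typing import Dict, List, Tuple

# The BIDI override/embedding/isolate controls abused by Trojan Source
# (CVE-2021-42574). Written for illustration; not mozlint's own code.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

# Assumed localization-file suffixes the scan skips (the bug suggests
# exempting localization data); not a real mozlint setting.
LOCALIZATION_SUFFIXES = (".ftl", ".properties", ".dtd")

Finding = Tuple[int, int, str]  # (line, column, Unicode name), 1-based


def find_bidi_controls(text: str) -> List[Finding]:
    """Locate every BIDI control character in a source text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, unicodedata.name(ch)))
    return findings


def strip_bidi_controls(text: str) -> str:
    """The 'strip out' variant: drop the controls, keep everything else."""
    return text.translate({ord(ch): None for ch in BIDI_CONTROLS})


def check_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan {path: contents}; report only paths with hits, skipping l10n files."""
    report: Dict[str, List[Finding]] = {}
    for path, text in files.items():
        if path.endswith(LOCALIZATION_SUFFIXES):
            continue
        hits = find_bidi_controls(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample: a comment holding an RLO ... PDF pair, which an editor
# renders reversed while the compiler sees the raw bytes.
SAMPLE = "total = 0  # \u202eoverride\u202c\nprint(total)\n"

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
```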
Comment 2 • 3 years ago
Comment 3 • 3 years ago
Depends on D131086
Pushed by sledru@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b7f9f5d76e60 Add support for trojan source detection in mozlint r=linter-reviewers,ahal DONTBUILD
https://hg.mozilla.org/integration/autoland/rev/bb07b9760564 mozlint: run trojan-source in the CI r=linter-reviewers,ahal DONTBUILD
Comment 5 • 2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b7f9f5d76e60
https://hg.mozilla.org/mozilla-central/rev/bb07b9760564