Closed Bug 1738988 Opened 3 years ago Closed 2 years ago

Trojan source - CVE-2021-42574,CVE-2021-42694 - warns when used our code

Categories

(Developer Infrastructure :: Lint and Formatting, task)

Product:
Developer Infrastructure
Component:
Lint and Formatting
Type:
task

Tracking

(firefox96 fixed)

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox96 --- fixed

People

(Reporter: mhoye, Assigned: Sylvestre)

References

Details

Attachments

(2 files)

Bug 1738988 - Add support for trojan source detection in mozlint r?#linter-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Bug 1738988 - mozlint: run trojan-source in the CI r?#linter-reviewers
48 bytes, text/x-phabricator-request
Details | Review

In light of the fact that is now apparently possible to "hide" quite a lot of text in a visually non-detectable way in a file, by using Unicode BIDI and interlinear control characters.

https://www.trojansource.codes/

With that in mind, I'd like to propose an addition to our pre-compilation, pre-review step that either halts on or strips out Unicode BIDI and interlinear control characters from incoming patches.

We might also want to consider disallowing anything on the unicode "confusables" list from appearing anywhere but localization information.

This might be possible to achieve via a "regex" linter. These aren't the most efficient (as they run a regex against every line of every file), but they are as simple to add as dropping in a YAML file like this one:
https://searchfox.org/mozilla-central/source/tools/lint/cpp-virtual-final.yml

If a slightly more complex or third party linter is needed, there are some docs on creating a new one here:
https://firefox-source-docs.mozilla.org/code-quality/lint/create.html

Assignee: nobody → sledru
Attachment #9250634 - Attachment description: Bug 1738988 - Add support for trojan source detect into in mozlint r?#linter-reviewers → Bug 1738988 - Add support for trojan source detection in mozlint r?#linter-reviewers
Pushed by sledru@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b7f9f5d76e60
Add support for trojan source detection in mozlint r=linter-reviewers,ahal DONTBUILD
https://hg.mozilla.org/integration/autoland/rev/bb07b9760564
mozlint: run trojan-source in the CI r=linter-reviewers,ahal DONTBUILD

https://hg.mozilla.org/mozilla-central/rev/b7f9f5d76e60
https://hg.mozilla.org/mozilla-central/rev/bb07b9760564

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox96: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
See Also: → 1742156
Summary: Strip Bidi and interlinear control characters from incoming patches. → Trojan source - CVE-2021-42574,CVE-2021-42694 - warns when used our code
Depends on: 1743088
Depends on: 1747276
No longer depends on: 1747276
Product: Firefox Build System → Developer Infrastructure
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: