Summary

Add a code safety checker for some trojan source code attacks.

Review Request #11906 — Created Jan. 4, 2022 and submitted June 16, 2022, 1:24 p.m.

Information

Owner

chipx86

Repository

Review Board

Branch

release-5.0.x

Bugs

Depends On

~~11904~~, ~~11905~~

Reviewers

Groups

reviewboard

People

Description

This code safety checker looks for zero-width spaces and bi-directional
text in lines of code, flagging them when they appear and putting a
banner at the top of the diff.

Certain bi-directional Unicode characters can be used together to make
malicious code display one way and execute another way. For example,
code can appear to be inside of a comment, but instead be inside of a
string, opening up opportunities to circumvent access control checks or
other logic. This is CVE-2021-42574.

Similarly, zero-width spaces can make code appear one way and execute
another way. Languages that allow for Unicode characters in function
names or variable names may accept zero-width spaces as a legitimate
character in a name. To reviewers, an identifier with a zero-width space
would appear the same as an identifier without one. This can cause, for
instance, state checks to be circumvented.

If either issue is found in code, the file alert template will show a
section for the vulnerability with examples, so reviewers know the kind
of risks that could be hiding in the code. They're also given a link to
the CVE.

This does not currently address CVE-2021-42694, which enables attacks
similar to the zero-width space attach, but through homoglyphs
(separate Unicode characters that resemble another character, like an
"H"). That will be tackled separately.

Note that there are legitimate situations in which these characters may
appear. Depending on user feedback, we may want to offer options for
disabling these checks. At the moment, we're following what other tools
are doing and unconditionally checking the code.

Testing Done

Unit tests pass on Python 2 and 3.

Tested with a wide collection of trojan source files available at
https://github.com/nickboucher/trojan-source/

Commits

Summary	ID
Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	dbaa4d5f211b92091b1c1fe0692d579199e8eb39

Summary

Add a code safety checker for some trojan source code attacks.

This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.

dbaa4d5f211b92091b1c1fe0692d579199e8eb39

Files

Issues

Description	From	Last Updated
E501 line too long (80 > 79 characters)	reviewbot	Jan. 4, 2022, 10:16 p.m.
E501 line too long (80 > 79 characters)	reviewbot	Jan. 4, 2022, 10:16 p.m.
F401 're' imported but unused	reviewbot	Jan. 6, 2022, 3:15 a.m.
F841 local variable 'checks_map' is assigned to but never used	reviewbot	Jan. 6, 2022, 3:15 a.m.
F841 local variable 'checks_map' is assigned to but never used	reviewbot	Jan. 6, 2022, 3:15 a.m.
Shouldn't this be switched to SafeString as well?	maubin	June 8, 2022, 2:59 p.m.
Does this need to be back-ticked? Also should add a type (list of str)	maubin	June 14, 2022, 4:52 p.m.

flake8 failed.

JSHint passed.

flake8

reviewboard/codesafety/checkers/trojan_source.py (Diff revision 1)
The issue has been resolved. Show all issues
```
E501 line too long (80 > 79 characters)
```
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 1)
The issue has been resolved. Show all issues
```
E501 line too long (80 > 79 characters)
```

Change Summary:

Fixed some line length issues.

Commits:

	Summary	ID
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	bfaefbc2acee4ef965e6dd5aef8ce54430e515e8
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	11a4139d174c7bb75ded5a2fcf523bd76de41c08

Diff:

Revision 2 (+1092 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Depends On:

+	~~11904 - Add base support for code safety checkers.~~
+	~~11905 - Add a {% code_block %} template tag.~~

Change Summary:


Reworked the Unicode scanning to use a more flexible loop for iteration and line changing, in preparation for confusables support.
Shortened the result IDs, to reduce cache space.
Removed the hard-coded Unicode titles, in favor of unicodedata.name().
Reordered some unit test functions.

Commits:

	Summary	ID
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	11a4139d174c7bb75ded5a2fcf523bd76de41c08
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	5105919086bcf387da8c551632147b954d92a44d

Diff:

Revision 3 (+1034 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (1 failed, 1 succeeded)

flake8 failed.

JSHint passed.

flake8

reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3)
The issue has been resolved. Show all issues
```
F401 're' imported but unused
```
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3)
The issue has been resolved. Show all issues
```
F841 local variable 'checks_map' is assigned to but never used
```
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3)
The issue has been resolved. Show all issues
```
F841 local variable 'checks_map' is assigned to but never used
```

Change Summary:


Removed unused variables and imports.
Switched the variable used to determine how many possible warnings can be found, for short-circuiting.

Commits:

	Summary	ID
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	5105919086bcf387da8c551632147b954d92a44d
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	1a4c67b6e5973ea3c6bd6d1bc186c17ec3b376f9

Diff:

Revision 4 (+1026 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Change Summary:

Updated for Review Board 5.0:

Removed __future__ imports
Removed six usage
Changed version numbers in docstrings
Changed unicode to str in docstrings
Changed SafeText to SafeString.
Changed ugettext_lazy to gettext_lazy.

Commits:

	Summary	ID
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	1a4c67b6e5973ea3c6bd6d1bc186c17ec3b376f9
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	9fd5dc0f0360454526acb686efaa16733e3793c3

Branch:

-	release-4.0.x
+	release-5.0.x

Diff:

Revision 5 (+1014 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

```
Ship It!
```

reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py (Diff revision 5)
The issue has been resolved. Show all issues
```
Shouldn't this be switched to SafeString as well?
```

Change Summary:

Changed SafeText to SafeString.

Commits:

	Summary	ID
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	9fd5dc0f0360454526acb686efaa16733e3793c3
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	2349296d22a4d829aa07a4a5998985a0e80716ff

Diff:

Revision 6 (+1014 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

reviewboard/codesafety/checkers/trojan_source.py (Diff revision 6)

The issue has been resolved. Show all issues

Does this need to be back-ticked? Also should add a type (list of str)

chipx86 June 14, 2022, 4:35 p.m.

It does in this form. I'll update it to use the newer Keys: section.

Change Summary:

Modernized the docs for the dictionary keys returned in check_content.

Commits:

	Summary	ID
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	2349296d22a4d829aa07a4a5998985a0e80716ff
	Add a code safety checker for some trojan source code attacks. This code safety checker looks for zero-width spaces and bi-directional text in lines of code, flagging them when they appear and putting a banner at the top of the diff. Certain bi-directional Unicode characters can be used together to make malicious code display one way and execute another way. For example, code can appear to be inside of a comment, but instead be inside of a string, opening up opportunities to circumvent access control checks or other logic. This is CVE-2021-42574. Similarly, zero-width spaces can make code appear one way and execute another way. Languages that allow for Unicode characters in function names or variable names may accept zero-width spaces as a legitimate character in a name. To reviewers, an identifier with a zero-width space would appear the same as an identifier without one. This can cause, for instance, state checks to be circumvented. If either issue is found in code, the file alert template will show a section for the vulnerability with examples, so reviewers know the kind of risks that could be hiding in the code. They're also given a link to the CVE. This does not currently address CVE-2021-42694, which enables attacks similar to the zero-width space attach, but through homoglyphs (separate Unicode characters that resemble another character, like an "H"). That will be tackled separately. Note that there are legitimate situations in which these characters may appear. Depending on user feedback, we may want to offer options for disabling these checks. At the moment, we're following what other tools are doing and unconditionally checking the code.	dbaa4d5f211b92091b1c1fe0692d579199e8eb39

Diff:

Revision 7 (+1018 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to release-5.0.x (3823d88)