Summary:

Add a code safety checker for some trojan source code attacks.

Review Request #11906 — Created Jan. 4, 2022 and submitted June 16, 2022, 1:24 p.m.

Information
Owner:	chipx86
Repository:	Review Board
Branch:	release-5.0.x
Bugs:
Depends On:	~~11904~~, ~~11905~~
Reviewers
Groups:	reviewboard
People:

Description

This code safety checker looks for zero-width spaces and bi-directional
text in lines of code, flagging them when they appear and putting a
banner at the top of the diff.

Certain bi-directional Unicode characters can be used together to make
malicious code display one way and execute another way. For example,
code can appear to be inside of a comment, but instead be inside of a
string, opening up opportunities to circumvent access control checks or
other logic. This is CVE-2021-42574.

Similarly, zero-width spaces can make code appear one way and execute
another way. Languages that allow for Unicode characters in function
names or variable names may accept zero-width spaces as a legitimate
character in a name. To reviewers, an identifier with a zero-width space
would appear the same as an identifier without one. This can cause, for
instance, state checks to be circumvented.

If either issue is found in code, the file alert template will show a
section for the vulnerability with examples, so reviewers know the kind
of risks that could be hiding in the code. They're also given a link to
the CVE.

This does not currently address CVE-2021-42694, which enables attacks
similar to the zero-width space attach, but through homoglyphs
(separate Unicode characters that resemble another character, like an
"H"). That will be tackled separately.

Note that there are legitimate situations in which these characters may
appear. Depending on user feedback, we may want to offer options for
disabling these checks. At the moment, we're following what other tools
are doing and unconditionally checking the code.

Testing Done

Unit tests pass on Python 2 and 3.

Tested with a wide collection of trojan source files available at
https://github.com/nickboucher/trojan-source/

Commits

Summary
	Add a code safety checker for some trojan source code attacks.

Screenshots

Files

Issues

Description	From	Last Updated
E501 line too long (80 > 79 characters)	reviewbot	Jan. 4, 2022, 10:16 p.m.
E501 line too long (80 > 79 characters)	reviewbot	Jan. 4, 2022, 10:16 p.m.
F401 're' imported but unused	reviewbot	Jan. 6, 2022, 3:15 a.m.
F841 local variable 'checks_map' is assigned to but never used	reviewbot	Jan. 6, 2022, 3:15 a.m.
F841 local variable 'checks_map' is assigned to but never used	reviewbot	Jan. 6, 2022, 3:15 a.m.
Shouldn't this be switched to SafeString as well?	maubin	June 8, 2022, 2:59 p.m.
Does this need to be back-ticked? Also should add a type (list of str)	maubin	June 14, 2022, 4:52 p.m.

flake8 failed.

JSHint passed.

flake8

reviewboard/codesafety/checkers/trojan_source.py (Diff revision 1)
Show all issues
```
E501 line too long (80 > 79 characters)
```
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 1)
Show all issues
```
E501 line too long (80 > 79 characters)
```

Change Summary:

Fixed some line length issues.

Commits:

	Summary
-		Add a code safety checker for some trojan source code attacks.
+		Add a code safety checker for some trojan source code attacks.

Diff:

Revision 2 (+1092 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Depends On:

+	~~11904 - Add base support for code safety checkers.~~
+	~~11905 - Add a {% code_block %} template tag.~~

Change Summary:


Reworked the Unicode scanning to use a more flexible loop for iteration and line changing, in preparation for confusables support.
Shortened the result IDs, to reduce cache space.
Removed the hard-coded Unicode titles, in favor of unicodedata.name().
Reordered some unit test functions.

Commits:

	Summary
-		Add a code safety checker for some trojan source code attacks.
+		Add a code safety checker for some trojan source code attacks.

Diff:

Revision 3 (+1034 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (1 failed, 1 succeeded)

flake8 failed.

JSHint passed.

flake8

reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3)
Show all issues
```
F401 're' imported but unused
```
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3)
Show all issues
```
F841 local variable 'checks_map' is assigned to but never used
```
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3)
Show all issues
```
F841 local variable 'checks_map' is assigned to but never used
```

Change Summary:


Removed unused variables and imports.
Switched the variable used to determine how many possible warnings can be found, for short-circuiting.

Commits:

	Summary
-		Add a code safety checker for some trojan source code attacks.
+		Add a code safety checker for some trojan source code attacks.

Diff:

Revision 4 (+1026 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Change Summary:

Updated for Review Board 5.0:

Removed __future__ imports
Removed six usage
Changed version numbers in docstrings
Changed unicode to str in docstrings
Changed SafeText to SafeString.
Changed ugettext_lazy to gettext_lazy.

Commits:

	Summary
-		Add a code safety checker for some trojan source code attacks.
+		Add a code safety checker for some trojan source code attacks.

Branch:

-	release-4.0.x
+	release-5.0.x

Diff:

Revision 5 (+1014 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

```
Ship It!
```

reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py (Diff revision 5)
Show all issues
```
Shouldn't this be switched to SafeString as well?
```

Change Summary:

Changed SafeText to SafeString.

Commits:

	Summary
-		Add a code safety checker for some trojan source code attacks.
+		Add a code safety checker for some trojan source code attacks.

Diff:

Revision 6 (+1014 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

reviewboard/codesafety/checkers/trojan_source.py (Diff revision 6)

Show all issues

Does this need to be back-ticked? Also should add a type (list of str)

chipx86 June 14, 2022, 4:35 p.m.

It does in this form. I'll update it to use the newer Keys: section.

Change Summary:

Modernized the docs for the dictionary keys returned in check_content.

Commits:

	Summary
-		Add a code safety checker for some trojan source code attacks.
+		Add a code safety checker for some trojan source code attacks.

Diff:

Revision 7 (+1018 -2)

Show changes

	reviewboard/codesafety/checkers/registry.py
	reviewboard/codesafety/checkers/trojan_source.py
	reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py
	reviewboard/templates/codesafety/trojan_source_alert.html

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to release-5.0.x (3823d88)