Review Request #11906 — Created Jan. 4, 2022 and submitted
Information |
---|
chipx86 |
Review Board |
release-5.0.x |

Reviewers |
---|
reviewboard |
This code safety checker looks for zero-width spaces and bi-directional
text in lines of code, flagging them when they appear and putting a
banner at the top of the diff.

Certain bi-directional Unicode characters can be used together to make
malicious code display one way and execute another way. For example,
code can appear to be inside of a comment, but instead be inside of a
string, opening up opportunities to circumvent access control checks or
other logic. This is CVE-2021-42574.

Similarly, zero-width spaces can make code appear one way and execute
another way. Languages that allow for Unicode characters in function
names or variable names may accept zero-width spaces as a legitimate
character in a name. To reviewers, an identifier with a zero-width space
would appear the same as an identifier without one. This can cause, for
instance, state checks to be circumvented.

If either issue is found in code, the file alert template will show a
section for the vulnerability with examples, so reviewers know the kind
of risks that could be hiding in the code. They're also given a link to
the CVE.

This does not currently address CVE-2021-42694, which enables attacks
similar to the zero-width space attack, but through homoglyphs
(separate Unicode characters that resemble another character, like an
"H"). That will be tackled separately.

Note that there are legitimate situations in which these characters may
appear. Depending on user feedback, we may want to offer options for
disabling these checks. At the moment, we're following what other tools
are doing and unconditionally checking the code.
Unit tests pass on Python 2 and 3.
Tested with a wide collection of trojan source files available at
https://github.com/nickboucher/trojan-source/
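As an added illustration of the two checks the description above talks about (example code written for this page, not the checker from this change), the scan below walks each line of a constructed sample, flags bi-directional control characters and zero-width characters, and reports each one with its position and unicodedata.name(). The character sets, the function names and the leading-BOM exception are assumptions, not Review Board's own tables.

```python
import unicodedata

# Assumed character sets (not taken from the Review Board checker).
# Bidi embedding/override/isolate controls used in CVE-2021-42574 attacks.
BIDI_CONTROLS = frozenset('\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069')
# Zero-width characters that vanish inside identifiers.
ZERO_WIDTH = frozenset('\u200b\u200c\u200d\u2060\ufeff')


def scan_lines(lines):
    """Return one finding per suspicious character, in file order.

    Each finding records the 1-based line, 0-based column, which check
    fired ('bidi' or 'zero-width'), the code point and its Unicode name.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                check = 'bidi'
            elif ch in ZERO_WIDTH:
                # A byte-order mark at the very start of the file is a
                # legitimate use, so it is not reported (assumed policy).
                if ch == '\ufeff' and lineno == 1 and col == 0:
                    continue
                check = 'zero-width'
            else:
                continue
            findings.append({
                'line': lineno,
                'column': col,
                'check': check,
                'code_point': 'U+%04X' % ord(ch),
                'name': unicodedata.name(ch, 'UNKNOWN'),
            })
    return findings


def banner_checks(findings):
    """Sorted names of the checks that fired, for a banner above the diff."""
    return sorted({f['check'] for f in findings})


# Constructed sample: line 2 hides a right-to-left override plus isolates so
# the tail of a string renders as a comment; line 3 hides a zero-width space
# inside an identifier; line 1 carries only a legitimate leading BOM.
SAMPLE_LINES = [
    '\ufeffdef is_admin(user):',
    '    if user.level != "user\u202e \u2066# only admins\u2069 \u2066":',
    '    is\u200badmin = True',
    '    return is_admin',
]

if __name__ == '__main__':
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
    print(banner_checks(scan_lines(SAMPLE_LINES)))
```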
Summary |
---|

Description |
---|
E501 line too long (80 > 79 characters) |
E501 line too long (80 > 79 characters) |
F401 're' imported but unused |
F841 local variable 'checks_map' is assigned to but never used |
F841 local variable 'checks_map' is assigned to but never used |
Shouldn't this be switched to SafeString as well? |
Does this need to be back-ticked? Also should add a type (list of str) |
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 1) |
---|
E501 line too long (80 > 79 characters)

Fixed some line length issues.
Commits:

Diff: Revision 2 (+1092 -2)
unicodedata.name().

Commits:

Diff: Revision 3 (+1034 -2)
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3) |
---|
F841 local variable 'checks_map' is assigned to but never used
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 3) |
---|
F841 local variable 'checks_map' is assigned to but never used
Commits:

Diff: Revision 4 (+1026 -2)
Updated for Review Board 5.0:

- __future__ imports
- six usage
- unicode to str in docstrings
- SafeText to SafeString.
- ugettext_lazy to gettext_lazy.

Commits:

Branch:

Diff: Revision 5 (+1014 -2)
reviewboard/codesafety/tests/test_trojan_source_code_safety_checker.py (Diff revision 5) |
---|
Shouldn't this be switched to SafeString as well?

Changed SafeText to SafeString.
Commits:

Diff: Revision 6 (+1014 -2)
reviewboard/codesafety/checkers/trojan_source.py (Diff revision 6) |
---|
Does this need to be back-ticked? Also should add a type (list of str)

Modernized the docs for the dictionary keys returned in check_content.
Commits:

Diff: Revision 7 (+1018 -2)