Update the Trojan Source scanner for Unicode confusables/homoglyphs.

 






 

 


  Review Request #11908
  —
  Created Jan. 6, 2022 and submitted  — Latest diff uploaded 

 


















 

  

   Information

  





 
 

  chipx86
 









 
 

  Review Board
 









 
 

  release-5.0.x
 









 
 

  
 









 
 

  
 






 




 

  

   Reviewers

  





 
 

  reviewboard
 









 
 

  
 






 








 





  


 
 

  
The Trojan Source scanner now looks for certain Unicode characters that

appear as standard latin1 characters, like A-Z, a-z, 0-9, etc. These can

be used by a malicious developer to try to sneak in logic that appears

to define or make use of a function, class, variable, etc. with one

name, while actually using a completely different name.


This is CVE-2021-42694.


This sort of scanning must be done carefully. There are a lot of

perfectly valid Unicode characters out there, and we don't want to check

them all, assume they're all nefarious.


What we instead do is check only confusables that meet the following

criteria:


    

  1. Has a codepoint >= 128 (avoiding issues with, say, "1" vs" "l").
    2. 

  2. Can be confused with a COMMON or LATIN Unicode character (ones most
    
   likely to be legitimately used in function names or other code)
    3. 

  3. Is not itself a COMMON or LATIN Unicode character.
    4. 



To generate the mapping, we have a new

./contrib/internal/build-confusables.py file, which will pull down the

latest datasets from unicode.org and generate a resulting

reviewboard/codesafety/_unicode_confusables.py file.


This is not perfect. People may find that some comments or strings

trigger a warning. Ideally, we'd be able to selectively apply these

tests depending on where it appears, but we're not in a position to do

that yet. Still, most of these should probably not be hit often in

practice.


Possible areas of future expansion would be to allow these if beside

other characters from the same script that are not themselves

confusables. This could be attempted if we get feedback later stating

that too many false-positives are being generated.


There is one major caveat to this implementation: it largely requires

wide Unicode character support, so that surrogate pairs appear as one

character/codepoint and not multiple.


This is always the case on Python 3. For Python 2, it depends on how

CPython was compiled. If wide support is not enabled, certain characters

cannot be found.

 








  


 
 

  
Unit tests pass on Python 2 (without wide support) and Python 3.


Tested with all the test code sets provided on

https://github.com/nickboucher/trojan-source/

 







 









 





  








 

  
  


   

    

     

     

     

    

   


   

    

     

     

     

    

   


   

  

 





 







   

    
    

    

    


    

      
Commits

      

        
      

    


    


      
Files


      

       
      

    

    

   

  

 





    


    

    





     
    
    
    
   
    
  
    
  
    
   
   Loading...