Add support to detect CVE-2021-42574? #776
Comments
|
Interesting idea. Are you willing to implement that? |
|
Give me advice on how to do it and I may be able to implement it. Regarding compilers. what you comment is specific for GCC, but I'm not sure we can modify all possible compilers (too much work, I guess) :/ |
|
Related: pylint-dev/pylint#5281 |
|
Lot's of testcases here: https://github.com/nickboucher/trojan-source |
Sure, you'll need to add a new check derived from I would take inspiration from the script provided here: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007#diagnostic-tools One tricky part would be how to filter files that should be checked? Do you want to do it based on
Sure, the characters can be also in different programming languages. |
|
@kraptor Are you still interested in implementing this check? |
|
I'm not sure how much time do I have to do this... maybe during the hackweek? Anyway, I forked and created a Is there any other check I can use for inspiration? Also, what's the best place to add a testcase and how to do it? |
|
You likely want to read lines like here: rpmlint/rpmlint/checks/LogrotateCheck.py Lines 43 to 45 in fc5303f and check for the special unicode sequences. Testes can be put under |
It would be interesting if we could add support to detect Unicode attacks within source code automatically, or at least to bring attention to the packager so she's aware there might be an issue and double check.
The text was updated successfully, but these errors were encountered: