Supply-chain attack using invisible code hits GitHub and other repositories
4 points by sibexico
The whole "invisible to reviewers omg!" bit feels very sensationalist here. There's a call to eval sitting in plain sight! If that's not a screaming red flag I don't know what is.
Making the eval look natural will be the challenge for attackers, but it's definitely not impossible.
The obvious solution is for tooling to actually point out invisible characters are there.
Depends on the maintainer I guess, but like ... if a patch contains eval, I'm rejecting it unless it's literally part of a REPL/compiler or dev-time tooling. There is simply no excuse in a web library.
One similar thing an attacker can do is to use two visually identical (even better with confusables…) but distinct identifiers to backdoor one rarely-executed logical branch.
For example, nested functions could be a convenient way to introduce false shadowing while in reality there is a capture.
The Rust compiler has a surprisingly comprehensive set of lints for detecting that kind of thing (thanks Manish!), including one that accounts for how likely a, for example, Cyrillic e is to be in an identifier given the other chars. Mixing and matching between different scripts that don't go together gets flagged. You can deny non-ASCII in general but that is opt-in. GitHub already lints against the Trojan Source RTL codepoints; that machinery could be extended to all of these cases too.
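The kind of tooling the comments above ask for, as an added example (not code from the thread, from GitHub's checks or from the Rust lints): a small Python scanner that reports invisible code points and identifiers mixing scripts. The sample source and the name-based script heuristic are assumptions of the example.

```python
# Added example (not from the thread): a scanner for the two things the
# comments ask tooling to flag, invisible code points in source (the
# Trojan Source bidi controls, zero-width characters, Unicode tag characters)
# and identifiers that mix scripts (a Cyrillic letter inside a Latin name).
import re
import unicodedata

# Characters that render as nothing but are not in Unicode category Cf.
EXTRA_INVISIBLE = {"\u034f", "\u115f", "\u1160", "\u3164", "\uffa0"}
EXTRA_INVISIBLE |= {chr(c) for c in range(0xFE00, 0xFE10)}  # variation selectors

def is_invisible(ch: str) -> bool:
    # Cf already covers U+200B..200D, U+202A..202E, U+2066..2069,
    # U+FEFF and the tag block U+E0000..E007F.
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE

IDENT_RE = re.compile(r"[^\W\d]\w*")

def script_of(ch: str):
    # Coarse script lookup from the character name (assumed heuristic);
    # enough to catch the Latin/Cyrillic/Greek mixing confusables rely on.
    if ch == "_" or ch.isdigit():
        return None  # neutral, allowed in any identifier
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in ("LATIN", "CYRILLIC", "GREEK") else "OTHER"

def scan(source: str):
    """Return (line, col, kind, detail) tuples with 1-based positions."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                findings.append((lineno, col, "invisible", f"U+{ord(ch):04X}"))
        for m in IDENT_RE.finditer(line):
            scripts = {s for s in map(script_of, m.group()) if s}
            if len(scripts) > 1:
                findings.append((lineno, m.start() + 1, "mixed-script", m.group()))
    return findings

# Constructed sample: a zero-width space after a statement and a second
# definition whose 'e' is U+0435 CYRILLIC SMALL LETTER IE, not ASCII 'e'.
SAMPLE = (
    "def check(user):\n"
    "    return user.is_admin\n"
    "x = 1\u200b  # nothing to see here\n"
    "def ch\u0435ck(user):\n"
    "    return True\n"
)

if __name__ == "__main__":
    for line, col, kind, detail in scan(SAMPLE):
        print(f"{line}:{col}: {kind}: {detail}")
```

Run against the sample it reports the hidden U+200B on line 3 and the mixed-script name on line 4, while the visually identical first `check` passes untouched.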
Oh, that's great! Sounds like it goes further than just checking if there are two confusable or normalisation-conflicting identifiers. I was just talking about things þat happen when neither the language implementation nor the forge pays any attention (while non-ASCII identifiers are allowed), but it's good that Rust is careful about that.
"Let's make everything a rendered web page. Yes, even the code itself. No, I can't imagine how that can be abused. Oh, like that? No, no - nobody will ever do that. It'll be fine."
That's precisely the discussion about everything web. Text based email does work, but some people just don't see the problem in having links and text that don't correspond with what you see, or invisible stuff getting downloaded and run without any restrictions.
When my text-based email program doesn't know how to show unicode, it shows the characters making up the unicode, so nothing can be hidden. That's how it should be, although some people have taken the position that the code is broken and it shouldn't do that. Apparently they want attack vectors.