Disallow LTR, RTL & co. characters in comments #49257
Labels
Comments
# for free
to subscribe to this conversation on GitHub.
Already have an account?
#.
{{ message }}
There's a new source code vulnerability (CVE-2021-42574) that also affects go source code, where attackers can manipulate comment strings to change the behaviour of an application in a way a reviewer will not easily recognize.
This is especially true for a statically compiled language like go, where developers are supposed to review their dependencies before they use it.
It's called "Trojan Source" and is explained here: https://trojansource.codes/
The page also links to the paper, showing the affected unicode characters.
POC: https://play.golang.org/p/UhpMaSsCgth
There was already a comment added here recently, but I think this vulnerability deserves it's own issue: #20209 (comment)
I suggest disallowing such characters in comment strings (or anywhere outside string literals), or - if possible - allowing them, as long as they only affect the content within their own scope/comment to continue support for other locales.
The alternative is for developers to depend on their IDEs/editors/review-tools to display such characters as problematic. Maybe the go playground should do the same?
Note that github already marks such files as potentially dangerous: https://github.com/nickboucher/trojan-source/blob/main/Go/commenting-out.go
Does this issue reproduce with the latest release?
yes
The text was updated successfully, but these errors were encountered: